How to configure rsyslog to write to a MySQL database and log to a remote servers on Ubuntu

Installing MySQL and rsyslog-MySQL

sudo apt-get install mysql-server rsyslog-mysql

• Set the root MySQL password when prompted and remember this password, since you will be using it in future;
• When installing the rsyslog-mysql package, you are prompted to create a database for the logging. Unless you know what you are doing, choose "YES" here;
• You will be prompted for the root MySQL password again, enter it;
• Then you will be prompted for a new password for the MySQL rsyslog user. You will need this password if you are going to be accessing the database later.

If it was not added, you need to add the MySQL module to your rsyslog configuration. In Ubuntu you can create a file in /etc/rsyslog.d/mysql.conf and add the following in the file:

$ModLoad ommysql

*.* :ommysql:localhost,Syslog,rsyslog,password

You will of course have to enter your rsyslog user's password where it states "password".

Then restart rsyslog with

sudo service rsyslog restart

At this point you will have a running rSyslog server that write the logs to the database and to the syslog files.

Remote logging

In the /etc/rsyslog.conf, uncomment the following 2 lines:

$ModLoad imudp

$UDPServerRun 514

To send all logs to the log server, edit /etc/rsyslog.d/50-default.conf, append the following rule to all default rules:

*.*     @10.103.11.206

Restart rsyslog

sudo service rsyslog restart