# service rsyslog restart Step 3: Configure Rsyslog on Client Nodes. Configure Red Hat Enterprise Linux to receive event logs Set up a Syslog on Red Hat Enterprise Linux 6 or 7. Setup SysLog Server on CentOS 6 / RHEL 6. systemctl status rsyslog What’s next. Stack Exchange network consists of 175 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. Restart rsyslog and review /var/log/messages for any rsyslog errors. On the client, open /etc/rsyslog. On client side Add the provided port to the firewall # iptables -A INPUT -p tcp --dport 10514 -j ACCEPT. d/rsyslogd restart) to activate configuration changes. Follow these steps: Download and install nxlog. Using rsyslog to Send Arbitrary Log Files to a Remote Host on RHEL / CentOS 7 Next bounce rsyslog to have it re-read the configuration file. systemctl restart. For all *nix-based clients you will need to edit the rsyslog. Now you should have working rsyslog server with LogAnalyzer up and running. To verify log on to your central system and open Command Prompt or. This page describes how to configure rsyslog or syslog-ng for encrypted logging. rsyslog upgrade fails with message "start request repeated too quickly, refusing to start. journaldを経由してrsyslogからログを飛ばして使用してたのですがこの状態だともはやどうしようもできません。 なのでjournaldを経由しないでCentOS6などでやっていたrsyslog側でsyslogを受け取って流す方法へ変更します。. Here in this tutorial you will learn about how to build a cluster by using elasticsearch, kibana, zookeeper, kafka and rsyslog. rsyslogd -N 1 If you make a change, you'll have to restart the rsyslog daemon. I have a question: whats is the best way to collect oracle database logs to SIEM? I mean, which level of local5. Once you save your changes, restart your rsyslog service [[email protected] ~]# service rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ] [[email protected] ~]# As always, with any implementation, you should always test your changes to make sure it has worked. * :omrelp:127. log into /etc/rsyslog. We can force rsyslog to pick up the new log file by adding a postrotate command in logrotate. Configured in a client/server architecture, rsyslog can play both roles; as a syslog server rsyslog can gather logs from other devices, and as a syslog client, rsyslog can transmit its internal logs to a remote syslog server. Rsyslog is an open source software utility used on UNIX and Unix-like computer systems for forwarding log messages in an IP network. $ sudo systemctl restart rsyslog $ sudo journalctl -f -u rsyslog. Myserver : 206 vim /etc/rsyslog. Specifically, you may want to have one log per each server, perhaps with the hostname in the filename. systemctl stop rsyslog obviously did not work, therefore I had to kill rsyslogd with kill $(. This page describes how to configure rsyslog or syslog-ng for encrypted logging. [email protected] [~]# service rsyslog restart Redirecting to /bin/systemctl restart rsyslog. Once rsyslog has read those files, you can forward their contents on to any output target supported by rsyslog, including a remote destination. log Categories Tech Tags mikrotik , routeros Post navigation. conf¶ Go to the /etc directory, and use vi, vim (vim Cheat Sheet), or the editor of your choice to modify the /etc/rsyslog. You will restart Splunk way more often than you would a syslog service on a dedicated server. systemctl stop rsyslog obviously did not work, therefore I had to kill rsyslogd with kill $(. d/rsyslog restart # To test on DUROTAN the rsyslog server, run tcpdump and send logs from THRALL sudo yum install tcpdump -y sudo tcpdump -i eth0 tcp port 6514 -X -s 0 -nn. * /var/log/anm. FreeBSD often is configured with syslogd set to both ignore incoming syslog messages and silently refuse to send outgoing ones. Rsyslog is an open source, client/server central log processing system. Use the GUI file editor. info, local1. Once rsyslog has read those files, you can forward their contents on to any output target supported by rsyslog, including a remote destination. Installing and configuring a LogAnalyzer on an Ubuntu Server This is a re-write of an article on Linux Journal that I found when researching the project. 1 References. Par défaut, le paquet openldap ne prévoit pas la rotation des logs. On 2010-10-14 20:06, jcdole wrote: > > Hello. Welcome to LinuxQuestions. And yes, you will be applying Splunk updates, doing rolling restarts if you get into Index Clustering etc. conf This conversion removes the AIX specific parameters and allows the newly created file to be used with the rsyslogd daemon. Some logs may also be in /var/log/syslog OR /var/log/messages. info, local1. conf" and enable "imudp" module by uncommenting the same. To test that log messages are being sent across the network, use logger (1) on the client to send a message to syslogd: # logger "Test message from logclient". Next install rsyslog-gnutls since we want to load gtls module for the secure remote logging to work. This file indicates to which server the messages will be sent. # service rsyslog start # chkconfig rsyslog on. Change to the folder to list all the log files. Publicado por. Modules now contain Bolt Tasks that take action outside of a desired state managed by Puppet. Failed to restart rsyslog. /etc/rsyslog. x is service rsyslog restart The command to restart the service in RHEL 7. As mentioned above the make install will install the rsyslog binary in /opt/sbin/. How to Setup A Centralized Log Server Using Rsyslog on Ubuntu 16. Sometimes - due to organizational requirements, security, indexing or plain convenience - we want to output all of our application logs to Linux's sysout. Okay, now that we have message reliability put in place, let’s test it out. It is also important to note that there is a difference between syslog, the protocol, a specific syslog application (like rsyslog) and a system log message store. In addition, rsyslog provides output flexibility by offering options such as TCP delivery and TLS encryption. sudo /etc/init. d/rsyslog restart. d/rsyslog, so you can edit the file in defense4all code files to solve this problem. Log Exporter is a multi-threaded daemon service, running on a log server. Configuring the tomcat. com) to achieve that and we can do this in 6 easy steps. conf) Before configuring Web Gateway rules, the syslog daemon configuration must be updated. But let’s take it one step further and have our application logs written to their own file in a json format. I've re-written it in my own words and added some content that was missing in the original article. Install RSYSLOG & LogAnalyzer on CentOS 6. service rsyslog restart. conf file and add the following line(x. sudo service rsyslog restart. 4 bydefault logging of haproxy was not enable. rsyslogd -N1. You can use Bolt or Puppet Enterprise to automate tasks that you perform on your infrastructure on an as-needed basis, for example, when you troubleshoot a system, deploy an application, or stop and restart services. On the client, open /etc/rsyslog. Contribute to rsyslog/rsyslog development by creating an account on GitHub. I highly encourage you to read chapter Chapter 25. rsyslog is a reliable and extended syslog daemon implementation with a modular design that supports several features, for example, filtering, TCP, encryption, and high-precision time-stamps, as well as output control. conf If you want to have a debug log with everything in it, comment out the existing debug entry and add. Once I was satisfied with it I checked /var/log/messages and realized it. systemctl restart rsyslog  After configuration of above, logs for kinds of authentication are recorded on Log Managed Server like follows. Interesting. com" blog is for informational purposes only. Rsyslog will already likely be installed on most popular distributions. Bug 1216957 - rsyslog restart pulls lots of older log entries again, runs into rate-limiting. - Just click Next - Create an Administrator account and click Next. This document assumes you want to get informational messages (level 6), and that gigin is your “inside” interface on the ASA. The command to restart rsyslog daemon can vary from one Linux distribution to another but in most cases this would be: #!bash sudo service rsyslog restart. Installs and configures rsyslog. Again, after making any changes, restart the rsyslog process on the server to make the changes take effect. You can use Bolt or Puppet Enterprise to automate tasks that you perform on your infrastructure on an as-needed basis, for example, when you troubleshoot a system, deploy an application, or stop and restart services. setup central SysLog server on Centos 7 7 November, 2015 Today I was searching for tools to centralize the logging of some 20 odd Linux servers, while this is no endpoint in my research, I "logged" the method I used to setup my test/demo servers using good old rsyslog. If you selected syslog-ng: Tell the Syslog daemon to listen on facility local_4 and to "Check Point", and to send the Syslog messages to the Azure Sentinel agent using port 25226. How does it Work. This problem is caused by the bug of rsyslog (maybe, I found on the other webs), you can use service rsyslog instead of /etc/init. conf If you want to have a debug log with everything in it, comment out the existing debug entry and add. CollectEventswithService 6. The openldap. Here you will find RHEL 7 instructions to configure a system to accept logging from a remote system. Conclusion. Does anyone know what is happening?. On the client, open /etc/rsyslog. Linux labels (auth, cron, ftp, lpr, authpriv, news, mail. As all configurations are in place, lets restart rsyslog service. Create rsyslog folder under /var/log : [[email protected] ~]# mkdir /var/log/rsyslog 9. , sudo service rsyslog restart) any time you change this configuration file, and inspect /var/log/syslog carefully for any errors reading and/or sending your log files. NetwrixAuditorOverview 4 2. Some logs may also be in /var/log/syslog OR /var/log/messages. * /var/log/dhcp. Basically, all this is doing is giving the rsyslog daemon a kick to tell it that the log files have just moved and it needs to re-open the file to continue logging. When we make some change we must restart the service by executing one of the following options: sudo service rsyslog restart sudo systemctl restart Rsyslog. How to config for sending Swift SAIO logs to ELK5 via Rsyslog This post is sharing my task for sending logs from rsyslog client ( Swift SAIO in this case ) to rsyslog server ( elk5 : ElasticStack 5. Syslog ¶ The latest version of syslog is actuall called rsyslog. To remain compatible to the sysklogd of doing HUP, rsyslogd does a full daemon restart when it is HUPed. size="5000". Command to restart rsyslog service on DebianUbuntu: service rsyslog restart If you are not root, use sudo before the command: sudo service rsyslog Query Admin System Administration Tips, Security, Internet. By using this deamon it’s possible to send logs from one server to another server. log Also, the script has permission for the /var/log/anm. While it started as a regular syslogd, rsyslog has evolved into a kind of swiss army knife of logging, being able to. When Cron runs the script, the script does not stop or start rsyslog. Rate limiting os rsyslog has advantages and disadvantages. It works when I run the script, but not when Cron runs it. The client hostname will appear for each log entry on the remote logging server. Step 4: restart rsyslog. Log Rotate Setup 1. Example: authpriv. And the last (“& ~”) forces Rsyslog not to try to find other matches for this message, otherwise it could be also stored to /var/log/messages, for instance, which is not what we are trying to get. (Almost all Debians come with rsyslog preinstalled. This is a problem because if someone accidentally restarts rsyslog or if another admin restarts rsyslog for some maintenance I will lose DNS logging all together. Specifically, you may want to have one log per each server, perhaps with the hostname in the filename. Install rsyslog yum install rsyslog * -y you have to stop syslog service then only it will work systemctl stop syslogd systemctl disable syslogd then start the rsyslog service systemctl start rsyslog systemctl enable rsyslog Step 5 Now we need to create db for rsyslog so make sql file with following content CREATE DATABASE rsyslog; USE rsyslog;. Red Hat Enterprise Linux 7; systemd-journald. Hi! There is 24 hours since installation of XenServer 7 was made. conf(5) for exact information. [email protected] [~]# service rsyslog restart Redirecting to /bin/systemctl restart rsyslog. Usually, Syslog messages are sent to port 514 via UDP. Note that this means a full rsyslogd restart is done. (Yes, Rsyslog can be nasty!) Check the Linux system log for Rsyslog errors. Next we configure RSYSLOG clients to send their syslog data to the rsyslog server: Configuring RSYSLOG Clients Usually all we need to do is configure the rsyslog. On most Linux distributions, rsyslog is the standard syslog daemon that comes pre-installed. Configure Log Analytics TCP Source Rule Using the Centralized Log Management UI, you can configure a source rule to extract log analytics fields from syslog messages over TCP. d/slapd restart /etc/init. Restart rsyslog # service rsyslog restart Shutting down system logger (rsyslog): [ OK ] Starting system logger (rsyslog): [ OK ] Now, you should be able to see your syslogs in MySQL database! Logging just some facilities. d/rsyslog restart Rotation des logs. This Oracle Solaris release includes the option of installing and using the rsrsyslog service for managing system logging. As you can see, each of them are coming from a facility called local4 and they have different priorities. You can then jump over to the RHEL01 host and check the logs to see the event generated by the client system RHEL02. We need to edit the rsyslog config file "/etc/rsyslog. Restart syslog: sudo /etc/init. We can force rsyslog to pick up the new log file by adding a postrotate command in logrotate. And under the new 'systemd' system: systemctl restart rsyslog. conf file and restart the service. Restart the rsyslog daemon. Messages can be saved locally or sent to a remote syslog server. Go to the /etc directory, and use vi, vim (vim Cheat Sheet), or the editor of your choice to modify the /etc/rsyslog. Well, I haven’t posted in a LONG time, but I ran into something I thought I’d share. /etc/rsyslog. It can’t contain both. I have to say that when you need smart filtering, for example, config setup may become very tricky. You don’t have to visit the client systems when you want to check the log files of your client systems. Systemctl startup problems for rsyslog-8. 2 copied to a hard drive, so it is *weird*. Restart the following two services: $ sudo service rsyslog restart $ sudo service cron restart Sample outputs: rsyslog stop/waiting rsyslog start/running, process 4004 cron stop/waiting cron start/running, process 4014 Now, where are cron errors logged in Ubuntu LTS server? You need to view /var/log/cron. conf I appended the following to the end of the file: local7. Once you have cleared the log, its cleared. File on disk are created only if there is need to, for example if rsyslog runs out of (configured) memory queue space or needs to shutdown (and thus persist yet unsent messages). In our case, we send only authentication logs to remote rsyslog server. service is masked. For this example, certificates generated by the openssl-utils script contained in the /opt/lce/tools directory will be used. 131 attached in zip file qradar_rsyslog_no_events. syslogd is not transmitting anything. TableofContents 1. log' for all messages from application named 'controller' using the simple format defined above. service: Unit rsyslog. # service rsyslog restart. How to configure rsyslog 7. On 2010-10-14 20:06, jcdole wrote: > > Hello. This has, among others, the consequence that TCP and other connections are torn down. killall -HUP rsyslogd 2. * /var/log/anm. #!/bin/bash # # Deletes stale rsyslog "state" files, appends a timestamp to the new filename in /tmp & restarts rsyslog. sudo service rsyslog restart. a Rocket-fast SYStem for LOG processing. d/rsyslog restart or service rsyslog restart for Ubuntu and confirm it is running on the specified port with for example netstat -ntlp | grep rsyslog. Is there a config option somehow that can tell rsyslog to create a log file if not there before appending traces to it? Note: doing a service rsyslog restart will force creation of an empty log file. Install Rsyslog and LogAnalyzer on Centos 6 Paolo Valsecchi 16/07/2013 5 Comments Reading Time: 3 minutes Rsyslog and LogAnalyzerare tools that help administrators to collect the systems log in a centralized place and facilitates the data analysis. The de facto system logger on Linux systems is. Use the following configuration information to use rsyslog to collect and send syslog to your USM Anywhere Sensor. Having searched on the web for a simple, better open-source solution for this, the ideal solution seemed to be Rsyslog collector. service rsyslog restart Search Remote Log File. Interesting. I want to send the tomcat logs to syslogs servers in redhat 7 as follows: 1. sudo systemctl restart rsyslog To check which rsyslog sockets in listening state are opened on a Debian Linux system, you can execute the netstat command with root privileges. This section describes how to configure the logging of alert messages to the syslogd daemon and how to configure the operating system to accept syslog alerts. Use the chkconfig command to ensure the rsyslog service starts automatically in future. Sending Syslog via AMQP into Graylog. Very usefull. Another command that provokes log messages is su, used to switch user. # service rsyslog restart. Now we have some application that uses system syslog with some tag on it’s messages. rsyslog will also be configured to dump to a file, and this file will be rotated monthly using the usual logrotate scripts. We need to edit the rsyslog config file "/etc/rsyslog. Please note that restart-type HUP is depricated and will go away in rsyslog v5. syslog is installed. 9 with TLS If you’re looking to encrypt syslog transmissions between client and server, you can do so via rsyslog with TLS. You should see a new log with no errors. 4、使用刚才安装的rsyslog-mysql程序包文档目录下的sql文件创建rsyslog数据库: 使用rpm -ql rsyslog-mysql 查询并找到该sql文件 使用该文件创建数据库 mysql -u root -p < mysql-createDB. 2 copied to a hard drive, so it is *weird*. The systemd journal limit is hit before any default rsyslog limits as its default limits are smaller. systemctl restart rsyslog. privileges to complete this procedure. Sending Syslog via AMQP into Graylog. conf file and add the following line(x. It offers high-performance, great security features and a modular design. Myserver : 206 vim /etc/rsyslog. We’re going to configure rsyslog server as central Log management system. $ service rsyslog stop $ rm -f /var/spool/rsyslog/* $ service rsyslog restart If spool files have not been re-created after restart, try to restart again. systemctl restart rsyslog To test if rsyslog works fine, try a test. The tag local_ip indicates the manager IP. Restart your rsyslog daemon with service rsyslog restart or systemctl restart rsyslog and open the port you chose on your firewall for all IPs that will be sending syslog messages to your logging server. conf) Before configuring Web Gateway rules, the syslog daemon configuration must be updated. On client side Add the provided port to the firewall # iptables -A INPUT -p tcp --dport 10514 -j ACCEPT. File on disk are created only if there is need to, for example if rsyslog runs out of (configured) memory queue space or needs to shutdown (and thus persist yet unsent messages). we will be using rsyslog with a 3rd party program, LogAnalyzer. After a restart of Rsyslog you should see syslog messages getting shipped to your remote server, if you want to see exactly what Rsyslog is doing you can add the following lines into rsyslog. Its running inside KVM if it matters. lunes, mayo 06, 2013. Make sure you have Rsyslog version 5. I was testing the chrony/ntp services on a RHEL7 VM and was resetting its time as well as the host's. Modern linux distributions are using the rsyslog daemon for syslogging. Here is a screenshot that demonstrates the problem: As you can see, the message field shows the data is prepended with a timestamp, which is causing the import_json input to fail as it's not valid JSON data. After adding the above lines to the rsyslog. Actually, it is a rsyslgod stop immediately followed by a restart. Several archival (non-compressed) files will also be configured in LogAnalyzer for historical purposes. Change to the folder to list all the log files. Click Here - streamed recently - subscribe to get a heads up for next time!. " initscript rsyslog, action "restart" failed. Restart the rsyslog server: systemctl restart rsyslog Still on the server: Now we need to generate a key pair for our client that is trusted and signed by the CA. Now all the message logs are sent to the central server and also it keeps the copy locally. Okay, now that we have message reliability put in place, let’s test it out. As you probably guessed it, for every incoming message, rsyslog will interpolate log properties into a JSON formatted message, and forward it to Logstash, listening on port 10514. Syslog ¶ The latest version of syslog is actuall called rsyslog. [[email protected] ~]# yum -y install rsyslog-gnutls. This should only be done in the GUI using the File Editor. We do this on the same machine (the server) that we created the ca-cert. If you restart the Splunk indexer you are sending to, you lose syslog data. Environment. While it started as a regular syslogd, rsyslog has evolved into a kind of swiss army knife of logging, being able to. * /var/log/anm. Head over to rsyslog server and navigate to the /var/log/ folder to find a folder by the name same as hostname of remote client. log into /etc/rsyslog. So things have been running along just swimmingly in my lab environment for quite a while, so I got a little lax at checking logs. log' for all message coming from remote machines using the simple format defined above. Here is the example with the INPUT chain having the last rule to be a REJECT one. Stack Exchange network consists of 175 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. And same log information we will see in rsyslog server. In order to apply any changes made to rsyslog configuration file, you must restart the daemon to load the new configuration. For an introduction to rsyslog, see this video of Rainer Gerhards. sudo service stackify-agent restart Rsyslog will now forward all the messages to UDP port 10514. Please see the external link to rsyslog. A disadvantage is that it's possible that a lot of useful log records are missed due to the rate limiting of rsyslog. Restart rsyslog and you should. I've re-written it in my own words and added some content that was missing in the original article. # service rsyslog start # chkconfig rsyslog on. This file indicates to which server the messages will be sent. As I mentioned in the Gentoo section, it is a little rough to read if your terminal is not wide enough, but you can verify that the logs are going to the database with ~# mysql -p -e "SELECT * FROM Syslog. Logstash : part of the ELK stack, Logstash will transform logs from the syslog format to JSON. Is there a config option somehow that can tell rsyslog to create a log file if not there before appending traces to it? Note: doing a service rsyslog restart will force creation of an empty log file. And check status of it once restarted. service is masked. # systemctl restart rsyslog. The wrinkle is that we aren't a Java shop, so installing java on our hosts just to ship logs back to a central Logstash indexer is something we'd like to avoid. [[email protected] ~]#. syslog is installed. At least two indexers with http event collector, more = better. The rsyslog service is configured using the "/etc/rsyslog. notice -t from_cmd_line "Test Message". One of the most common tasks after you configure your remote servers to ship logs into your new RSyslog collector is to start logging events into separate log files. The changes must be made on a per-appliance basis, so different appliances in a cluster can have different configurations here. How to Setup Rsyslog Remote Logging on Linux - Every Linux distribution comes with some logging systems to record system activities. Some logs may also be in /var/log/syslog OR /var/log/messages. Sysklogd provides two system utilities which provide support for system logging and kernel message trapping. rsyslog syslog-ng is a syslog implementation which can take log messages from sources and forward them to destinations, based on powerful filter directives. log' for all messages from application named 'controller' using the simple format defined above. rsyslog : used as an advancement syslog server, rsyslog will forward logs to Logstash in the RFC 5424 format we described before. conf(5) for exact information. Once you have cleared the log, its cleared. Restart the syslog daemon sudo service rsyslog restart. rsyslog Provisioning. Among others, it is able to buffer messages that were received, but could not yet be processed. Restart rsyslog with sudo service rsyslog restart. service b – Demonstrating message reliability. In out setting the bulkmode="on" and set "queue. # service rsyslog restart Firewall. How do I restart NTPD server or service on a Debian/Ubuntu / RHEL / Red Hat Enterprise / Fedora / CentOS Linux operating systems? On Linux Network Time Protocol service name can be any one of the following: After. ~# service rsyslog restart. After an service rsyslog restart or /etc/init. You can use DSCC to perform this task. You must see,a directory with hostname of your. From here onwards, I shall be using rsyslog and syslog interchangeably as What gets logged by rsyslogd daemon and where it goes is controlled by /etc/rsyslog. After configuring Rsyslog centralized server, lets configure clients system to send there logs to central Rsyslog server. Rsyslog is logging server used in Linux systems. Save the file and restart syslogd by doing: sudo service rsyslog restart. I highly encourage you to read chapter Chapter 25. Step 4 - Lastly, we just need to restart the rsyslog service in the VCSA for the changes to go into effect by running the following command: systemctl restart rsyslog If everything was configured successfully, we should start to see entries from both ssoAdminServer. To remain compatible to the sysklogd of doing HUP, rsyslogd does a full daemon restart when it is HUPed. Use the service command to start the rsyslog service. d/slapd restart /etc/init. Try using the following command:. Next we configure RSYSLOG clients to send their syslog data to the rsyslog server: Configuring RSYSLOG Clients Usually all we need to do is configure the rsyslog. Restart the rsyslog service: # service rsyslog restart The restart should have triggered the /var/log/shorewall. On client side Add the provided port to the firewall # iptables -A INPUT -p tcp --dport 10514 -j ACCEPT. First log into the rsyslog host that will receiving the. conf file and restart the service. /var/log/messages is still zero size. If you are interested in just the dhcp syslog messages, then add local7. 4 minimal installation,rsyslog version 5. Viewing and Managing Log Files of RHEL documentation. From vrouter (as the rsyslog client) or the rsyslog server:. For a simple rsyslog config validation. Configuration changes have to be followed by a restart of the service. If one of your Linux hosts is running SELinux and rsyslog, you may be running into issues receiving logs from from this host on one of your Nagios Log Server nodes. Create rsyslog folder under /var/log : [[email protected] ~]# mkdir /var/log/rsyslog 9. I restarted rsyslog and again it tried to copy everything since bootup into the new /var/log/messages. This is a problem because if someone accidentally restarts rsyslog or if another admin restarts rsyslog for some maintenance I will lose DNS logging all together. This logs correspond to me connection from home to the server, still the time did not matched, so I went on to see of Rsyslog was logging with UTC and google helped. First, open "/etc/rsyslog. Rsyslog is logging server used in Linux systems. to syslog and its alternatives syslog-ng and rsyslog. Goal: Two VMs with common VIP for NSPOF Syslog server for demo environment (reflective of large corporate which would need that degree of HA for syslog). Go to the /etc directory, and use vi, vim (vim Cheat Sheet), or the editor of your choice to modify the /etc/rsyslog. To collect the Windows Eventlogs, configure nxlog (version 2. # service rsyslog restart NOTE: Replace remote-hostname with the actual hostname of the remote log server, and we use one @ for UDP and @@ for TCP communicate. info is better? local5.