Send Logs to Remote Host

TNSR can send log data to a remote log server reachable through the host namespace using the rsyslog service. This feature allows that server to receive log data from a TNSR host so it can be processed externally. This feature does not affect local logging behavior.

Tip

Using a remote log server is a best practice for long-term log storage, monitoring, and analysis. This method is commonly used for compliance with various regulations or policies for log retention.

Warning

Log data may contain sensitive information and remote logging is not encrypted. Log data should only be sent to remote log servers over a secure direct connection or via encrypted transport such as a VPN.

Note

At this time, this feature only supports the host namespace.

Remote Logging Configuration

To configure remote logging, define one or more remote logging servers. Starting from config mode, use the logging remote-server <name> command, which enters config-log-remote mode.

The following commands are available within config-log-remote mode to configure a remote logging server:

address (<fqdn>|<ipv4-addr>|<ipv6-addr>):

Defines the remote address of the log server, which can be a fully qualified domain name (hostname), IPv4 address, or IPv6 address.

This command is required.

port <port>:

Defines the destination port on the server address to which the daemon will send log data.

This command is required.

Note

This only controls the destination port. The daemon always randomizes the source port and the server must accept log messages from any source port.

transport-protocol (tcp|udp):

Controls which transport protocol the daemon will use to send log data to the server. The server must be configured to match.

This command is required.

filter syslog-facility (all|<facility-name>) [priority <priority-name>]:

Defines a filter which limits the log data the daemon will send to the remote log server. This can either be a specific facility name, or a facility name and priority. This command can be repeated to configure multiple filters.

This command is optional.

syslog-facility (all|auth|authpriv|cron|daemon|ftp|kern|local[0-7]|lpr|mail|news|syslog|user|uucp):

Limits log messages to only those using a specific log facility. Log sources use these facilities to describe which part of a system generated a log message.

priority (debug|info|notice|warning|err|crit|alert|emerg):

Limits log message output to messages with the given priority level and higher. The order of priorities is as listed above. For example, if priority crit is specified, that also includes messages for alert and emerg priorities.
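When verifying a filter from the log server side, it helps to know which messages should arrive at all, so that filtered messages are not mistaken for UDP loss. The following Python code is an added example, not part of TNSR or its documentation: it decodes the standard syslog PRI field (facility code * 8 + severity code, as in RFC 3164/5424) and applies filters shaped like the ones described above. The function names, the sample datagrams, and the assumption that repeated filters combine as a logical OR are constructed for illustration.

```python
import re

# Syslog PRI field: PRI = facility_code * 8 + severity_code
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp",
              **{16 + n: f"local{n}" for n in range(8)}}
# List index is the severity code; a lower code is a higher priority.
PRIORITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(datagram):
    """Return (facility, priority) names from a raw syslog datagram."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI field")
    code, severity = divmod(int(m.group(1)), 8)
    return FACILITIES.get(code, f"facility{code}"), PRIORITIES[severity]

def is_forwarded(filters, facility, priority):
    """filters: list of (facility or 'all', minimum priority or None).
    Assumption: repeated filters combine as OR; no filters means send all."""
    if not filters:
        return True
    rank = PRIORITIES.index(priority)
    for want, minimum in filters:
        if want in ("all", facility) and (
                minimum is None or rank <= PRIORITIES.index(minimum)):
            return True
    return False

def expected_at_server(filters, datagrams):
    """Decode each datagram and keep those the filters would let through."""
    decoded = [decode_pri(d) for d in datagrams]
    return [fp for fp in decoded if is_forwarded(filters, *fp)]

# Constructed sample datagrams (not real TNSR output).
SAMPLES = [
    b"<34>Jan  1 00:00:01 tnsr sshd[100]: constructed auth/crit message",
    b"<86>Jan  1 00:00:02 tnsr sudo: constructed authpriv/info message",
    b"<30>Jan  1 00:00:03 tnsr daemon[7]: constructed daemon/info message",
    b"<1>Jan  1 00:00:04 tnsr kernel: constructed kern/alert message",
]

if __name__ == "__main__":
    # Two filters: authpriv at any priority, and all facilities at crit and higher.
    for item in expected_at_server([("authpriv", None), ("all", "crit")], SAMPLES):
        print(item)
```
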

Remote Logging Example

The following example covers configuring TNSR to send all log data to a remote log server at 198.51.100.52 on UDP port 514, which is directly reachable from the host namespace.

The server configuration will vary by implementation and is out of scope for this basic example. At a minimum it must allow incoming log data from any source port on the IP address of the host management interface for this TNSR instance.

Warning

The rsyslogd daemon sends log messages from a randomized source port. Some log servers only accept log messages from a source port of 514 by default or they may route messages differently depending on the source port. Ensure the log server is configured to allow incoming log messages from any source port.

Starting from config mode, run the following commands to configure the example log server:

tnsr(config)# logging remote-server loghost
tnsr(config-log-remote)# address 198.51.100.52
tnsr(config-log-remote)# port 514
tnsr(config-log-remote)# transport-protocol udp
tnsr(config-log-remote)# exit
tnsr(config)#