CentOS 7: Set up Centralized Logging with Rsyslog

Views: 41,765

Just me and Opensource

9 years ago

In this video, I will be showing how to set up centralized logging with the rsyslog service on CentOS 7 servers.
This demonstration will be carried out on virtual machines.
I have also been doing videos on more modern logging technologies like the ELK stack and the EFK stack. If you are interested, please watch the following playlist.
• [ ElasticSearch 1 ] In...
For any questions/issues/feedback, please leave me a comment and I will get back to you.
Thanks for your time watching this video. If you liked it, please share it with your friends and don't forget to subscribe to my channel.
Thanks,
Venkat

Comments: 63
@patrickgosselin9756 (7 years ago)
Great video! Good production quality and right to the point. Thanks!
@justmeandopensource (5 years ago)
Hi Patrick Gosselin, many thanks for watching this video. Hope you found it useful. Thanks, Venkat
@yfs9035 (4 years ago)
Thanks, it's about time I set this up.
@justmeandopensource (4 years ago)
Thanks for watching. Cheers.
@thelebbies (7 years ago)
This was fantastic, man!!
@justmeandopensource (5 years ago)
Hi Sahr Lebbie, many thanks for watching this video. Hope you found it useful. Thanks, Venkat
@iammrchetan (3 years ago)
That's great! Very easy & crisp, learnt this. Thanks! Although I have an issue: %HOSTNAME% creates the directory name as localhost for the remote server.
@coreycox4802 (7 years ago)
Great job explaining this.
@justmeandopensource (5 years ago)
Hi Corey Cox, many thanks for watching this video. Hope you found it useful. Thanks, Venkat
@SAlexandert8 (6 years ago)
Really made this easy, thanks!
@justmeandopensource (5 years ago)
Hi Stephen Alexander, many thanks for watching this video. Hope you found it useful. Thanks, Venkat
@Waris-bv7nu (5 years ago)
Great video. Thanks for sharing.
@justmeandopensource (5 years ago)
Thanks Waris
@nadzeyahutsko1094 (3 years ago)
It is so helpful! Thank you very much!!!
@justmeandopensource (3 years ago)
Hi Nadzya, thanks for watching. Cheers.
@Pingao2012 (2 years ago)
Nice!
@georgeradu3759 (3 years ago)
Great work, man.
@justmeandopensource (3 years ago)
Thanks for watching.
@hamzadev8311 (4 years ago)
Thank you man, very interesting (y)
@justmeandopensource (4 years ago)
Hi Hamza, thanks for watching. Cheers.
@santhosh933 (6 years ago)
God bless you...
@justmeandopensource (5 years ago)
Hi Santhosh S T, many thanks for watching this video. Hope you found it useful. Thanks, Venkat
@brainio1762 (7 years ago)
Great tutorial :-)
@justmeandopensource (5 years ago)
Hi Brain I/O, many thanks for watching this video. Hope you found it useful. Thanks, Venkat
@bodhisattwaghosh2673 (8 years ago)
Very good one.
@justmeandopensource (5 years ago)
Hi Bodhisattwa Ghosh, many thanks for watching this video. Hope you found it useful. Thanks, Venkat
@Mac-ew1gv (6 years ago)
Great work!!! I was stuck for about 2 hours trying to figure out why my switch could not contact my Linux server.
@justmeandopensource (5 years ago)
Glad that it helped you. Thanks for watching!!
@flavioreis9280 (4 years ago)
Thank you for your video! o/
@justmeandopensource (4 years ago)
Thanks for watching.
@georgesmiley3334 (5 years ago)
Thank you for this nice video. I tried to follow this to configure my own rsyslog file. However, my template won't create a new remotehosts directory for me. Did you do much other configuration in the rsyslog.conf file? What is the umask for your rsyslog.conf file?
@justmeandopensource (5 years ago)
Umask doesn't matter. Are you sure you followed the video and the rsyslog.conf configuration line by line? Please give it another try from "5:30". If you couldn't see the configuration clearly, it is the below three lines that you need to add to rsyslog.conf, and don't forget to restart the rsyslogd service.

$template RemoteLogsTesting,"/var/log/remotehosts/%HOSTNAME%/%now%.log"
if $fromhost-ip != '127.0.0.1' then -?RemoteLogsTesting
& stop

Thanks
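To make those three lines concrete, here is an added example (not code from the video, and not rsyslog's own code) that models what the rule does in Python: it parses a BSD syslog line, applies the $fromhost-ip test, and expands the template, so you can see which file a message lands in. It also explains the "localhost" directory a commenter ran into: %HOSTNAME% is whatever the client put in its own syslog header, while %FROMHOST-IP% is the peer address the server saw, so a template keyed on the latter gives one directory per sending address no matter what the client calls itself. The function names, the sample lines and the fixed date are this example's own assumptions.

```python
"""Toy model of the three-line rsyslog rule in the reply above.

Added example, not code from the video or from rsyslog. It mimics what the
$template / if-then / '& stop' rule does so the destination path for a given
sender can be seen, including why a client whose header still says
'localhost' lands in /var/log/remotehosts/localhost/. Function names, sample
lines and the fixed date are this example's own.
"""
import re
from datetime import date

# Constructed RFC 3164 style line as rsyslog receives it on UDP/TCP 514:
#   <PRI>Mmm dd HH:MM:SS hostname tag[pid]: message
_BSD_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$"
)

# The header hostname is chosen by the client and becomes a path element, so
# only accept what a hostname may contain; '/', '..' and whitespace are refused.
_SAFE_HOST = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")

LOCAL_ONLY_IP = "127.0.0.1"                                     # the '$fromhost-ip != 127.0.0.1' test
HOST_TEMPLATE = "/var/log/remotehosts/%HOSTNAME%/%now%.log"     # the template from the reply
PEER_TEMPLATE = "/var/log/remotehosts/%FROMHOST-IP%/%now%.log"  # keyed on the sender's address instead


def parse_syslog(line):
    """Split a BSD syslog line into its header fields; None if it does not parse."""
    m = _BSD_LINE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "hostname": m.group("host"),
        "message": m.group("rest"),
    }


def is_safe_hostname(host):
    """True if the header hostname is fit to be used as a directory name."""
    return _SAFE_HOST.match(host) is not None and ".." not in host


def render_template(template, props):
    """Expand %PROPERTY% placeholders the way a $template string does."""
    def expand(m):
        key = m.group(1)
        if key not in props:
            raise KeyError("unknown property %%%s%%" % key)
        return props[key]
    return re.sub(r"%([A-Za-z-]+)%", expand, template)


def route(line, fromhost_ip, template=HOST_TEMPLATE, today=None):
    """Path the message is written to, or None when the rule does not fire.

    None mirrors the 'if ... != 127.0.0.1' test failing: the message stays with
    the server's own local rules (/var/log/messages and friends). When the rule
    fires, '& stop' means no later rule sees the message, which is why remote
    lines do not also show up in the server's /var/log/messages.
    """
    msg = parse_syslog(line)
    if msg is None:
        raise ValueError("not a BSD syslog line: %r" % line)
    if fromhost_ip == LOCAL_ONLY_IP:
        return None
    if not is_safe_hostname(msg["hostname"]):
        raise ValueError("refusing header hostname %r as a path element" % msg["hostname"])
    props = {
        "HOSTNAME": msg["hostname"],
        "FROMHOST-IP": fromhost_ip,
        "now": today or date.today().isoformat(),  # %now% expands to YYYY-MM-DD
    }
    return render_template(template, props)


if __name__ == "__main__":
    # Constructed sample traffic: the server's own message, a remote client with a
    # proper hostname, and a remote client whose header still says 'localhost'.
    samples = [
        ("<13>May  1 12:00:00 logserver systemd[1]: Started Session 5.", "127.0.0.1"),
        ("<38>May  1 12:00:01 web01 sshd[2210]: Accepted publickey for admin", "10.0.0.5"),
        ("<38>May  1 12:00:02 localhost sshd[913]: Failed password for root", "10.0.0.9"),
    ]
    for line, peer in samples:
        print("%-10s -> %s" % (peer, route(line, peer, today="2024-05-01")))
        print("%-10s -> %s" % (peer, route(line, peer, PEER_TEMPLATE, today="2024-05-01")))
```

Because the header hostname is supplied by the client and ends up as a path element, the example refuses anything that is not a plain hostname before building the path. On a real server that is the argument for keying the directory on %FROMHOST-IP% when you do not trust the senders, and for checking the client's hostname setting before wondering why its logs land under localhost.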
@SonnetGomes (7 years ago)
Thank you so much for this tutorial. It's great to be able to use a log server to aggregate all the logs. But would it be possible to access the local logs if the network or the log server was down (or overwhelmed by 1000s of server logs)? Is it possible to scale or have any redundant log server?
@justmeandopensource (5 years ago)
Hi Sonnet, that's definitely possible. I just read an article from the Red Hat Knowledge Base. IMPORTANT: this only works if you configure TCP (reliable, guaranteed delivery of packets) forwarding with "@@" and not UDP (not a reliable protocol). Configure two central log servers in the client's /etc/rsyslog.conf as below:

*.* @@central-log-1
$ActionExecOnlyWhenPreviousIsSuspended on
&@@central-log-2

This will forward logs to the central-log-1 server, and if it can't be reached or it is powered down, the logs will be forwarded to central-log-2. IMPORTANT: on both central log servers, the directory where you collect client logs (for eg: /var/log/remotehosts) has to be on NFS and mounted read-write on both central log servers. Otherwise, if you use a local filesystem, you will end up having log files in two places. Hope this makes sense. Thanks
@b_h_a_v_i_k (6 years ago)
Hi, thank you for the video. I am facing an issue though. My configuration is not creating the remotehosts directory and continues to write to /var/log/messages. Do you know what can be the issue?
@justmeandopensource (5 years ago)
After following my video from "5:30", did you restart the rsyslogd service? The configuration you need to add, as mentioned in the video, is:

$template RemoteLogsTesting,"/var/log/remotehosts/%HOSTNAME%/%now%.log"
if $fromhost-ip != '127.0.0.1' then -?RemoteLogsTesting
& stop

Thanks
@panneerselvam3785 (6 years ago)
Great tutorial Venkat. Do you have any reference to configure rsyslog for application log files???
@justmeandopensource (5 years ago)
Hi Panneer, you can do that, but it's not straightforward. For example, if you wanted to forward Apache logs to a central log server via rsyslog forwarding, you will have to do something like below. Configure Apache to log using rsyslog. Have a look at the below documentation on how to use the "pipe" argument on the CustomLog directive: httpd.apache.org/docs/current/mod/mod_log_config.html#customlog For eg:

CustomLog "|/usr/bin/logger -t apache -p local6.info" combined
ErrorLog "|/usr/bin/logger -t apache -p local6.err"

That should be it. Apache, after a restart, should start logging to the syslog facility and rsyslog will forward to the centralized log server. Hope this gives you some direction to explore further. Thanks.
@JoseBarbosa-gv2mr (5 years ago)
This is an awesome video and it's working for me... however, I'd like to know if it is at all possible to have the files merged together, when I'm trying to look at the big picture? Thanks in advance.
@justmeandopensource (5 years ago)
Hi Jose, I guess you mean, on the server side, you wanted all the clients to write to a single file instead of one per machine. You can do that. In the video at "5:45" I demonstrated how to configure rsyslog.conf to allow clients to log into separate files under /var/log/remotehosts//.log. If you want all clients to write to the same file, then just use the below line:

$template RemoteLogsTesting,"/var/log/remotehosts/allclients.log"

And follow the rest of my video. The more ideal way would be to use Splunk for this. If your organization has a Splunk server, you can install the Splunk Forwarder on each client or just on the centralized log server and forward logs to the Splunk server. In this case you can look at the bigger picture. Splunk is vast and apt for logging, searching and visualizing. Hope this was useful. Thanks.
@faizi80 (7 years ago)
Do you know if it is possible to just "copy" already created log files instead of online logging on the remote server? I mean, copy the files to the remote server when logrotate happens?
@justmeandopensource (5 years ago)
Hi Muhammad, the idea of centralized logging is to allow a system (client) to forward its logs **realtime** to a centralized server. This is useful since you can have a one-stop shop for all your client logs instead of logging into each of them. Not just that, it is also useful when the security of a client machine is compromised and an intruder gets hold of the system. The intruder can do whatever he wants and manipulate the log files to make you believe that nothing happened. If you had centralized logging enabled, it is always recorded. Also, you can control log rotation for all clients in one place on the centralized server. Given all these use cases, I don't understand why you want to copy rotated log files to another server. Maybe you wanted to back up and retain those logs. You can do that via a cron job on the client that rsyncs the pattern-matching log files to a remote server. Hope this makes sense. Thanks
@lanhnguyenthi1205 (1 year ago)
I followed your steps and restarted the rsyslogd service after configuring. Both servers can ping each other, but the log is still written into `/var/log/messages`. Do you know the reason? Do we need to set SELinux to permissive mode?
@priyasudhirpriya (3 years ago)
Hi Venkat, I did the exact configuration but logs are not displayed on the server. Logs are not recorded on the server. Any idea? Thanks for your video. It gave me an idea of how central logs work. Thank you.
@justmeandopensource (3 years ago)
Hi Sudhir, thanks for watching. I did this video more than 5 years ago. I am glad that it is still relevant. I need to revisit this to be able to help you. Let me see if I can get some time for this.
@priyasudhirpriya (3 years ago)
@justmeandopensource thank you very much Venkat.
@aronb.acostagarcia9784 (5 years ago)
Nice video! Quick question: how can I configure this to remove all logs older than one week?
@justmeandopensource (5 years ago)
Hi Aron, thanks for watching this video. As per the setup shown in this video, you will see one directory per client machine in the /var/log/remotehosts directory. Under each of those directories you will see log files per day. You can configure log rotation to do what you want. You can create a config file under the /etc/logrotate.d directory. Thanks
@aronb.acostagarcia9784 (5 years ago)
@justmeandopensource Thanks for your response. I am trying with this but it does not work:

vi /etc/logrotate.conf

/var/log/remotehosts/* {
    ifempty
    size 0
    postrotate
        /usr/bin/find /var/log/remotehosts/ -name "*.log.*" -type f -mtime +7 -exec rm -f {} \;
    endscript
}

Could you please provide the commands to do that? Thanks a lot!!
@justmeandopensource (5 years ago)
@aronb.acostagarcia9784 I just noticed that in your postrotate block, in your find command, you have "*.log.*" which won't match anything. Try changing that to "*.log". But there are other, more elegant ways without the hack of using a postrotate block. That block is to do something when the log has been rotated.
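As an added example (not from the video, and separate from the logrotate attempt above), the following Python does the week-old cleanup directly on the /var/log/remotehosts/<host>/<YYYY-MM-DD>.log layout the template creates, keyed on the date in the file name rather than on mtime, and at the same time reports clients whose newest day file is stale. A client that stops forwarding is either a network or rsyslog problem or the first sign that someone on that box switched logging off, which is exactly the event the earlier reply about compromised clients says a central log server exists to catch. The paths, thresholds, function names and the sample tree are this example's own assumptions.

```python
"""Retention and 'silent client' check over the per-host tree from the video.

Added example, not from the video or the commenter's logrotate config. It
assumes the layout the video's template produces, /var/log/remotehosts/<host>/
<YYYY-MM-DD>.log (one directory per client, one file per day, since %now%
expands to the date), and keys on the date in the file name rather than on
mtime. demo() runs it over a constructed sample tree in a temp directory;
scan_tree() on the real directory is the same call.
"""
import os
import tempfile
from datetime import date


def _day_from_name(name):
    """'2024-05-01.log' -> date(2024, 5, 1); None for anything else."""
    if not name.endswith(".log"):
        return None
    try:
        return date.fromisoformat(name[:-len(".log")])
    except ValueError:
        return None


def scan_tree(root, today, retention_days=7, max_silence_days=1):
    """Return (expired, silent) for a remotehosts-style tree.

    expired: paths of day files older than retention_days.
    silent:  {host: newest day or None} for clients whose newest file is
             older than max_silence_days, or that have no day files at all.
    """
    today = date.fromisoformat(today)
    expired, silent = [], {}
    for host in sorted(os.listdir(root)):
        hdir = os.path.join(root, host)
        if not os.path.isdir(hdir):
            continue                     # stray file at the top level: ignore
        newest = None
        for fname in os.listdir(hdir):
            day = _day_from_name(fname)
            if day is None:
                continue                 # rotated, compressed or foreign files are left alone
            if (today - day).days > retention_days:
                expired.append(os.path.join(hdir, fname))
            if newest is None or day > newest:
                newest = day
        if newest is None or (today - newest).days > max_silence_days:
            silent[host] = newest.isoformat() if newest else None
    return sorted(expired), silent


def purge(expired):
    """Delete the expired files; returns how many were removed."""
    for path in expired:
        os.remove(path)
    return len(expired)


def demo():
    """Build a constructed sample tree in a temp dir, then scan and purge it."""
    today = "2024-05-10"
    sample = {                                  # constructed; not real client data
        "web01": ["2024-05-01", "2024-05-02", "2024-05-09", "2024-05-10"],
        "db01": ["2024-05-03", "2024-05-04"],   # last heard from six days ago
        "localhost": [],                        # directory exists, never got a file
    }
    with tempfile.TemporaryDirectory() as root:
        for host, days in sample.items():
            os.makedirs(os.path.join(root, host))
            for day in days:
                with open(os.path.join(root, host, day + ".log"), "w") as fh:
                    fh.write("<13>%s 00:00:00 %s sample: constructed line\n" % (day, host))
        expired, silent = scan_tree(root, today)
        result = {
            "expired": [os.path.relpath(p, root) for p in expired],
            "silent": silent,
            "removed": purge(expired),
        }
        result["remaining"] = {h: sorted(os.listdir(os.path.join(root, h))) for h in sample}
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-9s %s" % (key, value))
```

Run it from cron on the log server with scan_tree pointed at /var/log/remotehosts. The silent list is worth more than the cleanup: with a seven-day retention and a one-day silence threshold, db01 in the sample shows up as silent long before its files would ever be old enough to delete.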
@TheNielsAlmelo (4 years ago)
Can I also log Windows machines to my CentOS rsyslog?
@justmeandopensource (4 years ago)
Hi, thanks for watching this video. I believe it's possible but not out of the box. You have to install some third-party software for that. Check the below blog post, which looks promising, with the Datagram syslog agent: yallalabs.com/windows/how-to-forward-windows-system-event-logs-to-a-linux-syslog-server/ There is also other software that can do the same thing. But I haven't tried any of them. Cheers.
@faizi80 (7 years ago)
Good short tutorial. It could have been better if you had used server/client words instead of cenvm01/02; it kind of confuses.
@justmeandopensource (5 years ago)
Yeah, that makes sense. I should have thought about it from the viewer's point of view. Thanks for your feedback, and I will make sure I use appropriate conventions for naming.
@erickwakye4491 (5 years ago)
Hi, how do you push Windows server or Cisco logs to rsyslog? A video could help, please.
@justmeandopensource (5 years ago)
Hi Eric, thanks for watching my video. I wasn't sure whether we could forward Windows event logs to a Linux rsyslog server. But when I searched, I found the below serverfault link where someone already asked the same question. And there seem to exist a few options. I have got many videos in the pipeline that I need to work on. And if I get some time, I will check this and if something seems to be working, I will definitely make a video of it. Thanks, Venkat
@erickwakye4491 (5 years ago)
@justmeandopensource I appreciate your response. I'm also doing checks; if I get something on it I will push the link to you. You know centralized log systems are a big thing now, so it would really help if rsyslog could be very flexible with other operating systems or devices such as Windows, Cisco and others to push logs.
@justmeandopensource (5 years ago)
Hi Eric, I don't think I pasted the link in my previous comment. Here it is: serverfault.com/questions/422800/forward-windows-events-logs-to-rsyslog/427036 Yes, centralized logging is a big thing nowadays. Just wondering whether you thought about Splunk or Elasticsearch, which are widely used. The ELK stack especially is a good one. You can install an agent and forward logs/metrics from any device/OS. I did a video on the ELK stack recently. If you are interested, you can check it out at kzbin.info/www/bejne/eZfFkqGfpJh_l9E and see if that's helpful. Thanks, Venkat
@erickwakye4491 (5 years ago)
@justmeandopensource Okay sir, will check and revert.
@aaammm1888 (4 years ago)
Can this be configured to send logs to my remote Tor server?
@justmeandopensource (4 years ago)
Hi, thanks for watching this video. You want the logs to be sent to a Tor server? Is that a syslog service? Or do you want your Tor server logs to be forwarded to a central syslog server?
@aaammm1888 (4 years ago)
@justmeandopensource Hi, thanks for the reply. First things first, what a great video you made, thanks. Well, I'm looking into securing/hardening my CentOS servers. I will have a few, each server running a different thing: one will be running nginx and PHP, one will be running MySQL, and so on. I would like to make a central log server where all my other servers will send logs, so I can monitor all logs from one server. But this server will be hidden within Tor, so the central server will be hosted on Tor.
@justmeandopensource (4 years ago)
@aaammm1888 If your client machines can talk to the central log server in a consistent way, then there shouldn't be any problem. What is the exact issue you are facing? Is your central log server not accessible? Is its IP constantly changing?