Following on from my previous post on the Pi, I thought I’d quickly document the process to use it as a log forwarder (well, a syslog forwarder).

The Rasbian distribution already comes with rsyslogd installed, so we only need to make a few tweaks to the /etc/rsyslog.conf file.

First was to uncomment the lines at the start of the file to enable remote reception of events:

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Then to add some additional global configuration to enable the caching (in memory, and only resorting to disk when absolutely necessary) of messages:

$ActionQueueType LinkedList   # use asynchronous processing
$ActionQueueFileName srvrfwd  # set file name, also enables disk mode
$ActionResumeRetryCount -1    # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down

Then to add a rule to forward the entries I’m interested in (IP’s are not real):

#Forwarding
if $fromhost-ip == '192.0.0.0' then @192.0.0.0
& ~
#End forwarding

And that's it. One syslog forwarder. Next I’ll probably post about the app I’ve written to receive, index and allow easy access to the syslog data Smile

The whole reason I did this was to capture data from my router, and move it to a database on my desktop – when it’s on. I don’t want to leave my desktop on all the time, as that’s a massive waste of electricity, and the Pi solves it with a neat and tidy, low power solution.