On your syslog host, the following lines must exist in /etc/rsyslog.conf in order to enable reception of messages over UDP.
Code:
[host]# grep -A 2 Provides.UDP /etc/rsyslog.conf
# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerRun 514
Also in rsyslog.conf on the syslog server, you should specify the facility, severity, and log location for messages from the client hosts as follows. This gives you a single file of messages from the client hosts to look through, instead of having their messages mixed in with those logged by the local host. This assumes the clients are configured to send their messages with facility local6; anything they send on other facilities will still land in the local host's own log files.
Code:
# Other Hosts logs
local6.* /var/log/yourhosts/syslog.log
Your /etc/logrotate.d/syslog should be changed on the syslog host to look like the following. This ensures that the hosts' logs are properly rotated and compressed, and that enough historical log data is retained for forensic purposes.
Code:
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron /var/log/yourhosts/syslog.log {
daily
missingok
rotate 26
compress
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
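As an added example (not from the original post), here is a small POSIX shell audit function that checks a syslog host for the three settings above: the imudp listener, the local6 rule, and a logrotate entry covering the remote hosts' log file. The file paths are the ones used in this post; the function name and its messages are my own.

```shell
#!/bin/sh
# Added example, not part of the original post.
# check_syslog_host [RSYSLOG_CONF] [LOGROTATE_CONF]
# Prints each missing setting and returns 0 only when all of them are present.
check_syslog_host() {
    rs="${1:-/etc/rsyslog.conf}"
    lr="${2:-/etc/logrotate.d/syslog}"
    rc=0
    # 1. UDP reception: imudp must be loaded and a listener started on 514.
    if ! grep -Eq '^\$ModLoad[[:space:]]+imudp' "$rs"; then
        echo "MISSING: \$ModLoad imudp in $rs"; rc=1
    fi
    if ! grep -Eq '^\$UDPServerRun[[:space:]]+514' "$rs"; then
        echo "MISSING: \$UDPServerRun 514 in $rs"; rc=1
    fi
    # 2. Remote hosts' messages (facility local6) routed to their own file.
    #    awk compares $1 as a plain string here, so "local6.*" is literal.
    dest=$(awk '$1 == "local6.*" { print $2; exit }' "$rs")
    if [ -z "$dest" ]; then
        echo "MISSING: local6.* rule in $rs"; rc=1
    # 3. That file must be rotated daily, compressed, and kept for N rotations.
    elif ! grep -Fq "$dest" "$lr"; then
        echo "MISSING: $dest not listed in $lr"; rc=1
    else
        for kw in daily compress 'rotate [0-9]+'; do
            grep -Eq "^[[:space:]]*$kw" "$lr" || { echo "MISSING: '$kw' in $lr"; rc=1; }
        done
    fi
    return $rc
}
```

Run it with no arguments on the syslog host itself, or point it at copies of the two files to audit a host's configuration offline.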