Sending copy of logs to the remote syslog server

cPanelMichael

Technical Support Community Manager
Staff member
There is no native support with cPanel to configure syslogd to store log files on a remote server. However, you could install rsyslogd and make custom changes to allow for it. Here is a basic guide that may be helpful:

1. Uncomment the remote host line and add the remote server's IP address in /etc/rsyslog.conf:

Change

Code:
#*.* @@remote-host:514
to

Code:
*.* @@<remote_host_IP_address>:514
2. Make sure the remote syslog host is configured to allow in port 514 from your cPanel server.

3. Restart rsyslogd on your cPanel server with "/scripts/restartsrv_rsyslogd".

Once you have verified that remote syslog is working, you may wish to adjust some of the forwarding parameters that appear in this section of /etc/rsyslogd.conf:

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
Thank you.
 

InteractM

Well-Known Member
Well, I have uncommented the remote host line and changed to (on cPanel server)

*.* @@A.B.C.D:514

Then went to A.B.C.D and added cPanel server IP to the AllowedSender lines (for TCP and UDP). Restarted rsyslog on both servers. So far I'm not getting anything from cPanel server (I'm getting logs from other servers or devices).

Any thoughts?

Thanks
 

InteractM

It is not an issue with the centralized syslog server, because that one works fine (as I mentioned above), but the cPanel server is not forwarding anything to the centralized syslog server. For example, Webmin servers didn't have that kind of issue.
 

cPanelMichael

I am not aware of any cPanel limitations that would be preventing it from working as intended. It's typically outside the scope of support to assist with custom modifications, but you are welcome to open a support ticket if you feel this issue is directly related to an issue with cPanel:

Submit A Ticket

You can provide the ticket number here so we can update this thread with the outcome.

Thank you.
 

InteractM

OK guys - I have that resolved. The issue was with forwarding logs to a remote syslog server via TCP using a private IP.

Here is a workaround:

Edit local /etc/rsyslog.conf and add that line:

*.info;mail.none;authpriv.none @<remote-syslog-server-ip>:514

Edit remote /etc/rsyslog.conf and add that line:

$AllowedSender UDP, X.Y.Z.0/24
$AllowedSender TCP, X.Y.Z.0/24

where X.Y.Z is your public IP from where logs are forwarded.
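
Added example, not part of any post in this thread and not cPanel or rsyslog code: a small Python check that reads the active forwarding rules out of an rsyslog.conf in the legacy syntax used above and reports what each rule actually ships (`@@` is TCP, `@` is UDP, `facility.none` excludes that facility). The sample config is constructed and uses the documentation address 192.0.2.10; the function names are hypothetical.

```python
import re

# Legacy rsyslog forwarding action: "<selector> @host[:port]" (UDP) or "@@host[:port]" (TCP).
FWD = re.compile(r"^(?P<sel>\S+)\s+(?P<at>@{1,2})(?P<host>[^@:\s]+)(?::(?P<port>\d+))?\s*$")

# Constructed sample: the thread's TCP rule and UDP workaround, with a documentation IP.
SAMPLE = """\
#*.* @@remote-host:514
$ActionQueueType LinkedList
*.* @@192.0.2.10:514
*.info;mail.none;authpriv.none @192.0.2.10:514
authpriv.* /var/log/secure
"""

def forwarding_rules(conf_text):
    """Return one dict per active (uncommented) forwarding rule."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#$":   # comments and $Directives are not rules
            continue
        m = FWD.match(line)
        if not m:                          # file targets, pipes, etc.
            continue
        parts = m.group("sel").split(";")
        rules.append({
            "selector": m.group("sel"),
            "proto": "tcp" if m.group("at") == "@@" else "udp",
            "host": m.group("host"),
            "port": int(m.group("port") or 514),   # 514 is the default when omitted
            "excluded": [p[:-5] for p in parts if p.endswith(".none")],
        })
    return rules

def review(rules):
    """Flag properties that matter when the remote copy is meant as an audit trail."""
    notes = []
    for r in rules:
        target = f"{r['host']}:{r['port']}"
        if r["proto"] == "udp":
            notes.append(f"{target}: UDP forwarding, delivery is not acknowledged")
        if "authpriv" in r["excluded"]:
            notes.append(f"{target}: authpriv (security/authorization messages) is not forwarded")
    return notes

if __name__ == "__main__":
    for note in review(forwarding_rules(SAMPLE)):
        print(note)
```
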