Sending copy of logs to the remote syslog server

[InteractM]

Is there any way to send copy of logs from cPanel to the remote syslog server?

Thanks

 

[cPanelMichael]

Hello

You could setup a cron job that manually transfers specific log files to the remote server via SFTP or SCP.

Thank you.

 

[InteractM]

So there is no way to send it over port 514?

 

[cPanelMichael]

There is no native support with cPanel to configure syslogd to store log files on a remote server. However, you could install rsyslogd and make custom changes to allow for it. Here is a basic guide that may be helpful:

1. Uncomment the remote host line and add the remote server's IP address in /etc/rsyslog.conf:

Change

 #*.* @@remote-host:514

to

*.* @@<remote_host_IP_address>:514

2. Make sure the remote syslog host is configured to allow in port 514 from your cPanel server.

3. Restart rsyslogd on your cPanel server with "/scripts/restartsrv_rsyslogd".

Once you have verified that remote syslog is working, you may wish to adjust some of the forwarding parameters that appear in this section of /etc/rsyslogd.conf:

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

Thank you.

 

[InteractM]

Well, I have uncommented the remote host line and changed to (on cPanel server)

*.* @@A.B.C.D:514

Then went to A.B.C.D and added cPanel server IP to the AllowedSender lines (for TCP and UDP). Restarted rsyslog on both servers. So far I'm not getting anything from cPanel server (I'm getting logs from other servers or devices).

Any thoughts?

Thanks

 

[cPanelMichael]

The following third-party URL may also contain useful information:

Rsyslog Remote Logging

You can also try the Rsyslog forums at:

Rsyslog Forums

Thank you.

 

[InteractM]

It is not an issue with centralized syslog server, because that one works fine (as I mentioned above) but cPanel server is not forwarding anything to the centralized syslog server. For an example Webmin servers didn't have that kind issue.

 

[cPanelMichael]

I am not aware of any cPanel limitations that would be preventing it from working as intended. It's typically outside the scope of support to assist with custom modifications, but you are welcome to open a support ticket if you feel this issue is directly related to an issue with cPanel:

Submit A Ticket

You can provide the ticket number here so we can update this thread with the outcome.

Thank you.

 

[InteractM]

OK guys - I have that resolved. Issue was with forwarding logs to a remote syslog server via TCP using private IP

Here is a workaround:

Edit local /etc/rsyslog.conf and add that line:

*.info;mail.none;authpriv.none @<remote-syslog-server-ip>:514

Edit remote /etc/rsyslog.conf and add that line:

$AllowedSender UDP, X.Y.Z.0/24
$AllowedSender TCP, X.Y.Z.0/24

where X.Y.Z is your public IP from where logs are forwarded.