Information
The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead.
Rationale:
Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system
Note: Ensure that the selection of logfiles being sent follows local site policy
Solution
Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add one of the following lines:
Newer syntax:
<files to sent to the remote log server> action(type='omfwd' target='<FQDN or ip of loghost>' port='<port number>' protocol='tcp'
action.resumeRetryCount='<number of re-tries>'
queue.type='LinkedList' queue.size=<number of messages to queue>')
Example:
*.* action(type='omfwd' target='192.168.2.100' port='514' protocol='tcp'
action.resumeRetryCount='100'
queue.type='LinkedList' queue.size='1000')
Older syntax:
*.* @@<FQDN or ip of loghost>
Example:
*.* @@192.168.2.100
Run the following command to reload the rsyslog configuration:
# systemctl restart rsyslog