[CentOS] remote logging with rsyslog

Tue Feb 19 15:16:43 UTC 2013
Nelson Green <nelsongreen84 at hotmail.com>

This is a similar post to one I've made on the rsyslog list that has received
no responses after four days, so I figured I'd try here since the problem
seems to be CentOS specific. This is also my second attempt to send it to
this list as the first seems to have never shown up.

I am trying to test remote logging between two CentOS 6.3 systems and am unable
to get the client logs to show up on the server, using the RELP module.

First of all, the client is a stock install of CentOS 6.3 running rsyslog
v5.8.10. I inherited the server, but the change logging that we keep indicates
it is pretty much stock too, and it is v5.8.10 as well.
 
On the server, I added to /etc/rsyslog.conf:
    $ModLoad imrelp
    $InputRELPServerRun 20514
 
And restarted the daemon:
    sudo service rsyslog restart
    Shutting down system logger:                               [  OK  ]
    Starting system logger:                                    [  OK  ]
 
On the client, I added to /etc/rsyslog.conf:
    $ModLoad                   omrelp
    $WorkDirectory             /var/spool/rsyslog
    $ActionQueueType           LinkedList
    $ActionQueueFileName       syslogfwd
    $ActionQueueMaxDiskSpace   10g
    $ActionResumeRetryCount    -1
    $ActionQueueSaveOnShutdown on
    *.*                        :omrelp:xxx.xxx.xxx.xxx:20514
 
And restarted the daemon:
    sudo service rsyslog restart
    Shutting down system logger:                               [  OK  ]
    Starting system logger:                                    [  OK  ]
 
Nothing ever showed up on the server, so I started going through the
troubleshooting steps, which include running the client in foreground mode
and logging debug output:
    sudo service rsyslog stop
    sudo /sbin/rsyslogd -dn > /tmp/rsyslog.debug
 
However, as soon as the service started in the foreground, log entries began
showing up on the server. But when I stop the foreground service and restart it
as a background service, the log entries quit showing up at the server.

I can change things around so that TCP is used instead of RELP, and everything
works that way. The problem is specific to using RELP in the normal background
mode. I also tested the above RELP configuration on two Debian Wheezy boxes,
each running rsyslog v5.8.11, and everything worked as expected. So the problem
seems to be specific to CentOS with RELP.

Has anyone gotten this to work on CentOS?
 
Thanks,
Nelson