rsyslog configuration question: forwarding NGINX logs to a remote syslog server

Hey Lana, let's work through getting your Nginx logs forwarded to a remote server properly using rsyslog. I'll break this down into clear steps so you can spot where your current config might be missing something.

Step 1: Make sure Nginx sends logs to syslog first

Before rsyslog can forward anything, Nginx needs to be configured to send its logs to the local syslog socket instead of just writing to local files. Open your Nginx config (either the main nginx.conf or a site-specific config file) and update the access_log and error_log directives like this:

# For access logs: send to local syslog with a unique tag for filtering
access_log syslog:server=unix:/dev/log,facility=local7,tag=nginx_access,severity=info;

# For error logs: same approach with a different tag. The level is the second
# argument of error_log; nginx ignores severity= on error_log.
error_log syslog:server=unix:/dev/log,facility=local7,tag=nginx_error warn;

The tag here is key—it lets rsyslog easily identify which logs belong to Nginx. Save the config and restart Nginx with sudo systemctl restart nginx to apply changes.

Step 2: Configure rsyslog to forward the filtered logs

Now head over to /etc/rsyslog.conf to set up the forwarding rules. First, double-check that the necessary modules are loaded (most systems enable these by default, but it's good to confirm):

$ModLoad imuxsock  # Handles local syslog messages from /dev/log
# omfwd (forwarding to remote syslog servers) is built into rsyslog and needs no $ModLoad

Next, add the rules to match Nginx's tagged logs and send them to your remote server. Replace remote-server-ip with the actual IP or hostname of your target server, and note that:

  • @@ uses TCP for more reliable delivery (recommended)
  • @ uses UDP (faster but less reliable)

# Forward Nginx access logs to remote server
if $programname == 'nginx_access' then @@remote-server-ip:514
# Forward Nginx error logs to remote server
if $programname == 'nginx_error' then @@remote-server-ip:514

# Optional: if you don't want to keep copies of these logs locally, add "& stop"
# on its own line directly after each rule ("& ~" is the older, deprecated form)
# Example:
#   if $programname == 'nginx_access' then @@remote-server-ip:514
#   & stop

Step 3: Set up the remote server to receive logs

Don't forget the remote side! On the server that's supposed to receive the logs, you need to configure rsyslog to listen for incoming connections. Edit its /etc/rsyslog.conf and add:

# For TCP (if you used @@ in the forward rule)
$ModLoad imtcp
$InputTCPServerRun 514

# For UDP (if you used @ in the forward rule)
$ModLoad imudp
$UDPServerRun 514

Restart rsyslog on the remote server too: sudo systemctl restart rsyslog. Also, make sure the firewall on both servers allows traffic on port 514 (TCP or UDP, depending on what you chose).

Common mistakes to check

  • You forgot to update Nginx's config to send logs to syslog (rsyslog can't forward logs that are only sitting in local files like /var/log/nginx/access.log)
  • The tag in Nginx's config doesn't match the $programname filter in rsyslog
  • The remote server's rsyslog isn't listening on the correct port, or the firewall is blocking traffic
  • You used the wrong syntax for forwarding (@@ vs @)

Test it out

After setting everything up, restart rsyslog on your Nginx server: sudo systemctl restart rsyslog. Then generate some traffic (visit your Nginx site, trigger an error if you want to test error logs) and check the remote server's syslog (usually /var/log/syslog or /var/log/messages) to see if the logs come through. If not, check your local rsyslog logs (tail -f /var/log/syslog) for any error messages about forwarding.
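
A check for the mismatches listed under "Common mistakes to check", as an added example that is not part of the original answer: it compares the Nginx tag= values, the sender's $programname filters and @/@@ choice, and the receiver's listener directives. The sample configs are constructed, the function names are hypothetical, and only the legacy directive syntax used on this page is parsed.

```python
import re

# Constructed sample configs (not read from disk); 192.0.2.10 is a documentation address.
NGINX_CONF = """
access_log syslog:server=unix:/dev/log,facility=local7,tag=nginx_access,severity=info;
error_log syslog:server=unix:/dev/log,facility=local7,tag=nginx_error warn;
"""
SENDER_CONF = """
if $programname == 'nginx_access' then @@192.0.2.10:514
if $programname == 'nginx_eror' then @192.0.2.10:514   # typo in tag, UDP instead of TCP
"""
RECEIVER_CONF = "$ModLoad imtcp\n$InputTCPServerRun 514\n"

def strip_comments(text):
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def nginx_tags(conf):
    """Tags on access_log/error_log syslog: targets (nginx's default tag is 'nginx')."""
    tags = set()
    for m in re.finditer(r"\b(?:access|error)_log\s+syslog:([^\s;]+)", strip_comments(conf)):
        params = dict(p.split("=", 1) for p in m.group(1).split(",") if "=" in p)
        tags.add(params.get("tag", "nginx"))
    return tags

def forward_rules(conf):
    """(programname, proto, port) for each legacy-format '@'/'@@' forwarding rule."""
    pat = r"\$programname\s*==\s*'([^']+)'\s*then\s*(@@?)[^\s:;]+(?::(\d+))?"
    return [(name, "tcp" if at == "@@" else "udp", int(port or 514))
            for name, at, port in re.findall(pat, strip_comments(conf))]

def listeners(conf):
    """(proto, port) pairs opened by the receiver's legacy listener directives."""
    pat = r"^\s*\$(InputTCPServerRun|UDPServerRun)\s+(\d+)"
    return {("tcp" if d == "InputTCPServerRun" else "udp", int(p))
            for d, p in re.findall(pat, strip_comments(conf), re.M)}

def check(nginx_conf, sender_conf, receiver_conf):
    tags, rules = nginx_tags(nginx_conf), forward_rules(sender_conf)
    listening, problems = listeners(receiver_conf), []
    for name, proto, port in rules:
        if name not in tags:
            problems.append(f"filter '{name}' matches no nginx tag")
        if (proto, port) not in listening:
            problems.append(f"receiver has no {proto}/{port} listener for '{name}'")
    unforwarded = sorted(tags - {name for name, _, _ in rules})
    return problems + [f"nginx tag '{t}' is never forwarded" for t in unforwarded]

if __name__ == "__main__":
    print("\n".join(check(NGINX_CONF, SENDER_CONF, RECEIVER_CONF)))
```

An empty result means the tags, filters and listener protocol line up; it does not test the firewall or the network path.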

Note: content sourced from Stack Exchange; question asked by Lana Adel
