We are using rsyslog to collect the logs from RHEL 6, 7, and 8 servers.
RHEL 7 and 8 are working fine, and I am getting all of their logs on UDP/1514.
RHEL 6 does not seem to work. We tried everything (downgrading the rpm, changing rsyslog.conf) but with no luck. Firewall flows and everything else seem to be fine. Below is the rsyslog conf:
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# Input modules: the local log socket is switched off, local messages come
# from the systemd journal (imjournal), and kernel messages come from imklog.
# NOTE(review): module(...) is RainerScript object syntax and imjournal reads the
# systemd journal. RHEL 6 presumably runs an older rsyslog generation and has no
# systemd journal, so this same file may fail to load there -- confirm the
# installed version with `rsyslogd -v` and validate the file with `rsyslogd -N1`.
# NOTE(review): with SysSock.Use="off" and no working imjournal, a host would
# have no local message source at all and nothing would reach the rules below.
module(load="imuxsock" # provides support for local system logging (e.g. via logger command)
SysSock.Use="off") # Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
module(load="imjournal" # provides access to the systemd journal
StateFile="imjournal.state") # File to store the position in the journal
module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")
# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
# imtcp is loaded, but the input() line below is commented out, so the lines
# shown here open no TCP listener; this host only sends, it does not receive.
module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")
# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
# Include all config files in /etc/rsyslog.d/
# The drop-ins are pulled in here, before every filter and forwarding rule
# further down, so any discard or forwarding statement inside them takes
# effect first. mode="optional" means a missing or empty directory is not an error.
# NOTE(review): review the drop-in directory on the failing host as part of the
# same check; global()/include() objects also need a recent rsyslog -- confirm
# on RHEL 6 with `rsyslogd -N1`.
include(file="/etc/rsyslog.d/*.conf" mode="optional")
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# *.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
# authpriv.* /var/log/secure
# Log all the mail messages in one place.
# mail.* -/var/log/maillog
# Log cron stuff
# cron.* /var/log/cron
# Everybody gets emergency messages
# *.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
# uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
# local7.* /var/log/boot.log
# ### sample forwarding rule ###
#action(type="omfwd"
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#queue.filename="fwdRule1" # unique name prefix for spool files
#queue.maxdiskspace="1g" # 1gb space limit (use as much as possible)
#queue.saveonshutdown="on" # save messages to disk on shutdown
#queue.type="LinkedList" # run asynchronously
#action.resumeRetryCount="-1" # infinite retries if host is down
# Remote Logging (we use TCP for reliable delivery)
# remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
#Target="remote_host" Port="XXX" Protocol="tcp")
##################
#### TEMPLATES ###
##################
# Legacy-style $template directives. Each one names a constant file path and is
# referenced further down as a dynamic-file action ("?NAME").
# NOTE(review): files are created by rsyslog when first written; the stock
# comment earlier in this file says the authpriv file has restricted access, so
# confirm the mode/ownership actually applied to secure.log and sudo.log.
$template DYNmessages,"/var/log/messages"
$template DYNsudo,"/var/log/sudo.log"
$template DYNsecure,"/var/log/secure.log"
$template DYNerror,"/var/log/error.log"
$template DYNmaillog,"/var/log/maillog"
$template DYNcron,"/var/log/cron"
$template DYNspooler,"/var/log/spooler"
$template DYNboot,"/var/log/boot.log"
#$template DYNoracle,"/var/log/oracle.log"
# NOTE(review): /var/log/audit/audit.log is normally the file auditd itself
# writes; having rsyslog append audispd messages to the same path may mix two
# formats in one file -- confirm this is intended.
$template DYNaudit,"/var/log/audit/audit.log"
#$template DYNpacemaker,"/var/log/pacemaker.log"
#$template DYNmysql,"/var/log/mysql.log"
$template DYNsophos,"/var/log/sophos.log"
$template DYNvas,"/var/log/vas.log"
$template DYNdnf,"/var/log/dnf.log"
$template DYNchrony,"/var/log/chrony/chrony.log"
#$RuleSet dfwcentral
# Per-program routing: a message whose $programname matches is written to the
# dedicated file named by the corresponding template.
if $programname == 'sudo' then ?DYNsudo
if $programname == 'audispd' then ?DYNaudit
if $programname == 'savd' then ?DYNsophos
if $programname == 'vasd' then ?DYNvas
if $programname == 'dnf' then ?DYNdnf
if $programname == 'chronyd' then ?DYNchrony
# if $syslogfacility-text == 'local6' and $programname == 'httpd' and not ($msg contains 'stats') and not ($msg contains 'NewRelic') then ?DYNgwaf
# NOTE(review): "&" chains onto the previous active statement. With the httpd
# rule above commented out, that is the chronyd filter, so as written only
# chronyd messages are discarded here and therefore never reach the remote
# forwarding rule. The other programs fall through. Confirm this is intended.
& stop
#Exclude syslog message from Oracle, audispd, httpd
# Property filters: any message whose syslogtag contains the given substring is
# discarded at this point and is not processed by any later rule.
# NOTE(review): these filters run before the remote forwarding rule
# (@x.x.x.x:1514), so audispd, savd, vasd, httpd and dnf messages are kept only
# in local files and never reach the central collector. Judging by the template
# names these include audit and antivirus streams -- confirm that excluding them
# from central logging is a deliberate decision, since local-only copies are
# lost if the host is wiped or tampered with.
# NOTE(review): "contains" is a substring match, so short values such as "cib"
# or "Had" also drop any other tag that happens to include those characters.
# NOTE(review): the "stop" keyword needs a reasonably recent rsyslog; older
# releases use the legacy "~" discard action instead -- check what the RHEL 6
# build accepts with `rsyslogd -N1`.
:syslogtag, contains, "audispd" stop
#:syslogtag, contains, "sudo" stop
:syslogtag, contains,"lrmd" stop
:syslogtag, contains,"crmd" stop
:syslogtag, contains,"cib" stop
:syslogtag, contains,"pengine" stop
:syslogtag, contains,"mysql" stop
:syslogtag, contains, "Had" stop
:syslogtag, contains, "CmdServer" stop
:syslogtag, contains, "savd" stop
:syslogtag, contains, "vasd" stop
:syslogtag, contains, "vxvm" stop
:syslogtag, contains, "httpd" stop
:syslogtag, contains, "dnf" stop
#:syslogtag, contains, "chronyd" stop
# Selector rules for everything that was not discarded above.
# NOTE(review): a priority in a selector means "this level and higher", so
# *.debug already covers the *.emerg ... *.info terms that follow it. The leading
# "kern.*,*.debug" mixes a comma-separated facility list with a priority; verify
# with a config check that it parses the way you expect.
# Local copy: everything except mail, authpriv and cron goes to /var/log/messages.
kern.*,*.debug;*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;mail.none;authpriv.none;cron.none ?DYNmessages
# Remote copy: a single "@" forwards over UDP (matching the UDP/1514 collector
# mentioned in the post); x.x.x.x is the poster's redacted collector address.
# NOTE(review): this selector includes authpriv.*, so authentication messages
# leave the host unencrypted and unauthenticated, and UDP delivery is silently
# lossy. If the collector supports it, prefer TCP ("@@") with TLS plus a disk
# queue, as the sample forwarding rule earlier in this file describes.
kern.*,*.debug;*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;authpriv.*;mail.none;cron.none @x.x.x.x:1514
# Remaining local files; the "-" before ?DYNmaillog turns off syncing after each write.
*.err ?DYNerror
authpriv.* ?DYNsecure
mail.* -?DYNmaillog
cron.* ?DYNcron
uucp,news.crit ?DYNspooler
local7.*