How to install Rsyslog Server on Ubuntu 18.04 LTS

Logs are very useful for analyzing and troubleshooting problems related to systems and applications in Linux. By default, all log files are located in the /var/log directory on Linux-based operating systems. There are several types of log files, including cron, kernel, users and security, and most of these files are controlled by the Rsyslog service.

Rsyslog is a powerful and secure log processing system. The Rsyslog server receives logs over the network from multiple physical or virtualized servers and monitors the health of various services. The Rsyslog server allows you to monitor logs for other servers, network devices and remote applications from the centralized location.

In this tutorial we will explain how to configure the Rsyslog server on Ubuntu 18.04 server.


  • Two servers running Ubuntu 18.04.
  • A static IP address is configured on Rsyslog server machine and is configured on Rsyslog client machine.
  • A root password is configured on both servers.

Installing Rsyslog

By default, Rsyslog is installed on Ubuntu 18.04 server. If it is not installed, you can install it by running the following command:

  apt-get install rsyslog -y 

After installing Rsyslog, you can check the version of Rsyslog with the following command:

  rsyslogd -v

You should get the following output:

  rsyslogd 8.32.0, compiled with:
      PLATFORM: x86_64-pc-linux-gnu
      PLATFORM (lsb_release -d):
      GSSAPI Kerberos 5 support: Yes
      FEATURE_DEBUG (debug build, slow code): No
      32bit Atomic operations supported: Yes
      64bit Atomic operations supported: Yes
      memory allocator: system default
      Runtime Instrumentation (slow code): No
      uuid support: Yes
      systemd support: Yes
      Number of Bits in RainerScript integers: 64

  See http://www.rsyslog.com for more information.

You can also check the status of Rsyslog with the following command:

  systemctl status rsyslog 

You should see the following output:

  ● rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2019-10-22 04:28:55 UTC; 1min 31s ago
       Docs: man:rsyslogd(8)
             http://www.rsyslog.com/doc/
   Main PID: 724 (rsyslogd)
      Tasks: 4 (limit: 1114)
     CGroup: /system.slice/rsyslog.service
             └─724 /usr/sbin/rsyslogd -n

  Oct 22 04:28:53 ubuntu1804 systemd[1]: Starting System Logging Service...
  Oct 22 04:28:54 ubuntu1804 rsyslogd[724]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.32.0]
  Oct 22 04:28:54 ubuntu1804 rsyslogd[724]: rsyslogd's groupid changed to 106
  Oct 22 04:28:54 ubuntu1804 rsyslogd[724]: rsyslogd's userid changed to 102
  Oct 22 04:28:54 ubuntu1804 rsyslogd[724]: [origin software="rsyslogd" swVersion="8.32.0" x-pid="724" x-info="http://www.rsyslog.com"] start
  Oct 22 04:28:55 ubuntu1804 systemd[1]: Started System Logging Service.

Configure Rsyslog Server

Rsyslog is now installed and running. Next, you need to configure it to run in server mode. You can do this by editing the file /etc/rsyslog.conf:

  nano /etc/rsyslog.conf

First, you must define the protocol: either UDP or TCP, or both.

To use both UDP and TCP connections simultaneously, find and uncomment the lines below:

  $ModLoad imudp
  $UDPServerRun 514
  $ModLoad imtcp
  $InputTCPServerRun 514

Then define the specific subnet, IP, or domain to restrict access as shown below:

  $AllowedSender TCP, *.example.com
  $AllowedSender UDP, *.example.com

Next, you must create a template to tell the Rsyslog server how to store incoming syslog messages. Add the following lines just before the GLOBAL DIRECTIVES section:

  $template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
  *.* ?remote-incoming-logs
  & ~

Save and close the file when done. Then check the Rsyslog configuration for syntax errors with the following command:

  rsyslogd -f /etc/rsyslog.conf -N1 

You should see the following output:

  rsyslogd: version 8.32.0, config validation run (level 1), master config /etc/rsyslog.conf
  rsyslogd: End of config validation run. Bye.
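
The syntax check confirms that the file parses, but not that every enabled listener is restricted by an $AllowedSender line. The shell function below is an added example, not part of the original tutorial: it reads a config written in the legacy directive syntax used above and reports each active listener as restricted or OPEN. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag rsyslog listeners (legacy syntax) with no $AllowedSender.

# Constructed sample config: TCP is restricted, the UDP restriction is commented out.
sample_conf() {
    cat <<'EOF'
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
#$AllowedSender UDP, *.example.com
$AllowedSender TCP, *.example.com
EOF
}

# Print "<PROTO> <port> restricted|OPEN" for each active listener in file $1.
# Returns 1 if any listener is OPEN, 0 otherwise.
audit_rsyslog_listeners() {
    report=$(awk '
        /^[[:space:]]*#/ { next }                 # ignore commented-out lines
        $1 == "$UDPServerRun"      { port["UDP"] = $2 }
        $1 == "$InputTCPServerRun" { port["TCP"] = $2 }
        $1 == "$AllowedSender" {                  # e.g. "$AllowedSender TCP, host"
            proto = toupper($2)
            sub(/,.*$/, "", proto)                # strip the comma after the protocol
            allowed[proto] = 1
        }
        END {
            for (p in port)
                print p, port[p], ((p in allowed) ? "restricted" : "OPEN")
        }
    ' "$1" | sort)
    printf '%s\n' "$report"
    case "$report" in
        *OPEN*) return 1 ;;
        *)      return 0 ;;
    esac
}

# Usage: audit_rsyslog_listeners /etc/rsyslog.conf
```

It only understands the legacy `$UDPServerRun`, `$InputTCPServerRun` and `$AllowedSender` directives shown in this tutorial, not the newer `input(...)` syntax.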

Finally restart the Rsyslog service with the following command:

  systemctl restart rsyslog 

Now check that Rsyslog is listening on TCP/UDP port 514 with the following command:

  netstat -4altunp | grep 514 

You should get the following output:

  tcp 0 0* LISTEN 1332/rsyslogd
  udp 0 0* 1332/rsyslogd

Configuring the Rsyslog Client

The Rsyslog server is installed and configured to receive logs from remote hosts.

Now you need to configure the Rsyslog client to send syslog messages to the external Rsyslog server.

Log on to the client machine and open the Rsyslog configuration file as shown below:

  nano /etc/rsyslog.conf

Add the following lines at the end of the file:

  ## Set the disk queue used when the rsyslog server is down.
  ## In legacy syntax these directives apply only to the next action,
  ## so they must come before the forwarding line:

  $ActionQueueFileName queue
  $ActionQueueMaxDiskSpace 1g
  $ActionQueueSaveOnShutdown on
  $ActionQueueType LinkedList
  $ActionResumeRetryCount -1

  ## To send logs over UDP, add the following line
  ## (<rsyslog-server-ip> is a placeholder for your Rsyslog server's address):

  *.* @<rsyslog-server-ip>:514

  ## To send logs over TCP, add the following line:

  *.* @@<rsyslog-server-ip>:514

Save and close the file. Then restart the Rsyslog service to apply the configuration changes:

  systemctl restart rsyslog

View Client Log

At this point, the Rsyslog client is configured to send its log to the Rsyslog server.

Now, log into the Rsyslog server and check the /var/log directory. You should see a directory named after your client machine's hostname, containing multiple log files:

  ls /var/log/rsyslog-client/

Output:

  CRON.log kernel.log rsyslogd-2039.log rsyslogd.log sudo.log wpa_supplicant.log


In the above article we learned how to install and configure the Rsyslog server on the Ubuntu 18.04 server. We also learned how to configure the Rsyslog client to send logs to the Rsyslog server. Feel free to ask me if you have any questions.
