Logs are very useful for analyzing and troubleshooting problems related to systems and applications in Linux. By default, all log files are in the / var / log directory in Linux-based operating systems. There are several types of log files including cron, kernel, users, security and most of these files are controlled by the Rsyslog service.
Rsyslog is a powerful and secure log processing system. The Rsyslog server receives logs over the network from multiple physical or virtualized servers and monitors the health of various services. The Rsyslog server allows you to monitor logs for other servers, network devices and remote applications from the centralized location.
In this tutorial we will explain how to configure the Rsyslog server on Ubuntu 1
- Two servers running Ubuntu 18.04.
- A static IP address 192.168.0.101 is configured on Rsyslog server machine and 192.168.0.102 is configured on Rsyslog client machine.
- A root password is configured on both server.
By default, Rsyslog is installed on Ubuntu 18.04 server. If it is not installed, you can install it by running the following command:
apt-get install rsyslog -y
After installing Rsyslog, you can check the version of Rsyslog with the following command:
rsyslogd -v  You should get the following output:rsyslogd 8.32.0, compiled with: PLATFORM: x86_64-pc-linux-gnu PLATFORM (lsb_release -d): FEATURE_REGEXP: Yes GSSAPI Kerberos 5 support: Yes FEATURE_DEBUG (debug, slow code): No. 32bit Atomic operations supported: Yes 64bit Atomic operations supported: Yes memory allocator: system setting Runtime Instrumentation (slow code): No. uuid support: Yes systemd support: Yes Number of bits in RainerScript integers: 64 See http://www.rsyslog.com for more information.
You can also check the status of Rsyslog with the following command:
systemctl status rsyslog
You should see the following output:? rsyslog.service - System logging service Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor setting: enabled) Active: active (running) since Tue 2019-10-22 04:28:55 UTC; 1min 31s ago Document: man: rsyslogd (8)
Configure Rsyslog Server
Rsyslog is now installed and running. Then you need to configure it to run in a server mode. You can do this by editing the file /etc/rsyslog.conf.ebrit19659010vudnano /etc/rsyslog.conf.0219659011??First you must define the protocol either UDP or TCP or both.
To use both UDP and TCP connections simultaneously search and delimit the lines below:$ ModLoad imudp $ UDPServerRun 514 $ ModLoad imtcp $ InputTCPServerRun 514
Then define the specific subnet, IP, or domain to restrict access as shown below:$ AllowedSender TCP, 127.0.0.1, 192.168.0.0/24, * .example.com $ Allowed Sending UDP, 127.0.0.1, 192.168.0.0/24, * .example.com
Next, you must create a template to tell the Rsyslog server how to store incoming syslog messages. Add the following lines just before the GLOBAL DIRECTIVES section:$ template remote incoming logs, "/ var / log /% HOSTNAME% /% PROGRAMNAME% .log" *. *? remote incoming logs & ~
Save and close the file when done. Then check the Rsyslog configuration for syntax errors with the following command:
rsyslogd -f /etc/rsyslog.conf -N1
You should see the following output:rsyslogd: version 8.32.0, config validation run (level 1) , master config /etc/rsyslog.conf rsyslogd: End of configuration validation run. Goodbye.
Finally restart the Rsyslog service with the following command:
systemctl restart rsyslog
Now check that Rsyslog listens to TCP / UDP with the following command:
netstat -4altunp | grep 514
You should get the following output:tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 1332 / rsyslogd utp 0 0 0.0.0.0:514 0.0.0.0:* 1332 / rsyslogd
Configuring the Rsyslog Client
The Rsyslog server is installed and configured to receive logs from remote hosts.
Now you need to configure the Rsyslog client to send syslog messages to the external Rsyslog server.
Log on to the client machine and open the Rsyslog configuration file as shown below:
nano /etc/rsyslog.confebrit19659011achteAdd the following lines at the end of the file:## Enable sending of logs over UDP add the following line: *. * @ 192.168.0.101: 514 ## Enable TCP logging transfer Add the following line: *. * @@ 192.168.0.101: 514 ## Set the disk queue when the rsyslog server will be down: $ ActionQueueFileName queue $ ActionQueueMaxDiskSpace 1g $ ActionQueueSaveOnShutdown on $ ActionQueueType LinkedList $ ActionResumeRetryCount -1
Save and close the file. Then restart the Rsyslog server to apply the configuration changes:
systemtcl reboot rsyslog
View Client Log
At this point, the Rsyslog client is configured to send its log to the Rsyslog server.
Now, log into the Rsyslog server and check the / var / log directory. You should see the record with the hostname of your client machines including multiple log files:
ls /var/log/rsyslog-client/??19659011achteOutput:01019659014??CRON.log kernel.log rsyslogd-2039.log rsyslogd .log sudo.log wpa_supplicant.log
In the above article we learned how to install and configure the Rsyslog server on the Ubuntu 18.04 server. We also learned how to configure the Rsyslog client to send logs to the Rsyslog server. Feel free to ask me if you have any questions.