Rsyslog is an open-source logging daemon that can forward log messages over an IP network to a centralized log server. It is the default syslog implementation on Debian 10/11 and a more capable successor to the traditional syslogd. Centralizing logs lets a system administrator monitor every server from a single location and keeps a copy of each host's logs off the host itself, where an intruder who gains root cannot simply delete or alter them.
Rsyslog works in a client/server model: the server receives messages from remote clients on port 514 (or any port you configure) over UDP or TCP, and it can also write logs to databases such as MySQL and PostgreSQL. Plain syslog on port 514 is neither encrypted nor authenticated (rsyslog does support TLS transport, which this guide does not cover), so at a minimum restrict which hosts may reach the port, as in Step 3.
In this guide, we will install and configure Rsyslog as a central log server on Debian 10/11 and point a client at it.
Step 1: Install Rsyslog server
To start off, install the rsyslog package from the Debian repositories on your server machine. It is usually already present on a default install; the command is harmless in that case. Run:
$ sudo apt-get install rsyslog -y
Once the installation is complete, check that Rsyslog is running correctly as shown:
$ sudo systemctl status rsyslog
The status output should show the service as active (running). Rsyslog is now up and running on your server machine.
Step 2: Configure Rsyslog server
Now that it is running, configure Rsyslog to act as a server on your Debian system. Open the main configuration file, /etc/rsyslog.conf:
$ sudo vim /etc/rsyslog.conf
Locate the lines below (they are commented out with # in the stock file) and uncomment the module() and input() lines for UDP and/or TCP reception from remote clients. Enable only the transport your clients will actually use; TCP is preferable because it does not silently drop messages under load.
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
Next, we need to specify the template that the Rsyslog daemon will use to store incoming logs from client systems. Append the following two lines at the end of your configuration file. Both %HOSTNAME% and %PROGRAMNAME% are taken from the incoming message, so the client decides the directory and file name under /var/log; this is one more reason to accept messages only from trusted hosts. Note also that a *.* rule at the end of the file matches the server's own messages, so they will be written under /var/log/<server-hostname>/ in addition to their usual files; to limit the rule to remote sources, guard it with a filter on the sender address (rsyslog's $fromhost-ip property) or bind the network inputs to their own ruleset.
$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
Restart rsyslog for the changes to take effect.
$ sudo systemctl restart rsyslog
Rsyslog now listens on port 514; to use a different port, change the port="514" values in the input() lines above. To verify that the rsyslog daemon is listening on port 514, execute the following ss command and check for LISTEN (TCP) and UNCONN (UDP) entries:
$ sudo ss -tunlp | grep 514
Step 3: Configure Firewall for rsyslog
The rsyslog daemon is now configured on the server. If you are behind the UFW firewall, allow port 514 so that the server can receive log messages from clients. Open only the transport you enabled in Step 2, and prefer limiting the rule to your client addresses (ufw's from clause) rather than opening 514 to the world, since anything that can reach the port can write arbitrary entries into the log tree. Execute the commands:
$ sudo ufw allow 514/tcp
$ sudo ufw allow 514/udp
Reload the firewall for the new rules to be applied. Run:
$ sudo ufw reload
Step 4: Configure Rsyslog client
Next, configure the Rsyslog client to send log messages to the Rsyslog server. Ensure rsyslog is installed and running on your client machine, as in Step 1.
First, open the configuration file
$ sudo nano /etc/rsyslog.conf
Copy and paste the lines below at the end of the file:
#Enable sending system logs over UDP to rsyslog server
*.* @rsyslog-server-ip:514

#Enable sending system logs over TCP to rsyslog server
*.* @@rsyslog-server-ip:514
The single @ forwards over UDP and the double @@ forwards over TCP. Replace rsyslog-server-ip with your server's IP address. The example shows both forms; configure only one of them, otherwise every message is delivered twice and the server writes duplicate lines. TCP is the better choice when you care about not losing messages.
If the remote server goes down and you need to keep your logs, configure a disk-assisted queue for the forwarding action by adding the lines below to the client configuration file. These legacy $Action* directives apply to the next action defined after them, so place them immediately above the *.* @@rsyslog-server-ip:514 line rather than after it, or they will have no effect on it. The queue file is created in rsyslog's work directory, which Debian's stock rsyslog.conf sets with $WorkDirectory /var/spool/rsyslog; check that this line is present and that the directory is writable by rsyslog.
##Set disk queue when rsyslog server will be down:
$ActionQueueFileName queue          # base name of the on-disk queue files
$ActionQueueMaxDiskSpace 1g         # cap on disk space used while the server is unreachable
$ActionQueueSaveOnShutdown on       # flush in-memory messages to disk when rsyslog stops
$ActionQueueType LinkedList         # in-memory queue that spills to disk only when needed
$ActionResumeRetryCount -1          # retry forever instead of discarding messages
Save and close the file, then restart the rsyslog service for the changes to take effect.
$ sudo systemctl restart rsyslog
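To check the collector end to end without a second machine, and to see what the @ (UDP) and @@ (TCP) actions in Step 4 actually put on the wire, the following Python script is an added example written for this page; it is not part of rsyslog or the original guide. It builds a BSD-style (RFC 3164) syslog line, sends it over either transport, and includes a loopback self-test on 127.0.0.1 so it runs offline. The collector address 192.0.2.10, port 514, and the sample message are assumptions.

```python
"""Added example (not part of rsyslog or the guide): send a test syslog message
to a collector over UDP ('@' action) or TCP ('@@' action), plus a loopback
self-test that shows the framing difference between the two transports.
COLLECTOR and PORT are assumptions; change them for your environment."""
import socket
from datetime import datetime
from typing import Optional, Tuple

COLLECTOR = "192.0.2.10"   # assumed rsyslog server address (TEST-NET, replace it)
PORT = 514

# Facility and severity codes from RFC 3164 section 4.1.1 / RFC 5424 section 6.2.1.
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
            "authpriv": 10, "local0": 16, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def priority(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; this is the '<NN>' prefix on the wire."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def build_message(facility: str, severity: str, hostname: str, tag: str,
                  text: str, when: Optional[datetime] = None) -> bytes:
    """Build a BSD-style (RFC 3164) syslog line:
        <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: text
    rsyslog fills %HOSTNAME% from HOSTNAME and %PROGRAMNAME% from TAG, which is
    why the server template in this guide files the line under
    /var/log/HOSTNAME/TAG.log. Both fields are chosen by the sender, so a
    collector should only accept messages from hosts it trusts."""
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # day is space-padded, e.g. "Oct  5"
    return f"<{priority(facility, severity)}>{stamp} {hostname} {tag}: {text}".encode()


def frame_tcp(message: bytes) -> bytes:
    """imtcp uses non-transparent framing by default: one message per line,
    LF-terminated. A bare LF inside the text would be read as a message
    boundary, so it is replaced before the terminator is appended."""
    return message.replace(b"\n", b" ") + b"\n"


def send_udp(message: bytes, host: str = COLLECTOR, port: int = PORT) -> None:
    """One datagram per message; no framing needed, and no delivery guarantee."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message, (host, port))


def send_tcp(message: bytes, host: str = COLLECTOR, port: int = PORT) -> None:
    """Stream transport: the receiver relies on the trailing LF to split messages."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(frame_tcp(message))


def loopback_roundtrip(message: bytes) -> Tuple[bytes, bytes]:
    """Self-test without a collector: bind throwaway UDP and TCP listeners on
    127.0.0.1 (ephemeral ports), push the same message through both send paths,
    and return the raw bytes each listener received."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.bind(("127.0.0.1", 0))
        udp.settimeout(5)
        send_udp(message, "127.0.0.1", udp.getsockname()[1])
        got_udp, _ = udp.recvfrom(65535)

    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        srv.settimeout(5)
        # The sender connects, writes and closes before accept(); the kernel
        # completes the handshake and buffers the data for us.
        send_tcp(message, "127.0.0.1", srv.getsockname()[1])
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(5)
            chunks = []
            while True:
                chunk = conn.recv(4096)
                if not chunk:          # sender closed: end of stream
                    break
                chunks.append(chunk)
            got_tcp = b"".join(chunks)
    return got_udp, got_tcp


if __name__ == "__main__":
    # Constructed sample message; hostname/tag match the file names used in Step 5.
    msg = build_message("auth", "notice", "debian", "sudo", "rsyslog test from python client")
    udp_seen, tcp_seen = loopback_roundtrip(msg)
    print("udp listener got:", udp_seen)
    print("tcp listener got:", tcp_seen)
    # Against a real collector use one of these; the line should then appear in
    # /var/log/debian/sudo.log on the server (see Step 5).
    # send_tcp(msg)
    # send_udp(msg)
```

Run it against the real server with send_tcp(msg, "<server-ip>") and then look for /var/log/<hostname>/<tag>.log on the server as described in Step 5. Because the hostname and tag are whatever the sender puts in the message, the same script also demonstrates why an untrusted host must not be allowed to reach port 514: it can create files and write entries under any name in the log tree.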
Step 5: View Clients log files
Rsyslog log files are kept in the /var/log/ folder on your server. To view the client’s logs, use the following ls command:
$ ls /var/log/
By default, the client’s log files are stored in a folder named after the hostname of the client system. In my case, the client system has the hostname debian.
Next, run the following command to view the logs contained in the client’s directory.
$ sudo ls -l /var/log/debian/
You can also follow a log in real time on your terminal with tail -f. For example, to watch the client's sudo activity (messages logged by the sudo program, which the template above files in sudo.log), run:
$ sudo tail -f /var/log/debian/sudo.log
The rsyslog server is now configured on Debian 10/11. Repeat Step 4 on each additional client to send its messages to the centralized server, and remember to add each client's address to the firewall rule from Step 3 if you restricted it by source.