
How to Setup Rsyslog Server on Ubuntu

Log files keep a record of system activity such as authorization and access attempts, startup and shutdown of the system and of its services, and so on. Different types of activity are written to different log files. Log files help with troubleshooting and with monitoring what the system is doing. Rsyslog is an open-source program for Linux that can be configured both as a logging server and as a client.

In today’s guide, we will set up an Rsyslog server on Ubuntu. We will be using two Ubuntu machines. On one machine, we will configure Rsyslog as a logging server, and on the other machine, we will configure Rsyslog as a client that sends its logs to the Rsyslog server.

Configuring Rsyslog Server on Ubuntu

We will configure Rsyslog on the Ubuntu machine that we want to use as the logging server. Rsyslog comes pre-installed on Ubuntu Server. However, if it is missing for any reason, you can install it by running this command:

$ sudo apt install rsyslog

During installation, you will be prompted with a y/n option to proceed with the installation of Rsyslog. Press y and then Enter to proceed.

To verify the installation of Rsyslog and to view the status of its service, run the command below:

$ sudo systemctl status rsyslog

If the service is up and running, you will see the output as shown in the following screenshot.

Now that Rsyslog is installed and running, we will configure it as the logging server.

Edit the Rsyslog configuration file /etc/rsyslog.conf:

$ sudo nano /etc/rsyslog.conf

Add the following lines to the Rsyslog configuration file:

# Receive syslog over UDP
module(load="imudp")
input(type="imudp" port="514")

# Receive syslog over TCP
module(load="imtcp")
input(type="imtcp" port="514")

Below is a screenshot of how the Rsyslog logging server configuration should look:

Next, we will create a template that Rsyslog will use to decide where to store incoming syslog messages. To do so, add the following lines to the Rsyslog configuration file before the GLOBAL DIRECTIVES section:

$template remote-incoming-logs, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs

Then save and close the configuration file.

Now run the command below to restart the service of Rsyslog:

$ sudo systemctl restart rsyslog

You can also verify that Rsyslog is listening on TCP/UDP port 514 with the command below:

$ sudo ss -tunlp | grep 514

You should receive the below output:

Configuring Firewall

If the firewall is enabled on your system, you will need to open TCP and UDP port 514, which the Rsyslog server uses to receive logs from remote clients. Run these commands to open TCP/UDP port 514 in the Ubuntu firewall (ufw):

$ sudo ufw allow 514/tcp
$ sudo ufw allow 514/udp

Then reload the firewall:

$ sudo ufw reload

Configuring Rsyslog Client on Ubuntu

Now, on the other Ubuntu system, we will configure the Rsyslog client. This client will send its logs to the Rsyslog logging server.

On the Ubuntu machine that you want to configure as the Rsyslog client, first install Rsyslog (if it is not already installed):

$ sudo apt install rsyslog

Then edit the Rsyslog configuration file using this command:

$ sudo nano /etc/rsyslog.conf

Add the following lines at the end of the Rsyslog configuration file. Make sure to replace 192.168.72.204 with the IP address of your Rsyslog logging server.

# Send system logs to the rsyslog server over UDP
*.* @192.168.72.204:514

# Disk-assisted queue to preserve your logs in case the rsyslog server is experiencing downtime.
# These legacy $ActionQueue* directives apply to the action that follows them,
# so they must come before the forwarding line they are meant to protect.
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1

# Send system logs to the rsyslog server over TCP
*.* @@192.168.72.204:514
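To make the two halves of this setup concrete, here is an added example (my own code, not part of the article and not rsyslog's implementation) that models both the client forwarding lines above and the server template from the previous section. It builds an RFC 3164 message the way a forwarding client does, sends it either as a UDP datagram (the single `@` line) or as an LF-terminated line over TCP (the `@@` line), and on the receiving side parses HOSTNAME and PROGRAMNAME out of the message to build the same `<base>/HOSTNAME/PROGRAMNAME.log` path that the `$template remote-incoming-logs` line produces. It assumes a loopback listener on an ephemeral port instead of port 514 and a temporary directory instead of /var/log, so it runs without root and without a second machine. The `safe_component` check is my own addition: both fields are supplied by the remote client, so anything that could change the target directory is neutralised before it becomes part of a file name. Note also that keeping both the `@` and the `@@` line, as the page shows, forwards every message twice; in practice you keep one of them, normally the TCP one that the queue settings protect.

```python
"""Minimal model of the syslog exchange set up in this guide (added example, not rsyslog code).
Assumed: receiver on 127.0.0.1 with an ephemeral port instead of 514, files under a temporary
directory instead of /var/log, so it runs without root and without a second host."""
import os
import re
import socket
import tempfile
import threading

# RFC 3164 facility and severity codes needed to build the <PRI> field.
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local0": 16}
SEVERITY = {"emerg": 0, "crit": 2, "err": 3, "warning": 4, "notice": 5, "info": 6}

# BSD syslog line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
_LINE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                   r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(\[\d+\])?: ?(?P<msg>.*)$")

def build_message(facility, severity, hostname, program, pid, text, ts="Jan  1 00:00:00"):
    """Client side: format one RFC 3164 message as a forwarding client would."""
    return f"<{FACILITY[facility] * 8 + SEVERITY[severity]}>{ts} {hostname} {program}[{pid}]: {text}"

def safe_component(value):
    """Reduce a client-supplied field to one safe path component (my own check, not rsyslog's):
    HOSTNAME and PROGRAMNAME come from the remote client, so separators and dot-names are
    neutralised before the value is used in a file name."""
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", value)
    return "invalid" if cleaned in ("", ".", "..") or cleaned.startswith(".") else cleaned

def template_path(base_dir, hostname, program):
    """Server side: what the guide's template /var/log/%HOSTNAME%/%PROGRAMNAME%.log resolves to."""
    return os.path.join(base_dir, safe_component(hostname), safe_component(program) + ".log")

def parse_message(line):
    """Split a received line into the properties the template needs; None if malformed."""
    m = _LINE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8, "hostname": m.group("host"),
            "program": m.group("tag"), "msg": m.group("msg")}

def store_message(base_dir, line):
    """Server side: append one parsed line to its per-host, per-program file; return the path."""
    parsed = parse_message(line)
    if parsed is None:
        return None
    path = template_path(base_dir, parsed["hostname"], parsed["program"])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return path

def serve_once(base_dir, proto):
    """Receive exactly one message on loopback in a background thread.
    Returns (port, result dict that gets a 'path' key when done, thread)."""
    result = {}
    if proto == "udp":
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind(("127.0.0.1", 0))

        def run():
            data, _ = sock.recvfrom(65535)  # one datagram carries one whole message
            result["path"] = store_message(base_dir, data.decode("utf-8", "replace"))
            sock.close()
    else:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.bind(("127.0.0.1", 0))
        sock.listen(1)

        def run():
            conn, _ = sock.accept()
            buf = b""
            while b"\n" not in buf:  # TCP is a byte stream: messages are LF-framed
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            first = buf.split(b"\n", 1)[0]
            result["path"] = store_message(base_dir, first.decode("utf-8", "replace"))
            conn.close()
            sock.close()
    port = sock.getsockname()[1]
    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return port, result, thread

def send_message(proto, port, line):
    """Client side: '@host' in rsyslog.conf means UDP, '@@host' means TCP with LF framing."""
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(line.encode("utf-8"), ("127.0.0.1", port))
    else:
        with socket.create_connection(("127.0.0.1", port)) as s:
            s.sendall(line.encode("utf-8") + b"\n")

def demo(proto="tcp"):
    """Send one constructed sshd message end to end; return (stored path, lines in that file)."""
    base = tempfile.mkdtemp(prefix="rsyslog-demo-")
    port, result, thread = serve_once(base, proto)
    line = build_message("auth", "info", "ubuntu2", "sshd", 1234, "Accepted publickey for alice")
    send_message(proto, port, line)
    thread.join(timeout=5)
    with open(result["path"], encoding="utf-8") as fh:
        return result["path"], fh.read().splitlines()

if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        print(proto, *demo(proto))
```

Running the script prints, for each transport, the file the message landed in (ending in `ubuntu2/sshd.log`, mirroring what `ls /var/log/ubuntu2` shows on the real server) and its contents. The two `run` bodies show why the `@@` form pairs naturally with the disk queue: a TCP connection either completes or fails, which rsyslog can detect and retry, while a lost UDP datagram is simply gone.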

Below is a screenshot of how the Rsyslog client configuration should look:

Save and close the Rsyslog configuration file.

Now run the command below to restart the service of Rsyslog:

$ sudo systemctl restart rsyslog

View Client’s log files in Rsyslog Server

Once you have completed all the configuration described above, you can view the log files sent by the clients to the Rsyslog server. On your Rsyslog server machine, run the command below in the terminal:

$ ls /var/log/

In the output of the above command, you will see a directory named after your client system’s hostname (ubuntu2 in our example).

To view the log files of the client machine, list the contents of this directory:

$ sudo ls /var/log/ubuntu2

That is all there is to it! In this guide, we covered how to configure Rsyslog on Ubuntu both as a logging server and as a client that sends its logs to the Rsyslog server. We also covered how to view the logs sent by the clients on the logging server.
