If you’re managing a bunch of servers, keeping track of all those logs can get messy fast. That’s where an rsyslog server comes in handy! Rsyslog is like your personal log collector, helping you gather, process, and filter logs from various systems in one spot. In this guide, we’ll walk you through the steps to install and configure an rsyslog server on Ubuntu 22.04. Whether you’re looking to keep an eye on your network, troubleshoot issues, or just get a handle on all that log data, setting up rsyslog is a great place to start. Let’s dive in!
To begin, ensure that you have a VPSie account set up. If not, create one first. Then, deploy two Ubuntu 22.04 servers, tailored to your specific requirements. One server will be designated as the syslog server, and the other will be used as the client.
Setting Up the rsyslog Server
Ensure that your server is up to date:
sudo apt update
sudo apt upgrade -y
Install the rsyslog package from the default repositories:
sudo apt install rsyslog -y
Edit the rsyslog configuration file to enable the server to accept logs from remote clients. Open the configuration file:
sudo nano /etc/rsyslog.conf
Find and uncomment the following lines to enable UDP and TCP listeners:
module(load="imudp") # UDP listener
input(type="imudp" port="514")
module(load="imtcp") # TCP listener
input(type="imtcp" port="514")
If you would like to limit access to a specific subnet, IP address or domain, add lines like the ones below. Replace IP-SUBNET with the subnet from which incoming logs are expected.
$AllowedSender TCP, 127.0.0.1, IP-SUBNET/24, *.example.com
$AllowedSender UDP, 127.0.0.1, IP-SUBNET/24, *.example.com
Add the TCP line after the input(type="imtcp" port="514") line and the UDP line after the input(type="imudp" port="514") line. Remember to substitute the given values with the correct ones. Keep in mind that $AllowedSender is an address-based filter, not authentication: plain syslog over UDP or TCP is neither authenticated nor encrypted.
Let's create a template that tells the rsyslog server how to store incoming syslog messages. Add the template just before the GLOBAL DIRECTIVES section:
$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
& ~
The & ~ line tells rsyslog to discard each message after it has been written to the file chosen by the template, so the rules that follow (on Ubuntu, the default rules included from /etc/rsyslog.d/, which fill /var/log/syslog and related files) do not write it a second time. Because the selector is *.*, this applies to the server's own local messages as well, not only to remote ones. In current rsyslog versions, & stop is the preferred spelling of & ~. Other properties that can be used in the template include:
%syslogseverity%, %syslogfacility%, %timegenerated%, %HOSTNAME%, %syslogtag%, %msg%, %FROMHOST-IP%, %PRI%, %MSGID%, %APP-NAME%, %TIMESTAMP%, %$year%, %$month%, %$day%
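To see what the template's placeholders resolve to, here is an added Python example (not from the original guide and not rsyslog's own code) that parses constructed RFC 3164 lines into the property names listed above and renders the same /var/log/%HOSTNAME%/%PROGRAMNAME%.log template. It also shows a point worth remembering when file paths are built from message data: %HOSTNAME% is whatever the sending client wrote in its header, while %FROMHOST-IP% is taken from the connection, so the example accepts the header hostname only when it is a valid DNS name and otherwise falls back to the peer address. The sample messages, sender addresses and helper names are all constructed for this illustration.

```python
import posixpath
import re

# Constructed sample input: (sender IP as seen on the socket, raw RFC 3164 line).
# The third line carries a header hostname that is not a valid name, to show
# why the header value cannot be dropped into a path unchecked.
SAMPLE_INPUT = [
    ("192.0.2.10", "<34>Oct 11 22:14:15 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2"),
    ("192.0.2.11", "<13>Oct 11 22:14:16 db01.example.com cron[55]: (root) CMD (run-parts /etc/cron.hourly)"),
    ("192.0.2.12", "<165>Oct 11 22:14:17 ../../etc rogue: header hostname that is not a valid name"),
]

RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                   # %PRI%
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "  # %TIMESTAMP%
    r"(?P<hostname>\S+) "                                    # %HOSTNAME% (taken from the header)
    r"(?P<tag>[^\s:]+:?) ?"                                  # %syslogtag%, e.g. "sshd[1234]:"
    r"(?P<msg>.*)$"                                          # %msg%
)
# RFC 1123 host name: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
TEMPLATE_RE = re.compile(r"%([A-Za-z$-]+)%")


def parse_syslog(line: str, fromhost_ip: str) -> dict:
    """Turn one RFC 3164 line into the rsyslog property names used in templates."""
    m = RFC3164_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # 23 facilities * 8 + 7 is the highest legal value
        raise ValueError(f"PRI out of range: {pri}")
    tag = m["tag"]
    # PROGRAMNAME is the tag without the "[pid]" suffix and the trailing colon.
    programname = re.match(r"[^\[:]+", tag).group(0)
    return {
        "PRI": pri,
        "syslogfacility": pri // 8,  # numeric facility, e.g. 4 == auth
        "syslogseverity": pri % 8,   # numeric severity, e.g. 2 == crit
        "TIMESTAMP": m["timestamp"],
        "HOSTNAME": m["hostname"],
        "FROMHOST-IP": fromhost_ip,  # comes from the socket, not from the message
        "syslogtag": tag,
        "PROGRAMNAME": programname,
        "msg": m["msg"],
    }


def safe_hostname(props: dict) -> str:
    """Header hostname if it is a valid DNS name, otherwise the peer address."""
    host = props["HOSTNAME"]
    return host if HOSTNAME_RE.match(host) else props["FROMHOST-IP"]


def render_template(template: str, props: dict) -> str:
    """Substitute %property% placeholders the way the $template line does."""
    def substitute(m: re.Match) -> str:
        name = m.group(1)
        if name not in props:
            raise KeyError(f"unknown property %{name}%")
        return str(props[name])
    return TEMPLATE_RE.sub(substitute, template)


def log_path_for(line: str, fromhost_ip: str,
                 template: str = "/var/log/%HOSTNAME%/%PROGRAMNAME%.log") -> str:
    """Path the template would produce for one message, kept inside /var/log."""
    props = parse_syslog(line, fromhost_ip)
    props["HOSTNAME"] = safe_hostname(props)
    props["PROGRAMNAME"] = props["PROGRAMNAME"].replace("/", "_")  # never a path separator
    path = render_template(template, props)
    if not posixpath.normpath(path).startswith("/var/log/"):
        raise ValueError(f"rendered path leaves /var/log: {path}")
    return path


def render_all(samples=SAMPLE_INPUT) -> list:
    """Render the guide's template for every constructed sample."""
    return [log_path_for(line, ip) for ip, line in samples]


if __name__ == "__main__":
    for (ip, line), path in zip(SAMPLE_INPUT, render_all()):
        print(f"{ip:<12} -> {path}")
```

Running the script prints one path per sample; the first two land under the hostnames from the headers, while the third is filed under the sender's address because its header hostname failed the check.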
Restart rsyslog service for the changes to take effect:
sudo systemctl restart rsyslog
Ensure rsyslog starts automatically on system boot:
sudo systemctl enable rsyslog
Confirm that the service is listening on the configured ports:
ss -tunelp | grep 514
Configuring the rsyslog Client
Update the client server to ensure it has the latest packages:
sudo apt update
sudo apt upgrade -y
Install rsyslog on the client server:
sudo apt install rsyslog -y
Edit the rsyslog configuration file on the client to point it at the log server's IP address. Open the configuration file:
sudo nano /etc/rsyslog.conf
Add the remote rsyslog server at the end of the file. For UDP, use:
*.* @SERVER_IP:514
For TCP (more reliable, but it requires the TCP listener to be configured on the server, as done above), use:
*.* @@SERVER_IP:514
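The @ and @@ actions are two variants of the same forwarding rule: a single @ sends each message as one UDP datagram, a double @@ sends it over a TCP connection with each record terminated by a newline. The added Python example below (not part of this guide and not rsyslog's own code) parses such rule lines, fills in the default port 514 when none is given, and decides whether a message of a given facility and severity would be forwarded. It goes beyond the guide's *.* selector to the general facility.level form, including comma-separated facility lists, semicolon-separated selectors, =level and none. The rule lines and the (facility, severity) pairs are constructed samples.

```python
import re

# Facility and severity numbers from syslog.h / RFC 5424; the names are the
# ones accepted in selector lines (including the older aliases).
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "security": 4,
            "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10,
            "ftp": 11, **{f"local{i}": 16 + i for i in range(8)}}
SEVERITY = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
            "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}

# "@host", "@@host:port", with IPv6 literals in square brackets.
ACTION_RE = re.compile(r"^(?P<at>@@?)(?P<host>\[[^\]]+\]|[^\[\]:\s]+)(?::(?P<port>\d{1,5}))?$")

# Constructed rule lines in the same form as the guide's *.* @SERVER_IP:514.
SAMPLE_RULES = [
    "*.* @@192.0.2.1:514",
    "auth,authpriv.* @192.0.2.1",
    "*.info;mail.none @@[2001:db8::1]:6514",
]


def parse_selector(selector: str) -> dict:
    """Expand 'fac1,fac2.level;...' into {facility number: set of severities}."""
    table = {}
    for part in selector.split(";"):
        fac_list, _, level = part.strip().rpartition(".")
        if not fac_list or not level:
            raise ValueError(f"bad selector: {part!r}")
        facilities = range(24) if fac_list == "*" else [FACILITY[f] for f in fac_list.split(",")]
        if level == "*":
            severities = set(range(8))
        elif level == "none":
            severities = set()                       # exclude the facility entirely
        elif level.startswith("="):
            severities = {SEVERITY[level[1:]]}       # exactly this severity
        else:
            severities = set(range(SEVERITY[level] + 1))  # this severity and anything worse
        for fac in facilities:
            table[fac] = severities                  # later selectors override earlier ones
    return table


def parse_rule(line: str) -> dict:
    """Split '<selector> <action>' and classify the @ (UDP) / @@ (TCP) action."""
    selector, action = line.split(None, 1)
    m = ACTION_RE.match(action.strip())
    if not m:
        raise ValueError(f"not a forwarding action: {action!r}")
    return {
        "table": parse_selector(selector),
        "transport": "tcp" if m["at"] == "@@" else "udp",
        "host": m["host"].strip("[]"),
        "port": int(m["port"] or 514),               # 514 when the port is omitted
    }


def matches(rule: dict, facility: int, severity: int) -> bool:
    """Would a message with this facility/severity be sent by the rule?"""
    return severity in rule["table"].get(facility, set())


def frame(rule: dict, message: str) -> bytes:
    """Bytes placed on the wire: a bare datagram for UDP, an LF-terminated record for plain TCP."""
    data = message.encode("utf-8")
    return data + b"\n" if rule["transport"] == "tcp" else data


if __name__ == "__main__":
    for line in SAMPLE_RULES:
        rule = parse_rule(line)
        print(f"{line:<40} {rule['transport']} {rule['host']} {rule['port']}  "
              f"auth.crit={matches(rule, 4, 2)} mail.debug={matches(rule, 2, 7)}")
```

The selector table is built left to right, so a later entry for the same facility replaces an earlier one; that is what makes *.info;mail.none keep everything at info or above except mail.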
Restart the rsyslog service to apply the configuration changes:
sudo systemctl restart rsyslog
Ensure rsyslog starts on boot:
sudo systemctl enable rsyslog
Check the log file on the server (with the template above, each client's messages are stored under /var/log/<client hostname>/) to confirm that entries from the client are being recorded.
You have successfully installed and configured rsyslog on Ubuntu 22.04. Your server is now set up to receive and store logs from the client, centralizing your log management. You can further customize the configuration based on your specific requirements.