Configure a syslog server with Rsyslog on Ubuntu

Source: Internet
Author: User
Tags: syslog, rsyslog

A syslog server is a central log collection point in a network, to which all kinds of devices, including Linux or Windows servers, routers, switches or any other hosts, can send their logs over the network. By setting up a syslog server, you can filter and consolidate logs from different hosts and devices into a single location, so that you can view and archive important log messages more easily.

In this tutorial, we cover how to configure a centralized syslog server using rsyslog on Linux. Before we go into the details, it is instructive to go through the syslog standard first.

Basic Syslog Standard

When logs are collected with the syslog mechanism, three important things must be taken into consideration:

    • Facility level: what type of processes to monitor
    • Severity: what type of log messages to collect
    • Destination: where to send or record log messages

The facility levels define a way to categorize internal system processes. Some of the common standard facilities in Linux are:

    • auth: messages related to authentication (login)
    • cron: messages related to scheduled processes or applications
    • daemon: messages related to daemons (internal servers)
    • kernel: messages related to the kernel
    • mail: messages related to internal mail servers
    • syslog: messages related to the syslog daemon itself
    • lpr: messages related to print servers
    • local0-local7: messages defined by the user (local7 is usually used by Cisco and Windows servers)

The severity (priority) levels are standardized, and are defined by a standard abbreviation and an assigned number, with 7 being the highest number of all (note that 0 is the most severe level and 7 the least severe). These levels are:

    • emerg: Emergency - 0
    • alert: Alert - 1
    • crit: Critical - 2
    • err: Error - 3
    • warn: Warning - 4
    • notice: Notification - 5
    • info: Information - 6
    • debug: Debugging - 7

Finally, the destination statement tells a syslog client to perform one of the following three tasks: (1) save log messages to a local file, (2) route them to a remote syslog server over TCP/UDP, or (3) send them to stdout, such as a console.

In rsyslog, a syslog rule is structured according to the following schema.

[Facility-level].[Severity-level]  [Destination]

Configure Rsyslog on Ubuntu

Step One: Initial System Requirements

To set up a Linux host as a central log server, we need to create a separate /var partition and allocate a large enough disk size, or create a dedicated LVM volume group, so that the syslog server is able to sustain the exponential growth of collected logs over time.

Step Two: Enable Rsyslog Daemon

The rsyslog daemon comes pre-installed on modern Linux distributions, but reception of remote messages is not enabled by default. To enable the rsyslog daemon to receive external messages, edit its configuration file, located at /etc/rsyslog.conf.

Once the file is open for editing, search for the lines below and uncomment them by removing the # character from the beginning of each line.

$ModLoad imudp

$UDPServerRun 514

This enables the rsyslog daemon to receive log messages on UDP port 514. UDP is faster than TCP, but it does not provide the same delivery reliability as TCP does. If you need reliable delivery, you can enable TCP by uncommenting the following lines instead (or in addition).

$ModLoad imtcp

$InputTCPServerRun 514

Note that both TCP and UDP can be enabled on the server simultaneously, so that it listens for both TCP and UDP connections. In either case the listener is bound to all interfaces, so restrict which hosts may send to it, with a host firewall rule or rsyslog's $AllowedSender directive, because syslog itself performs no sender authentication.

Step Three: Create a Template for Log Receipt

In the next step we need to create a template for remote messages, and tell the rsyslog daemon how to record messages received from the client machines.

Open /etc/rsyslog.conf with a text editor, and append the following template before the GLOBAL DIRECTIVES block:

$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"

*.*  ?RemoteLogs

& ~

This template needs a little explanation. The $template RemoteLogs directive (the "RemoteLogs" string can be changed to any other descriptive name) makes the rsyslog daemon write log messages to separate local log files under /var/log/, where the log file names are derived from the hostname of the remote sending machine as well as the remote application that generated the logs. The second line ("*.* ?RemoteLogs") means that we apply the RemoteLogs template to all received logs. Because both the hostname and the program name are supplied by the sending host, it is prudent to sanitize them before using them in a file path, for example with the secpath-replace property option (%HOSTNAME:::secpath-replace%), which replaces slashes inside the value.

The "& ~" line is a discard rule, and is used to tell the rsyslog daemon to stop processing these log messages any further, and not to write them anywhere else locally. If this rule isn't used, all the remote messages would also be written to the default local log files besides the log files described above, which means they would practically be written twice. Another consequence of using this rule is that the syslog server's own log messages are only written to the dedicated files named after the machine's hostname. (On rsyslog 7 and later, "& stop" is the preferred spelling of this rule; "~" is deprecated but still accepted.)

If you want, you can direct only log messages with a specific facility or severity level to this new template, using the following schema.

[Facility-level].[Severity-level]    ?RemoteLogs

For example:

Direct all internal authentication messages, of all levels, to the RemoteLogs template:

authpriv.*    ?RemoteLogs

Direct informational messages generated by all system processes, except mail, authentication and cron messages, to the RemoteLogs template (selectors are separated by semicolons):

*.info;mail.none;authpriv.none;cron.none    ?RemoteLogs
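As an added example (not part of the original tutorial), the following Python script models how rsyslog applies selectors like the ones above: it decodes facility and severity from the <PRI> header described in the Basic Syslog Standard section (facility * 8 + severity), evaluates a classic selector list with the same left-to-right semantics rsyslog uses, and expands the RemoteLogs template path. The sample messages, hostnames and rule list are constructed for illustration only.

```python
import re

# Facility and severity codes from the syslog standard; the <PRI> header is facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron", "authpriv",
              "ftp", "ntp", "audit", "alert", "clock"] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LEVEL = {n: i for i, n in enumerate(SEVERITIES)}
LEVEL.update(panic=0, error=3, warn=4)  # alternative spellings that rsyslog also accepts
# BSD-style line as a client sends it over the wire: <PRI>Mmm dd hh:mm:ss hostname tag[pid]: text
LINE_RE = re.compile(r"^<(\d{1,3})>\w{3} +\d+ [\d:]+ (\S+) ([^\s:\[]+)(?:\[\d+\])?: ?(.*)$")

def parse_line(line):
    """Return (facility, severity, hostname, programname, text) for one BSD syslog line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    facility, severity = divmod(int(m.group(1)), 8)
    if facility >= len(FACILITIES):
        raise ValueError("PRI value out of range")
    return FACILITIES[facility], SEVERITIES[severity], m.group(2), m.group(3), m.group(4)

def selector_matches(selector, facility, severity):
    """Evaluate a classic '[facility].[severity]' selector list such as '*.info;mail.none;authpriv.none'.
    Terms apply left to right: 'level' adds that level and everything more severe, '=level' adds
    exactly that level, 'none' drops the facility again, '*' means all ('!' negation not handled)."""
    allowed = set()
    for term in selector.split(";"):
        facs, _, prio = term.strip().rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if prio == "none":
            allowed.clear()
        elif prio == "*":
            allowed.update(range(len(SEVERITIES)))
        elif prio.startswith("="):
            allowed.add(LEVEL[prio[1:]])
        else:
            allowed.update(range(LEVEL[prio] + 1))
    return LEVEL[severity] in allowed

def route(line, rules):
    """rules: (selector, template) pairs in config order; returns the files the message would land in."""
    facility, severity, host, prog, _ = parse_line(line)
    return [tpl.replace("%HOSTNAME%", host).replace("%PROGRAMNAME%", prog)
            for sel, tpl in rules if selector_matches(sel, facility, severity)]

# Constructed sample messages (PRI = facility*8 + severity), not real log data.
SAMPLES = ["<86>Mar  1 10:00:01 web01 sshd[1234]: Accepted publickey for deploy",  # authpriv.info
           "<22>Mar  1 10:00:02 web01 postfix[99]: connect from unknown",          # mail.info
           "<4>Mar  1 10:00:03 db01 kernel: nf_conntrack: table full",              # kern.warning
           "<31>Mar  1 10:00:04 db01 systemd[1]: Started session"]                  # daemon.debug
RULES = [("authpriv.*", "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"),
         ("*.info;mail.none;authpriv.none;cron.none", "/var/log/%HOSTNAME%/%PROGRAMNAME%.log")]
```

Running `route(s, RULES)` over SAMPLES shows that the sshd and kernel messages are filed under their sending host while the mail message and the daemon.debug message (below the info threshold) are not matched by either rule.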
If we want all received messages from remote clients written to a single file named after their IP address, you can use the following template instead. We assign a new name, "IpTemplate", to this template.

$template IpTemplate,"/var/log/%fromhost-ip%.log"

*.*  ?IpTemplate
Having enabled the rsyslog daemon and edited its configuration file, we need to restart the daemon.

$ sudo service rsyslog restart

Then verify that the rsyslog daemon is listening on port 514 with the netstat command.

$ sudo netstat -tulpn | grep rsyslog
The output may look like the following:

tcp    0    0 0.0.0.0:514    0.0.0.0:*    LISTEN    3267/rsyslogd
tcp6   0    0 :::514         :::*         LISTEN    3267/rsyslogd
udp    0    0 0.0.0.0:514    0.0.0.0:*              3267/rsyslogd
udp6   0    0 :::514         :::*                   3267/rsyslogd

Step Four: Check Log Files

Once remote log messages are received, their log files should be located under /var/log, in a directory named after each sending host when the RemoteLogs template is used.

Reference
    • How to configure a syslog server with Rsyslog on Linux

