Home
Linux
Setup Rsyslog Server on Ubuntu 20.04 - How to do it ?

Setup Rsyslog Server on Ubuntu 20.04 - How to do it ?

Linux

Log files are the files that keep information about the system activities such as authorization and access attempts, startup and shutdown attempts, startup and shutdown of service, etc. There are different log files for different type of activities. Log files facilitate in troubleshooting and monitoring of system activities. Rsyslog is an open-source program for Linux OS that can be configured both as the logging server and the client.

Here at LinuxAPT, as part of our Server Management Services, we regularly help our customers to perform related Rsyslog queries.

In this context, we shall look into setup the Rsyslog server on Ubuntu OS 20.04 using two Ubuntu machines. On one Ubuntu machine, we will configure Rsyslog as a logging server, and on the other machine; we will configure Rsyslog as a client which will send logs to the Rsyslog server.

How to install Rsyslog on Ubuntu 20.04 LTS Focal Fossa ?

1. Perform System Update

To begin, ensure that all your system packages are up-to-date by running the following apt commands in the terminal:

$ sudo apt update
$ sudo apt upgrade

2. Install Rsyslog on the system

By default, Rsyslog is now available on the Ubuntu base repository. Now we run the following command below to install the Rsyslog server package on your system:

$ sudo apt install rsyslog

Once the installation is done, start and enable the Rsyslog service:

$ sudo systemctl start rsyslog
$ sudo systemctl enable rsyslog
$ sudo systemctl status rsyslog

To verify the installation of Rsyslog and to view the status of its service, run the command below:

$ sudo systemctl status rsyslog

How to configure Rsyslog Server on Ubuntu ?

1. Configure Rsyslog

Now that Rsyslog is installed and running, we will now configure it as the logging server.

Edit the Rsyslog configuration file etc/rsyslog.conf:

$ sudo nano /etc/rsyslog.conf

Add the below lines in the Rsyslog configuration file:

# Receive syslog over UDP
module(load="imudp")
input(type="imudp" port="514")
# Receive syslog over TCP
module(load="imtcp")
input(type="imtcp" port="514")

Then we will create a template that will be used by Rsyslog for storing incoming syslog messages. To do so, add the below lines in the Rsyslog configuration file before the GLOBAL DIRECTIVES section:

$template remote-incoming-logs, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs

Then save and close the configuration file.

Now run the command below to restart the service of Rsyslog:

$ sudo systemctl restart rsyslog

You can also verify if Rsyslog is listening to TCP/UDP port 514 using the command below:

$ sudo ss -tunlp | grep 514

2. Configure Firewall

If your system has the firewall enabled on it, you will need to open TCP/UDP port 514. This port is used by Rsyslog server for receiving the logs from the remote client. Run these commands to open TCP/UDP port 514 in Ubuntu firewall:

$ sudo ufw allow 514/tcp
$ sudo ufw allow 514/udp

Then reload the firewall:

$ sudo ufw reload

How to configure Rsyslog Client on Ubuntu ?

Now on the other Ubuntu system, we will perform the configuration for Rsyslog client. This client will then send its logs to the Rsyslog logging server.

On the ubuntu machine that you want to configure as the Rsyslog client, first install Rsyslog (if not already installed):

$ sudo apt install rsyslog

Then edit the Rsyslog configuration file using this command:

$ sudo nano /etc/rsyslog.conf

Add the below lines in the end of the Rsyslog configuration file. Make sure to replace 192.168.72.201 with the IP address of your Rsyslog logging server:

#Send system logs to rsyslog server over RDP
*.* @192.168.72.201:514
#Send system logs to rsyslog server over TCP
*.* @@192.168.72.201:514
##Set disk queue to preserve your logs in case rsyslog server is experiencing any downtime
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1

Save and close the Rsyslog configuration file.

Now run the command below to restart the service of Rsyslog:

$ sudo systemctl restart rsyslog

How to View Client's log files in Rsyslog Server ?

Once you are done with all the configurations described above, you can view the log files sent by the clients to the Rsyslog server. On your Rsyslog server machine, run the command below in the Terminal:

$ ls /var/log/

In the output of the above command, you will see a directory named the same as your client system hostname.

To view the log files of the client machine, list the contents of this directory:

$ sudo ls /var/log/directory

[Need help in configuring Rsyslog on your Linux system ? We can help you. ]

This article covers how to install and configure Rsyslog Server and Client on Ubuntu 20.04 LTS Focal Fossa system. In fact, Checking logs is an important activity to see what's happening on your Linux servers, especially when you are trying to locate an issue. In Rsyslog, the config files remain the same as Syslog. That simply means you can copy a syslog.conf file directly into rsyslog.conf and it will work.

The syslog-ng, FluentD, Logstash, GreyLog2, and Logagent, Filebeat are the other alternatives for Rsyslog.

Directory where different sorts of logs stored in a Linux system:

/var/log/syslog - Stores all startup messages, application startup messages etc. Practically stores all global system logs.
/var/log/cron - The Cron jobs are basically kind of scheduled and automated task created in the system, that runs periodically and repeatedly. You can see what this logs directory would store.
/var/log/kern.log - it stores kernel logs. No matter what logs they are. Event logs, errors, or warning logs.
/var/log/auth.log - Authentication logs.
/var/log.boot.log - System boot logs.
/var/log/mysql.d - Mysql logs.
/var/log/httpd - Apache logs directory.
/var/log/maillog - Mail server logs.