Rsyslog is an open-source logging program that uses the IP network to send all log files to a centralized log server. It is an improved version of Syslog on Linux. It allows system administrators to monitor all servers from a single location.
Rsyslog works in a client/server model that receives logs from remote clients on port 514 or any configured custom port over the TCP/UDP protocol. It also supports databases ( MySQL, PostgreSQL ) that are used to store logs.
Here at LinuxAPT, as part of our Server Management Services, we regularly help our Customers to perform related Rsyslog configuration queries on Linux system.
In this context, we shall look into how to install and configure Rsyslog on Debian 10 / 11.
1. Install Rsyslog server
To start off, install the Rsyslog package from Debian Repository on your server machine. Execute the below command:
$ sudo apt-get install rsyslog -y
Once the installation is complete, check that Rsyslog is running correctly as displayed below:
$ sudo systemctl status rsyslog
If everything is alright then Rsyslog service is now up and running on your server machine.
2. Configure Rsyslog server
Now that it is running, configure Rsyslog to run as a server on your Debian system. Open the configuration file that is /etc/rsyslog.conf:
$ sudo vim /etc/rsyslog.conf
Locate the lines below and uncomment them for UDP and TCP log reception from remote clients:
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
Next, we need to specify the template that the Rsyslog daemon will use to store incoming logs from client systems. Append the following lines at the end of your configuration file:
$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
Then, Restart rsyslog for the changes to take effect:
$ sudo systemctl restart rsyslog
Rsyslog listens on port 514. You can modify the default port in the configuration file. To verify that the rsyslog daemon is listening on port 514 execute the following ss command:
$ sudo ss -tunlp | grep 514
3. Configure Firewall for rsyslog
The rsyslog daemon is now configured on the server. If you are behind the UFW firewall, allow port 514 so that the server can receive log messages from clients. Execute the commands:
$ sudo ufw allow 514/tcp
$ sudo ufw allow 514/udp
Restart the firewall for the new rules to be applied. Execute the command:
$ sudo ufw reload
4. Configure Rsyslog client
Next, configure the Rsyslog client to send log messages to the Rsyslog server. Ensure RSyslog is correctly installed on your client machine.
First, open the configuration file:
$ sudo nano /etc/rsyslog.conf
Copy and paste the lines below at the end of the file:
#Enable sending system logs over UDP to rsyslog server
*.* @rsyslog-server-ip:514
#Enable sending system logs over TCP to rsyslog server
*.* @@rsyslog-server-ip:514
The configuration above directs the client to send log files to the rsyslog server using both TCP and UDP protocols. Replace rsyslog-server-ip with your server ip address.
If the remote server goes down and you need to keep your logs, you can set the disk queue buffer by adding the below lines to the client configuration file:
##Set disk queue when rsyslog server will be down:
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
Save and close the file. Reload the rsyslog service for the changes to be applied:
$ sudo systemctl restart rsyslog
5. View Clients log files
Rsyslog log files are kept in the /var/log/ folder on your server. To view the client’s logs, use the following ls command:
$ ls /var/log/
By default, the client's log files are stored in a folder named after the hostname of the client system. In my case, the client system has the hostname Debian.
Next, run the following command to view the logs contained in the client's directory:
$ sudo ls -l /var/log/debian/
You can also view logs in real-time on your terminal. Let’s view the logs from the root user. Run the below command:
$ sudo tail -f /var/log/debian/sudo.log
This article covers how to set up the Rsyslog server on Debian 11. In fact, Rsyslog is a free and open-source logging software that forwards all log files to the centralized log server through the IP network. It helps system administrators to keep an eye on all servers from the central point. Rsyslog works in a client/server model, it receives logs from the remote client on port 514 over the TCP/UDP protocol.
How to Install Rsyslog on any Linux distribution ?
1. First, you will need to install the Rsyslog server package on the server machine. You can install it in Debian / Ubuntu using the following command:
$ apt-get install rsyslog -y
In RHEL based distros like CentOS:
$ sudo yum install rsyslog
2. After the installation, verify the Rsyslog status using the following command:
$ systemctl status rsyslog