This article is going to take you through on how to configure syslog server on Debian 11. Syslog is a protocol that uses a common message format to allow network devices to connect with a logging server. It was made with the intention of making network device management as simple as possible. Devices can use a Syslog agent to send out notification messages in a variety of instances.
How to Configure Syslog Server on Debian 11
On Debian/Ubuntu systems, Rsyslog is the default syslogd. Rsyslog package is already installed by default as well.
apt list rsyslog -aSample output;
Listing... Done
rsyslog/stable,now 8.2102.0-2 amd64 [installed]
rsyslog/stable 8.2102.0-2 i386- It is also started and and set to run on system boot. You can check status using the command below.
sudo systemctl status rsyslogSample output
● rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; ena>
Active: active (running) since Tue 2022-03-29 13:17:39 E>
TriggeredBy: ● syslog.socket
Docs: man:rsyslogd(8)
man:rsyslog.conf(5)
https://www.rsyslog.com/doc/
Main PID: 456 (rsyslogd)
Tasks: 4 (limit: 7038)
Memory: 8.2M
CPU: 221ms
CGroup: /system.slice/rsyslog.service
└─456 /usr/sbin/rsyslogd -n -iNONE
Mar 29 13:17:38 debian systemd[1]: Starting System Logging Se>
Mar 29 13:17:39 debian systemd[1]: Started System Logging Ser>
Mar 29 13:17:39 debian rsyslogd[456]: imuxsock: Acquired UNIX>
Mar 29 13:17:39 debian rsyslogd[456]: [origin software="rsysl>
Mar 29 13:17:40 debian systemd[1]: rsyslog.service: Sent sign>
Mar 29 13:27:39 debian rsyslogd[456]: [origin software="rsysl>
- Run the following command to open the syslog configuration file.
sudo nano /etc/rsyslog.confNext uncomment the lines below to configure the UDP and TCP protocols for log reception.
# provides UDP syslog reception module(load="imudp") input(type="imudp" port="514") # provides TCP syslog reception module(load="imtcp") input(type="imtcp" port="514")
- We’ll create a new template that instructs the rsyslog server where to save incoming messages. Add the following after below TCP config.
$template Incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?Incoming-logsIt should look like the file below.
# provides UDP syslog reception module(load="imudp") input(type="imudp" port="514") # provides TCP syslog reception module(load="imtcp") input(type="imtcp" port="514") $template Incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log" *.* ?Incoming-logs ########################### #### GLOBAL DIRECTIVES #### ###########################
- After you’ve saved and closed the file, go ahead and inspect the configuration file using the following command.
sudo rsyslogd -N1 -f /etc/rsyslog.conf- For changes to take effect, use the command below to restart the rsyslog service.
sudo systemctl restart rsyslog- Check that the rsyslog service is listening on the ports specified.
sudo ss -tunlp | grep 514Sample output
udp UNCONN 0 0 0.0.0.0:514 0.0.0.0:* users:(("rsyslogd",pid=3205,fd=6))
udp UNCONN 0 0 [::]:514 [::]:* users:(("rsyslogd",pid=3205,fd=7))
tcp LISTEN 0 25 0.0.0.0:514 0.0.0.0:* users:(("rsyslogd",pid=3205,fd=8))
tcp LISTEN 0 25 [::]:514 [::]:* users:(("rsyslogd",pid=3205,fd=9))
- If you’re using a firewall, enable rsyslog firewall port rules.
sudo ufw allow 514/tcp
sudo ufw allow 514/udp- After that, use the following command to restart your firewall.
sudo ufw reloadConfigure Rsyslog Client on Debian 11
- Set up your rsyslog client to send logs to a remote rsyslog server; in this example, I’ll stick with Debian 11. Using the command below, open the configuration file.
sudo nano /etc/rsyslog.conf- Allow FQDN preservation by including the following in the config file.
$PreserveFQDN on- Configure a remote rsyslog server to send logs over UDP by adding the following line.
*.* @Rsysog-server-IP:514- Use double @ to send over TCP, as shown below.
*.* @@Rsysog-server-IP:514- Next set up a disk queue to save logs in case the rsyslog server goes down by adding the following lines.
$ActionQueueFileName queue $ActionQueueMaxDiskSpace 1g $ActionQueueSaveOnShutdown on $ActionQueueType LinkedList $ActionResumeRetryCount -1
- For changes to take effect, the rsyslog service must be restarted.
sudo systemctl restart rsyslogView Client log files in Rsyslog Server
- Our log is stored in the
/var/log/remote-hostname/directory according to the template we set earlier, e.g.
cd /var/log/debian/- Type the command below to check the log, e.g. we’ll check logs for boot.
sudo tail -f /var/log/debian/systemd.logSample output
[ OK ] Finished Permit User Sessions. 2022-03-29T13:40:04.966469+03:00 debian systemd[1]: rsyslog.service: Succeeded. 2022-03-29T13:40:04.967462+03:00 debian systemd[1]: Stopped System Logging Service. 2022-03-29T13:40:04.970601+03:00 debian systemd[1]: Starting System Logging Service... 2022-03-29T13:40:04.981814+03:00 debian systemd[1]: Started System Logging Service. 2022-03-29T13:41:35.401652+03:00 debian systemd[999]: Started Application launched by gnome-shell. 2022-03-29T13:41:40.778750+03:00 debian systemd[1]: Starting Hostname Service... 2022-03-29T13:41:40.843746+03:00 debian systemd[1]: Started Hostname Service. 2022-03-29T13:42:10.886061+03:00 debian systemd[1]: systemd-hostnamed.service: Succeeded. 2022-03-29T13:42:14.115768+03:00 debian systemd[999]: app-gnome-gnome\x2dcontrol\x2dcenter-3244.scope: Succeeded. 2022-03-29T13:42:14.116048+03:00 debian systemd[999]: app-gnome-gnome\x2dcontrol\x2dcenter-3244.scope: Consumed 2.955s CPU time.
- You’ve made it to the end of the article, congrats. You have learned how to configure syslog server on Debian 11.
Read more about Rsyslog on man pages
Other Tutorials
Monitor Windows system metrics using Prometheus node exporter
