Configure Syslog Server on Rocky Linux 8

This article takes you through how to configure a syslog server on Rocky Linux 8. Syslog is a logging protocol that lets network devices send messages to a logging server in a standard format. It was designed to make network device management as straightforward as possible: a syslog agent on each device can send out notifications in a variety of scenarios.

How to Configure Syslog Server on Rocky Linux 8

On Rocky Linux systems, the default syslogd is Rsyslog.

Rsyslog is installed by default and should already be running. Confirm this with:

systemctl status rsyslog

Sample output

● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2022-03-29 14:51:00 EAT; 43min ago
     Docs: man:rsyslogd(8)
           https://www.rsyslog.com/doc/
 Main PID: 1410 (rsyslogd)
    Tasks: 3 (limit: 23385)
   Memory: 12.6M
   CGroup: /system.slice/rsyslog.service
           └─1410 /usr/sbin/rsyslogd -n

Mar 29 14:50:58 localhost.localdomain systemd[1]: Starting System Logging Service...
Mar 29 14:51:00 localhost.localdomain rsyslogd[1410]: [origin software="rsyslogd" swVersion="8.2102.0-5.el8" x-pid="1410" x-info="https://www.rsyslog.com"] start
Mar 29 14:51:00 localhost.localdomain systemd[1]: Started System Logging Service.
Mar 29 14:51:00 localhost.localdomain rsyslogd[1410]: imjournal: journal files changed, reloading...  [v8.2102.0-5.el8 try https://www.rsyslog.com/e/0 ]
Mar 29 14:51:04 localhost.localdomain rsyslogd[1410]: imjournal: journal files changed, reloading...  [v8.2102.0-5.el8 try https://www.rsyslog.com/e/0 ]
  • Next, run the following command to open the config file and configure the Rsyslog server on Rocky Linux to receive logs.
sudo nano /etc/rsyslog.conf
  • Rsyslog server can be configured to receive logs via TCP or UDP protocols.
  • In this example setup, let’s configure Rsyslog server on Rocky Linux to receive logs using both protocols.
  • Thus, uncomment the lines below (remove the leading #) to enable both the UDP and TCP inputs so that Rsyslog can receive logs.

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")

  • After the changes, these lines should look like;
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
  • Next, you need to create a template that tells rsyslog where to save incoming messages. Add the settings below just above the GLOBAL DIRECTIVES section of the config file, as shown below.
## Remote Logs Template
$template Incoming-logs,"/var/log/remote-logs/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?Incoming-logs

After adding these lines, the relevant part of the file should look like the example below.

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")

## Remote Logs Template
$template Incoming-logs,"/var/log/remote-logs/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?Incoming-logs

#### GLOBAL DIRECTIVES ####
  • Save and exit the file.
  • Create the remote logs directory specified in the template;
sudo mkdir /var/log/remote-logs
  • Check that the Rsyslog configuration file is valid after you’ve saved and closed it.
sudo rsyslogd -N1 -f /etc/rsyslog.conf
  • The rsyslog service must be restarted for the changes to take effect.
sudo systemctl restart rsyslog
  • Rsyslog will then listen on UDP and TCP port 514. You can confirm this using the following command.
sudo ss -4tunlp | grep 514

Sample output

udp   UNCONN 0      0                 0.0.0.0:514        0.0.0.0:*    users:(("rsyslogd",pid=5759,fd=4))                                             
udp   UNCONN 0      0                    [::]:514           [::]:*    users:(("rsyslogd",pid=5759,fd=5))                                             
tcp   LISTEN 0      25                0.0.0.0:514        0.0.0.0:*    users:(("rsyslogd",pid=5759,fd=6))                                             
tcp   LISTEN 0      25                   [::]:514           [::]:*    users:(("rsyslogd",pid=5759,fd=7)) 
  • Next, open the rsyslog ports in the firewall if you’re using one.
sudo firewall-cmd --permanent --add-port=514/tcp
sudo firewall-cmd --permanent --add-port=514/udp
  • Then reload the firewall with the command below.
sudo firewall-cmd --reload

View log files in Rsyslog Server

  • Our logs are kept under the /var/log/remote-logs/<hostname>/ directory, according to the template we set above.

For example, the local server itself will also start writing logs to the remote-logs directory defined in the template;

sudo ls /var/log/remote-logs/

In our setup, a rocky8 folder is created;

Check the logs;

ls -1 /var/log/remote-logs/rocky8/
dbus-daemon.log
NetworkManager.log
rsyslogd.log
systemd.log
  • To check the logs, e.g. for systemd type the command below.
sudo tail -f /var/log/remote-logs/rocky8/systemd.log

Sample output

2022-03-30T21:39:53.696323+03:00 rocky8 systemd[1]: rsyslog.service: Succeeded.
2022-03-30T21:39:53.696415+03:00 rocky8 systemd[1]: Stopped System Logging Service.
2022-03-30T21:39:53.696461+03:00 rocky8 systemd[1]: Starting System Logging Service...
2022-03-30T21:39:53.723013+03:00 rocky8 systemd[1]: Started System Logging Service.
2022-03-30T21:41:03.967785+03:00 rocky8 systemd[1]: Starting Cleanup of Temporary Directories...
2022-03-30T21:41:04.650152+03:00 rocky8 systemd[1]: systemd-tmpfiles-clean.service: Succeeded.
2022-03-30T21:41:04.650265+03:00 rocky8 systemd[1]: Started Cleanup of Temporary Directories.
2022-03-30T21:43:04.253046+03:00 rocky8 systemd[1]: Starting Network Manager Script Dispatcher Service...
2022-03-30T21:43:04.282576+03:00 rocky8 systemd[1]: Started Network Manager Script Dispatcher Service.
2022-03-30T21:43:14.801773+03:00 rocky8 systemd[1]: NetworkManager-dispatcher.service: Succeeded.
  • Similarly, you can configure remote systems to send their logs to the Rsyslog server on Rocky Linux;

The logs should be received on the Rsyslog server remote logs folder.
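To see what the server actually receives and where the Incoming-logs template files it, here is an added Python example (not part of the article or of rsyslog): it builds one RFC 3164 message as logger(1) would, pushes it through a local UDP listener standing in for the imudp input on port 514, parses the properties rsyslog exposes to templates, and computes the resulting file path. The regex, the local listener and the path check are assumptions of this example, not rsyslog code.

```python
import re
import socket

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LOG_ROOT = "/var/log/remote-logs"   # directory created for the Incoming-logs template

# <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG -- the RFC 3164 shape of a BSD-syslog line
SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>(\S+ +\d+ \d\d:\d\d:\d\d) (\S+) ([^\s:\[]+)(?:\[(\d+)\])?: ?(.*)$")


def build_message(facility, severity, host, program, pid, text):
    """Encode a syslog line the way logger(1) would; PRI = facility * 8 + severity."""
    return f"<{facility * 8 + severity}>Mar 30 21:39:53 {host} {program}[{pid}]: {text}"


def parse_message(raw):
    """Split a received line into the properties rsyslog exposes to templates."""
    m = SYSLOG_RE.match(raw)
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": SEVERITY[pri % 8], "hostname": m.group(3),
            "programname": m.group(4), "pid": m.group(5), "msg": m.group(6)}


def target_path(hostname, programname):
    """File the template "/var/log/remote-logs/%HOSTNAME%/%PROGRAMNAME%.log" selects.
    Both properties are sender-supplied, so slashes become '_' (what rsyslog's
    secpath-replace property option does) and '.'/'..' are rejected (this
    example's own check), keeping every file underneath LOG_ROOT."""
    def safe(field):
        field = field.replace("/", "_")
        if field in ("", ".", ".."):
            raise ValueError(f"unsafe path component: {field!r}")
        return field
    return f"{LOG_ROOT}/{safe(hostname)}/{safe(programname)}.log"


def udp_round_trip(raw):
    """Send raw to a local UDP listener (stand-in for imudp on :514) and return it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, no root needed
    srv.settimeout(2)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.sendto(raw.encode(), srv.getsockname())
    data, _ = srv.recvfrom(65535)
    cli.close()
    srv.close()
    return data.decode()
```

Against a real server, the equivalent check is `logger -n <server> -P 514 -d -t systemd "test"` from a client and then looking for `/var/log/remote-logs/<client-hostname>/systemd.log`.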

  • You’ve made it to the end of the article. Cheers! You have learned how to configure a syslog server on Rocky Linux 8.
