Configure Syslog Server on Ubuntu 22.04

This article takes you through how to configure a syslog server on Ubuntu 22.04. Syslog is a protocol that allows network devices to communicate with a logging server using a common message format. It was created with the goal of making network device management simple. In a variety of scenarios, devices can use a Syslog agent to send out notification messages.

How to Configure Syslog Server on Ubuntu 22.04

Rsyslog is the default syslogd on Debian/Ubuntu systems. It is a multi-threaded implementation of syslogd.

Rsyslog is installed by default on Ubuntu systems.

apt list rsyslog -a

Sample output;

Listing... Done
rsyslog/jammy,now 8.2112.0-2ubuntu2 amd64 [installed,automatic]

It is also started and set to run on system boot. You can check its status using the command below.

sudo systemctl status rsyslog

Sample output

● rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.serv>
     Active: active (running) since Mon 2022-03-28 11>
TriggeredBy: ● syslog.socket
       Docs: man:rsyslogd(8)
             man:rsyslog.conf(5)
             https://www.rsyslog.com/doc/
   Main PID: 760 (rsyslogd)
      Tasks: 4 (limit: 4607)
     Memory: 3.0M
        CPU: 296ms
     CGroup: /system.slice/rsyslog.service
             └─760 /usr/sbin/rsyslogd -n -iNONE

Mac 28 11:26:33 itnixpro systemd[1]: Starting System Lo>
Mac 28 11:26:34 itnixpro rsyslogd[760]: imuxsock: Acqui>
Mac 28 11:26:34 itnixpro rsyslogd[760]: rsyslogd's grou>
Mac 28 11:26:34 itnixpro systemd[1]: Started System Log>
Mac 28 11:26:34 itnixpro rsyslogd[760]: rsyslogd's user>
Mac 28 11:26:34 itnixpro rsyslogd[760]: [origin softwar>

If for some reason the Rsyslog package is not installed, execute the command below to install it on Ubuntu:

sudo apt install rsyslog

Next, to configure the syslog server on Ubuntu 22.04:

  • Open the rsyslog configuration file using the following command.
sudo nano /etc/rsyslog.conf

Let's configure the UDP and TCP protocols for log reception by uncommenting the lines as shown below.

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
  • Next, we’ll create a new template that tells the rsyslog server where to save incoming messages. In the same config file above add the following after TCP configuration.
$template Incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?Incoming-logs
  • It should look like the file below.
#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local >
#module(load="immark")  # provides --MARK-- message c>

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

$template Incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
 *.* ?Incoming-logs

# provides kernel logging support and enable non-kern>
module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################
  • Save and close the file then check the configuration file.
sudo rsyslogd -N1 -f /etc/rsyslog.conf
  • Next restart rsyslog service for changes to take effect using the command below.
sudo systemctl restart rsyslog
  • Verify that the rsyslog service is listening on the specified ports.
sudo ss -tunlp | grep 514

Sample output

udp   UNCONN 0      0            0.0.0.0:514        0.0.0.0:*    users:(("rsyslogd",pid=5806,fd=5))       
udp   UNCONN 0      0               [::]:514           [::]:*    users:(("rsyslogd",pid=5806,fd=6))       
tcp   LISTEN 0      25           0.0.0.0:514        0.0.0.0:*    users:(("rsyslogd",pid=5806,fd=7))       
tcp   LISTEN 0      25              [::]:514           [::]:*    users:(("rsyslogd",pid=5806,fd=8))
  • Allow rsyslog firewall port rules in case you’re using a firewall.
sudo ufw allow 514/tcp
sudo ufw allow 514/udp
  • Restart your firewall after that using the following command.
sudo ufw reload
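
The template above builds file paths from %HOSTNAME% and %PROGRAMNAME%, both taken from the received message, and its *.* rule also matches the server's own local messages. The following variant is an added example, not part of the original article: it binds the listeners to a dedicated ruleset and sanitizes the path components. The drop-in file name, the ruleset and template names and the /var/log/remote base directory are assumptions; use it in place of the lines added to /etc/rsyslog.conf above.

```conf
# /etc/rsyslog.d/10-remote.conf   (hypothetical drop-in file name)
# Added example: keep remote logs in their own ruleset and directory.

module(load="imudp")
module(load="imtcp")

# Same per-host/per-program layout as the article's template, under an
# assumed base directory /var/log/remote. The secpath-replace option
# turns any "/" in the sender-supplied field into "_", so a crafted
# hostname or program name cannot change the directory being written to.
template(name="RemotePerHost" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log")

# Rules that apply only to messages received over the network.
ruleset(name="remote") {
    action(type="omfile"
           dynaFile="RemotePerHost"
           createDirs="on"
           dirCreateMode="0750"
           fileCreateMode="0640")
}

# Messages arriving on these listeners are processed by the "remote"
# ruleset only. Local messages keep following the default rules and are
# not written under /var/log/remote.
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
```

Validate it with sudo rsyslogd -N1 before restarting the service. To name directories by the sender's address instead of the hostname claimed in the message, replace %HOSTNAME:::secpath-replace% with %fromhost-ip%.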

Configure Rsyslog Client on Ubuntu 22.04

  • Next, set up your rsyslog client to send logs to a remote rsyslog server. Open the configuration file using the command below.
sudo nano /etc/rsyslog.conf
  • Then, to allow FQDN preservation, add the following.
$PreserveFQDN on
  • At the end, add the remote rsyslog server to send logs over UDP.
*.* @Rsyslog-server-IP:514
  • To send over TCP use @@ as shown below.
*.* @@Rsyslog-server-IP:514
  • Set up a disk queue to save your logs in case the rsyslog server goes down by adding the following.
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
  • The rsyslog service should be restarted for changes to take effect.
sudo systemctl restart rsyslog
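
In the legacy format used above, the $ActionQueue... and $ActionResumeRetryCount directives apply only to the next action defined after them, so they must appear before the forwarding line to take effect. The same client setup in rsyslog's action() syntax, where the queue settings are attached to the forwarding action itself, is shown here as an added example that is not part of the original article. The drop-in file name, the queue file name and the 192.0.2.10 address (a documentation placeholder for the server) are assumptions.

```conf
# /etc/rsyslog.d/90-forward.conf   (hypothetical drop-in file name)
# Added example: forward all messages over TCP with a disk-assisted queue.

# Equivalent of "$PreserveFQDN on".
global(preserveFQDN="on")

# An action with no filter in front of it receives every message,
# like the "*.*" selector in the legacy lines.
action(type="omfwd"
       target="192.0.2.10"            # placeholder: your rsyslog server
       port="514"
       protocol="tcp"                 # "udp" corresponds to the single-@ form
       # In-memory queue that spills to disk while the server is unreachable.
       queue.type="LinkedList"
       queue.filename="fwd_queue"     # assumed name; enables the disk part
       queue.maxDiskSpace="1g"
       queue.saveOnShutdown="on"      # keep queued messages across restarts
       action.resumeRetryCount="-1")  # retry forever instead of dropping
```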

View Client log files on Rsyslog Server

  • According to the template we set earlier, logs are stored in the /var/log/remote-hostname/ directory. For example, list its contents using the command below.
sudo ls /var/log/itnixpro/

Sample output

alternatives.log  installer
accounts-daemon.log
 acpid.log
 alsactl.log
 anacron.log
 apparmor.systemd.log
 apport.log
 at-spi2-registr.log
 at-spi-dbus-bus.desktop.log
 avahi-daemon.log
 colord.log
 cron.log
 dbus-daemon.log
 gdm-launch-environment].log
 gdm-password].log
 gnome-keyring-daemon.log
 gnome-keyring-pkcs11.desktop.log
 gnome-keyring-secrets.desktop.log
 gnome-keyring-ssh.desktop.log
 gnome-session-binary.log
 gnome-session.log
 gnome-shell.log
 goa-daemon.log
 gsd-color.log
 gsd-media-keys.log
 gsd-sharing.log
 kernel.log
 ModemManager.log
 mtp-probe.log
 networkd-dispatcher.log
 NetworkManager.log
 org.gnome.Shell.desktop.log
 PackageKit.log
'polkitd(authority=local).log'
 polkitd.log
 pulseaudio.log
 rsyslogd.log
 rtkit-daemon.log
 sh.log
 snapd-desktop-i.log
 snapd-desktop-integration.snapd-desktop-integration.log
 snapd.log
 spice-vdagent.log
 systemd-fsck.log
 systemd.log
 systemd-logind.log
 systemd-modules-load.log
 systemd-resolved.log
 systemd-udevd.log
 tracker-miner-f.log
 udisksd.log
 VGAuthService.log
 vmtoolsd.log
 whoopsie.log
 wpa_supplicant.log
 xbrlapi.desktop.log
  • To check a log, e.g. for systemd, type the command below.
 sudo tail -f /var/log/itnixpro/systemd.log

Sample output

2022-03-30T11:19:57+03:00 itnixpro systemd[1411]: Started GNOME XSettings service.
2022-03-30T11:19:57+03:00 itnixpro systemd[1411]: Reached target GNOME session X11 services.
2022-03-30T11:19:58+03:00 itnixpro systemd[1411]: Started Virtual filesystem metadata service.
2022-03-30T11:19:56+03:00 itnixpro systemd[1411]: Started Portal service.
2022-03-30T11:19:55+03:00 itnixpro systemd[1411]: Reached target GNOME session X11 services.
2022-03-30T11:19:55+03:00 itnixpro systemd[1411]: Starting GNOME XSettings service...
2022-03-30T11:19:55+03:00 itnixpro systemd[1411]: Reached target GNOME session X11 services.
2022-03-30T11:19:55+03:00 itnixpro systemd[1411]: Starting GNOME XSettings service...
2022-03-30T11:19:55+03:00 itnixpro systemd[1411]: Reached target GNOME session X11 services.
2022-03-30T11:19:55+03:00 itnixpro systemd[1411]: Starting GNOME XSettings service...
  • Congratulations, you’ve made it to the end of the article. You have learned how to configure syslog server on Ubuntu 22.04.

Read more about Rsyslog on man pages
