Centralized logging with rsyslog

Configuring the server to receive logs

Edit server config file:

sudo nano /etc/rsyslog.conf

Find the following lines:

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

Uncomment second, to use TCP connection.

Don't forget to enable port on firewall.

Check if port is open:

sudo ss -tulnp | grep "rsyslog"

To change default log storage location

In order not to store (and mix) all logs in /var/log , use this, defined in main conf file ( /etc/rsyslog.conf ):

$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& ~

The $template RemoteLogs directive instructs Rsyslog to store all incoming log entries in the location that is defined by the third parameter.

In our case, the remote logs will continue to be stored in /var/log directory, but each client will have its own subdirectory with a name equivalent to client hostname.

This subdirectory will store each log entry in a file that matches the client program that generated it.

On the following line, the . ?RemoteLogs directive applies the RemoteLogs configuration rule at all facilities with all priority levels (in other words, to all logs).

Finally, the & ~ directive defines that Rsyslog stops processing log input after it is stored to a file defined in previous lines.

The default configuration will overwrite the previous rule without this line.

•

Forwarding logs from an Rsyslog client

edit /etc/rsyslog.d/50-default.conf

Add:

*.* @@<your_rsyslog_server_ip_address>:514

If you use @ it will use UDP port, @@ will use TCP port

 such as cron. @@0.0.0.0:514 or apache2.* @@0.0.0.0:514.

You can also forward logs to more than one server

*.* @@0.0.0.0:514

*.* @@192.168.122.235

cron.* @@192.168.122.237:514