How to Setup Rsyslog Server on Debian 11

Rsyslog is a free and open-source logging daemon that collects the logs of the local system and can forward them over the network to a central log server, which lets an administrator watch every host from one place. The same daemon is used on both sides: on the clients it forwards, on the server it receives, by default on port 514 over UDP and/or TCP. Both transports carry plain text with no authentication, so keep them on a trusted network (rsyslog also supports TLS for this link, which this guide does not cover).

In this post, we will show you how to set up the Rsyslog server on Debian 11.

Prerequisites

  • Two servers running Debian 11: one to act as the central log server and one as a client that forwards to it.
  • Root access on both servers (a root password or sudo).

Install Rsyslog

First, install the rsyslog package on both machines (on a standard Debian 11 installation it is usually present already, in which case the command changes nothing):

apt-get install rsyslog -y

After the installation, verify the Rsyslog status using the following command:

systemctl status rsyslog

You should see the following output:

● rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2021-10-03 13:35:32 UTC; 1h 44min ago
TriggeredBy: ● syslog.socket
       Docs: man:rsyslogd(8)
             man:rsyslog.conf(5)
             https://www.rsyslog.com/doc/
   Main PID: 283 (rsyslogd)
      Tasks: 4 (limit: 2341)
     Memory: 5.0M
        CPU: 90ms
     CGroup: /system.slice/rsyslog.service
             └─283 /usr/sbin/rsyslogd -n -iNONE

Oct 03 13:35:32 debian11 systemd[1]: Starting System Logging Service...
Oct 03 13:35:32 debian11 rsyslogd[283]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2102.0]
Oct 03 13:35:32 debian11 rsyslogd[283]: [origin software="rsyslogd" swVersion="8.2102.0" x-pid="283" x-info="https://www.rsyslog.com"] start
Oct 03 13:35:32 debian11 systemd[1]: Started System Logging Service.
Oct 03 13:35:34 debian11 systemd[1]: rsyslog.service: Sent signal SIGHUP to main process 283 (rsyslogd) on client request.
Oct 03 13:45:33 debian11 rsyslogd[283]: [origin software="rsyslogd" swVersion="8.2102.0" x-pid="283" x-info="https://www.rsyslog.com"] rsyslog>

Configure Rsyslog

Next, configure Rsyslog on the server to accept messages from the network. Edit the main configuration file:

nano /etc/rsyslog.conf

Uncomment the following lines (remove the leading # from each). Enable only the transport you intend to use; UDP silently drops messages under load, so prefer TCP unless a client can only send UDP:

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

Next, add the following lines to define the template used to store incoming messages from the clients. Each client gets its own directory under /var/log, with one file per program:

$template remote-incoming-logs,"/var/log/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log"
*.* ?remote-incoming-logs

Two things to know about this rule. The HOSTNAME and PROGRAMNAME properties are taken from the text of the received message, so they are whatever the sender put there; the secpath-replace option turns any slash in them into an underscore so that a crafted value cannot point the file outside the intended directory (rsyslog documents secpath-replace and secpath-drop for exactly this use). If you want the directory to reflect the actual peer rather than the name the peer claims, use %FROMHOST-IP% in place of %HOSTNAME%. And because the selector is *.*, the server's own local messages match too and are filed under /var/log/<server hostname>/ alongside the remote ones; that is harmless, but it explains the extra directory you will see later.

Save and close the file then restart the Rsyslog service to apply the changes:

systemctl restart rsyslog

At this point, Rsyslog is started and listens on port 514. You can check it using the following command:

ss -tunlp | grep 514

You should see the following output:

udp   UNCONN 0      0                              0.0.0.0:514       0.0.0.0:*    users:(("rsyslogd",pid=26276,fd=6))
udp   UNCONN 0      0                                 [::]:514          [::]:*    users:(("rsyslogd",pid=26276,fd=7))
tcp   LISTEN 0      25                             0.0.0.0:514       0.0.0.0:*    users:(("rsyslogd",pid=26276,fd=8))
tcp   LISTEN 0      25                                [::]:514          [::]:*    users:(("rsyslogd",pid=26276,fd=9))

Configure Firewall for Rsyslog

Next, allow port 514 through the UFW firewall, if you use UFW (it is not installed by default on Debian 11; apt-get install ufw adds it). Open only the transport you enabled, and prefer limiting the rule to your clients' addresses rather than any source, because the listener accepts unauthenticated messages from anyone who can reach it. For example, for a client at 192.0.2.20 (replace with your own client address) sending over TCP:

ufw allow from 192.0.2.20 to any port 514 proto tcp

If you would rather open the port to any source, the unrestricted rules are:

ufw allow 514/tcp
ufw allow 514/udp

Then reload the firewall to apply the changes:

ufw reload
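Before configuring a real client, you can exercise the listener with a hand-built message. The script below is an added example, not code from the original tutorial: it constructs an RFC 3164 syslog line (PRI, timestamp, HOSTNAME, TAG, message), delivers it over TCP (newline framed, which is what imtcp expects by default) or UDP, and computes the file the tutorial's template would write it to, assuming the %HOSTNAME% and %PROGRAMNAME% properties carry rsyslog's secpath-replace option. The server address 192.0.2.10 and the hostnames, tags and message texts are assumptions made up for the example. What it makes visible is that HOSTNAME and TAG, and therefore the directory and file name on the server, are chosen by the sender, which is why the template should sanitise them (secpath_replace below models what rsyslog's option does) or key on the peer address instead.

```python
"""Hand-built syslog test client for the Rsyslog server set up above.

Added example, not code from the tutorial. Assumptions not in the page:
the server is reachable as SERVER (192.0.2.10, a documentation address)
on port 514; the hostnames, tags and messages are constructed for the demo.
"""
import socket
import time

SERVER = "192.0.2.10"   # assumed address of the Rsyslog server
PORT = 514

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "authpriv": 10, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


def pri(facility: str, severity: str) -> int:
    """PRI value carried in the <N> header: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def rfc3164_timestamp(t: time.struct_time = None) -> str:
    """'Mmm dd hh:mm:ss' with the day space-padded, in local time."""
    t = t if t is not None else time.localtime()
    return (f"{MONTHS[t.tm_mon - 1]} {t.tm_mday:2d} "
            f"{t.tm_hour:02d}:{t.tm_min:02d}:{t.tm_sec:02d}")


def build_message(facility: str, severity: str, hostname: str, tag: str,
                  msg: str, stamp: str = None) -> bytes:
    """Return one RFC 3164 line, LF-terminated (imtcp's default framing).

    Everything after PRI, including HOSTNAME and TAG, is chosen by the
    sender. On the server, %HOSTNAME% and %PROGRAMNAME% are parsed out of
    this text, not taken from the peer address.
    """
    stamp = stamp if stamp is not None else rfc3164_timestamp()
    line = f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {msg}\n"
    return line.encode("ascii", "replace")


def secpath_replace(field: str) -> str:
    """Model of rsyslog's secpath-replace property option: every '/' in
    the field becomes '_', so the value cannot climb out of the directory
    the template places it in. Illustration only; rsyslog applies this
    itself when the template says %HOSTNAME:::secpath-replace%."""
    return field.replace("/", "_")


def server_log_path(hostname: str, programname: str) -> str:
    """File the tutorial's template (with secpath-replace on both
    properties) would use for a message carrying these sender-chosen fields."""
    return (f"/var/log/{secpath_replace(hostname)}/"
            f"{secpath_replace(programname)}.log")


def send(message: bytes, proto: str = "tcp",
         server: str = SERVER, port: int = PORT) -> int:
    """Deliver one message over TCP (newline framed) or UDP (one datagram).
    Returns the number of bytes handed to the socket."""
    if proto == "tcp":
        with socket.create_connection((server, port), timeout=5) as s:
            s.sendall(message)
            return len(message)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        # One datagram per message; LF framing is a TCP-only convention.
        return s.sendto(message.rstrip(b"\n"), (server, port))


if __name__ == "__main__":
    honest = build_message("user", "notice", "clientpc", "rsyslogtest",
                           "hello from the test client")   # constructed
    print(honest, "->", server_log_path("clientpc", "rsyslogtest"))
    # Nothing on the wire stops a sender from claiming any hostname; this
    # constructed value shows what secpath-replace does to such a claim.
    print(server_log_path("../../etc/cron.d", "sshd"))
    for proto in ("tcp", "udp"):   # needs the server to be reachable
        print(proto, send(honest, proto), "bytes sent")
```

On the server, the honest message from the script should appear in /var/log/clientpc/rsyslogtest.log; if it does not, check the ss output and the firewall rule before touching any client configuration.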

Configure Rsyslog Client

Next, configure Rsyslog on the client to forward its messages to the Rsyslog server. Edit the main configuration file:

nano /etc/rsyslog.conf

Add the following lines at the end of the file, replacing rsyslog-server-ip with the address of your server. Use one transport, not both: forwarding over UDP and TCP at the same time stores every message twice on the server. TCP is the better default because UDP drops messages without any indication.

In the legacy syntax a single @ means UDP and @@ means TCP. The $ActionQueue* directives configure a disk-assisted queue that buffers messages while the server is unreachable, and they apply to the next action that follows them, so they must be placed before the forwarding rule (placed after it, as is easy to do by accident, they configure nothing):

#Disk-assisted queue so nothing is lost while the rsyslog server is down
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
#Enable sending system logs over TCP to rsyslog server (use @ instead of @@ for UDP)
*.* @@rsyslog-server-ip:514

The same configuration in rsyslog's current (RainerScript) syntax ties the queue settings to the action explicitly, which avoids the ordering mistake:

action(type="omfwd" target="rsyslog-server-ip" port="514" protocol="tcp"
       queue.type="LinkedList" queue.filename="queue"
       queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")

The queue file is created in rsyslog's work directory (/var/spool/rsyslog on Debian), so the up-to-1g of buffered data lives there.

Save and close the file, then restart the Rsyslog service to apply the changes:

systemctl restart rsyslog

Verify Client's Log File

On the server, each client's messages are stored under /var/log/<client hostname>/, one file per program. To produce a message you can recognise, run this on the client (logger writes through the local rsyslog, which forwards it):

logger -t rsyslogtest "hello from the client"

Then list /var/log on the server:

ls /var/log/

You should see a directory named after the client's hostname:

alternatives.log    auth.log.2.gz  daemon.log        debian11    dpkg.log    kern.log.1     messages.1     private   syslog.3.gz
clientpc            auth.log.3.gz  daemon.log.1      debug       dpkg.log.1  kern.log.2.gz  messages.2.gz  runit     syslog.4.gz
apt                 btmp           daemon.log.3.gz   debug.2.gz  icinga2     kern.log.4.gz  messages.4.gz  syslog
auth.log.1          csm.log        dbconfig-common   debug.4.gz  kern.log    messages       ntpstats       syslog.2.gz

Here clientpc is the log directory of the client system (debian11 is the server's own directory, created by the same *.* rule). The test message is in /var/log/clientpc/rsyslogtest.log:

cat /var/log/clientpc/rsyslogtest.log

Conclusion

In the above guide, we explained how to set up the Rsyslog server and client on Debian 11. You can now monitor your clients from a central location; remember that the port 514 listener is unauthenticated plain text, so keep it reachable only from the hosts that are meant to send to it. Feel free to ask me if you have any questions.
