How to Install and Configure Rsyslog Server and Client on Ubuntu 24.04

This tutorial exists for these OS versions

On this page

  1. Prerequisites
  2. Install Rsyslog
  3. Configure Rsyslog Server
  4. Configure Rsyslog Client
  5. View Client Log
  6. Conclusion

Rsyslog on Ubuntu is a powerful and flexible system logging daemon used to collect, filter, store, and forward log messages generated by the operating system and applications. It is an enhanced version of the traditional syslog service, providing additional features such as high-performance logging, advanced filtering capabilities, and support for multiple logging protocols, including TCP, UDP, and RELP (Reliable Event Logging Protocol). Rsyslog can handle log messages from various sources and direct them to different destinations like files, databases, or remote servers. It is widely used in centralized logging systems for monitoring, troubleshooting, and auditing purposes. By allowing detailed configuration, Rsyslog enables Ubuntu administrators to efficiently manage system logs and ensure important information is captured and stored securely.

Logs are very useful for analyzing and troubleshooting issues related to the Linux system and applications. By default, all log files are located inside the/var/log directory in Linux-based operating systems. There are several types of log files, including cron, kernel, users, and security, and most of these files are controlled by the Rsyslog service.

In this tutorial, I will explain how to configure the Rsyslog server on the Ubuntu 24.04 server.

Prerequisites

  • Two server running Ubuntu 24.04.
  • A static IP address 192.168.0.101 is configured on Rsyslog server machine and 192.168.0.102 is configured on Rsyslog client machine.
  • A root password is configured on both server.

Install Rsyslog

You can install Rsyslog by running the following command:

apt install rsyslog -y

After installing Rsyslog, you can check the version of Rsyslog with the following command:

rsyslogd -v

You can also check the status of Rsyslog with the following command:

systemctl status rsyslog

You should see the following output:

? rsyslog.service - System Logging Service
   Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2024-08-22 04:28:55 UTC; 1min 31s ago
     Docs: man:rsyslogd(8)
           http://www.rsyslog.com/doc/
 Main PID: 724 (rsyslogd)
    Tasks: 4 (limit: 1114)
   CGroup: /system.slice/rsyslog.service
           ??724 /usr/sbin/rsyslogd -n

Aug 22 04:28:53 ubuntu2404 systemd[1]: Starting System Logging Service...
Aug 22 04:28:54 ubuntu2404 rsyslogd[724]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.32.0]
Aug 22 04:28:54 ubuntu2404 rsyslogd[724]: rsyslogd's groupid changed to 106
Aug 22 04:28:54 ubuntu2404 rsyslogd[724]: rsyslogd's userid changed to 102
Aug 22 04:28:54 ubuntu2404 rsyslogd[724]:  [origin software="rsyslogd" swVersion="8.32.0" x-pid="724" x-info="http://www.rsyslog.com"] start
Aug 22 04:28:55 ubuntu2404 systemd[1]: Started System Logging Service.

Configure Rsyslog Server

Rsyslog is now installed and running. Next, you must configure it to run in server mode. You can edit the file /etc/rsyslog.conf.

nano /etc/rsyslog.conf

First, you will need to define the protocol either UDP or TCP or both.

To use both UDP and TCP connections at the same time search and uncomment the lines below:

$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514

Next, define the specific subnet, IP or domain to limit the access as shown below:

$AllowedSender TCP, 127.0.0.1, 192.168.0.0/24, *.example.com
$AllowedSender UDP, 127.0.0.1, 192.168.0.0/24, *.example.com

Next, you must create a template to tell the Rsyslog server how to store incoming syslog messages. Add the following lines just before GLOBAL DIRECTIVES section:

$template remote-incoming-logs, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log" 
*.* ?remote-incoming-logs

Save and close the file when you are finished. Then, check the Rsyslog configuration for any syntax error with the following command:

rsyslogd -f /etc/rsyslog.conf -N1

You should see the following output:

rsyslogd: version 8.32.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.

Finally, restart Rsyslog service with the following command:

systemctl restart rsyslog

Now, verify that Rsyslog is listening on TCP/UDP with the following command:

netstat -4altunp | grep 514

You should get the following output:

tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      1332/rsyslogd       
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1332/rsyslogd       

Configure Rsyslog Client

Rsyslog server is installed and configured to receive logs from remote hosts.

Now, you must configure the Rsyslog client to send syslog messages to the remote Rsyslog server.

Log in to the Client machine and open the Rsyslog configuration file as shown below:

nano /etc/rsyslog.conf

Add the following lines at the end of the file:

##Enable sending of logs over UDP add the following line:

*.* @192.168.0.101:514


##Enable sending of logs over TCP add the following line:

*.* @@192.168.0.101:514

##Set disk queue when rsyslog server will be down:

$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1

Save and close the file. Then, restart Rsyslog server to apply the configuration changes:

systemtcl restart rsyslog

View Client Log

At this point, Rsyslog client is configured to send their log to the Rsyslog server.

Log in to the Rsyslog server and check the /var/log directory. You should see the entry with the hostname of your client machines, including several log files:

ls /var/log/rsyslog-client/

Output:

CRON.log  kernel.log  rsyslogd-2039.log  rsyslogd.log  sudo.log  wpa_supplicant.log

Conclusion

In the above article, we learned how to install and configure the Rsyslog server on an Ubuntu 24.04 server and how to configure the Rsyslog client to send logs to the Rsyslog server. Feel free to ask me if you have any questions.

Share this page:

0 Comment(s)