How to Install and Configure Rsyslog Server and Client on Ubuntu 24.04
Rsyslog on Ubuntu is a powerful and flexible system logging daemon used to collect, filter, store, and forward log messages generated by the operating system and applications. It is an enhanced version of the traditional syslog service, providing additional features such as high-performance logging, advanced filtering capabilities, and support for multiple logging protocols, including TCP, UDP, and RELP (Reliable Event Logging Protocol). Rsyslog can handle log messages from various sources and direct them to different destinations like files, databases, or remote servers. It is widely used in centralized logging systems for monitoring, troubleshooting, and auditing purposes. By allowing detailed configuration, Rsyslog enables Ubuntu administrators to efficiently manage system logs and ensure important information is captured and stored securely.
Logs are very useful for analyzing and troubleshooting issues related to the Linux system and applications. By default, all log files are located inside the /var/log directory on Linux-based operating systems. There are several types of log files, including cron, kernel, user, and security logs, and most of these files are managed by the Rsyslog service.
In this tutorial, I will explain how to configure the Rsyslog server on the Ubuntu 24.04 server.
Prerequisites
- Two servers running Ubuntu 24.04.
- A static IP address 192.168.0.101 configured on the Rsyslog server machine and 192.168.0.102 configured on the Rsyslog client machine.
- A root password configured on both servers.
Install Rsyslog
You can install Rsyslog by running the following command:
apt install rsyslog -y
After installing Rsyslog, you can check the version of Rsyslog with the following command:
rsyslogd -v
You can also check the status of Rsyslog with the following command:
systemctl status rsyslog
You should see the following output:
● rsyslog.service - System Logging Service
   Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2024-08-22 04:28:55 UTC; 1min 31s ago
     Docs: man:rsyslogd(8)
           http://www.rsyslog.com/doc/
 Main PID: 724 (rsyslogd)
    Tasks: 4 (limit: 1114)
   CGroup: /system.slice/rsyslog.service
           └─724 /usr/sbin/rsyslogd -n

Aug 22 04:28:53 ubuntu2404 systemd[1]: Starting System Logging Service...
Aug 22 04:28:54 ubuntu2404 rsyslogd[724]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.32.0]
Aug 22 04:28:54 ubuntu2404 rsyslogd[724]: rsyslogd's groupid changed to 106
Aug 22 04:28:54 ubuntu2404 rsyslogd[724]: rsyslogd's userid changed to 102
Aug 22 04:28:54 ubuntu2404 rsyslogd[724]: [origin software="rsyslogd" swVersion="8.32.0" x-pid="724" x-info="http://www.rsyslog.com"] start
Aug 22 04:28:55 ubuntu2404 systemd[1]: Started System Logging Service.
Configure Rsyslog Server
Rsyslog is now installed and running. Next, configure it to run in server mode by editing the file /etc/rsyslog.conf:
nano /etc/rsyslog.conf
First, define which transport Rsyslog should listen on: UDP, TCP, or both.
To accept both UDP and TCP connections at the same time, search for the following lines and uncomment them:
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
Next, restrict which hosts may send logs to the server by listing the allowed subnet, IP addresses or domain as shown below; messages from any other source are discarded:
$AllowedSender TCP, 127.0.0.1, 192.168.0.0/24, *.example.com
$AllowedSender UDP, 127.0.0.1, 192.168.0.0/24, *.example.com
Next, you must create a template that tells the Rsyslog server where to store incoming syslog messages. Add the following lines just before the GLOBAL DIRECTIVES section:
$template remote-incoming-logs, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
Save and close the file when you are finished. Then, check the Rsyslog configuration for syntax errors with the following command:
rsyslogd -f /etc/rsyslog.conf -N1
You should see the following output:
rsyslogd: version 8.32.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
Finally, restart Rsyslog service with the following command:
systemctl restart rsyslog
Now, verify that Rsyslog is listening on TCP/UDP with the following command:
netstat -4altunp | grep 514
You should get the following output:
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      1332/rsyslogd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1332/rsyslogd
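The following Python script is an added example, not code from the tutorial or from the rsyslog project. On constructed sample messages it emulates what the two server-side settings above do: the $AllowedSender filter (the sender's IP checked against the listed address, subnet and wildcard domain) and the template /var/log/%HOSTNAME%/%PROGRAMNAME%.log. The sample source addresses and log lines, the parsing regex and the safe_component() sanitiser are all assumptions of this example. It makes visible one point the configuration does not show on its own: %HOSTNAME% and %PROGRAMNAME% are taken from the message body, so the client chooses them, and anything that builds file paths from them or parses the resulting files should treat them as untrusted input.

```python
"""Server-side walk-through of the tutorial's rsyslog settings (added example).

Hand-written illustration code, not rsyslog's own implementation: it emulates
the $AllowedSender check and the /var/log/%HOSTNAME%/%PROGRAMNAME%.log
template on constructed messages, so the effect of those two settings can be
seen without a second machine.
"""
import fnmatch
import ipaddress
import re
from pathlib import PurePosixPath
from typing import Optional

# Copied from the tutorial's $AllowedSender lines.
ALLOWED_SENDERS = ["127.0.0.1", "192.168.0.0/24", "*.example.com"]

# RFC 3164 (BSD syslog) line: <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

# Constructed sample traffic (source IP, raw line); not captured from a real host.
SAMPLES = [
    ("192.168.0.102",
     "<78>Aug 22 04:30:01 rsyslog-client CRON[2040]: (root) CMD (run-parts /etc/cron.hourly)"),
    ("10.0.0.5",
     "<13>Aug 22 04:30:02 stray-host sshd: not in the allowed subnet"),
    ("192.168.0.102",
     "<13>Aug 22 04:30:03 ../../etc cron: hostname chosen by the sender"),
]


def sender_allowed(addr: str, hostname: Optional[str] = None) -> bool:
    """Emulate $AllowedSender: an entry is an IP, a CIDR block, or a wildcard
    hostname. Hostname entries only apply when reverse DNS supplied a name."""
    ip = ipaddress.ip_address(addr)
    for entry in ALLOWED_SENDERS:
        if entry[0].isalpha() or entry.startswith("*"):
            if hostname and fnmatch.fnmatch(hostname.lower(), entry.lower()):
                return True
        elif ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def parse_syslog(line: str) -> dict:
    """Split a BSD syslog line into the properties the template refers to."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    pri = int(m["pri"])
    return {
        "facility": pri >> 3,      # PRI = facility * 8 + severity
        "severity": pri & 7,
        "hostname": m["host"],
        "programname": m["tag"],
        "pid": m["pid"],
        "msg": m["msg"],
    }


def safe_component(value: str) -> str:
    """Reduce a sender-supplied string to a single safe path component.
    %HOSTNAME% and %PROGRAMNAME% come from the message, i.e. from an
    unauthenticated peer, so anything outside [A-Za-z0-9._-] is replaced and
    leading/trailing dots are dropped. (Safeguard added for this illustration;
    it does not describe rsyslog's internal handling.)"""
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", value).strip(".")
    return cleaned or "unknown"


def log_path(record: dict, base: str = "/var/log") -> str:
    """Apply the tutorial's template /var/log/%HOSTNAME%/%PROGRAMNAME%.log."""
    host = safe_component(record["hostname"])
    prog = safe_component(record["programname"])
    return str(PurePosixPath(base) / host / f"{prog}.log")


def route(src_ip: str, line: str) -> Optional[str]:
    """Return the file a message would land in, or None when the sender is
    rejected before the message is even looked at."""
    if not sender_allowed(src_ip):
        return None
    return log_path(parse_syslog(line))


if __name__ == "__main__":
    for src, raw in SAMPLES:
        print(f"{src:>15} -> {route(src, raw)}")
```

Running the script shows the first message filed under /var/log/rsyslog-client/CRON.log, the second dropped because 10.0.0.5 is outside 192.168.0.0/24, and the third confined to a single directory name even though the sender put "../../etc" in the hostname field. Keep in mind that $AllowedSender is an address check only: it stops unwanted hosts from filling the disk, but with UDP the source address is unauthenticated, and neither transport as configured here encrypts the log stream.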
Configure Rsyslog Client
Rsyslog server is installed and configured to receive logs from remote hosts.
Now, you must configure the Rsyslog client to send syslog messages to the remote Rsyslog server.
Log in to the Client machine and open the Rsyslog configuration file as shown below:
nano /etc/rsyslog.conf
Add the following lines at the end of the file. In this legacy directive syntax the $ActionQueue* and $ActionResumeRetryCount settings apply to the forwarding action that follows them, so they have to come before the *.* line. Add only one of the two forwarding lines, UDP or TCP; with both present every message is sent twice. The disk queue only takes effect with the TCP forwarder, because a UDP send succeeds whether or not the server is reachable:
## Disk queue: keep messages on disk while the Rsyslog server is down
$ActionQueueType LinkedList
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
## Enable sending of logs over UDP:
*.* @192.168.0.101:514
## Or enable sending of logs over TCP instead:
*.* @@192.168.0.101:514
Save and close the file. Then, restart the Rsyslog service on the client to apply the configuration changes:
systemctl restart rsyslog
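As an added example that is not part of the tutorial or of rsyslog itself, this Python script shows what the client configuration above produces on the wire: the PRI/timestamp/host/tag layout of a BSD syslog message, the difference between @ (UDP, one datagram per message) and @@ (TCP, newline-terminated records), and a small disk spool that behaves like the $ActionQueue* directives, holding messages while the server is unreachable and delivering them in order once it is back. The transport is passed in as a callable so the spool logic can be exercised offline; SpoolingForwarder, the spool file format and the socket helpers are this example's own assumptions.

```python
"""Client-side walk-through of the tutorial's forwarding rules (added example).

Hand-written illustration, not rsyslog code: it builds the datagram/record
that *.* @host:514 and *.* @@host:514 put on the wire, and mimics the disk
queue ($ActionQueueFileName / $ActionResumeRetryCount -1) with a small
line-oriented spool file so behaviour during a server outage can be tested
offline. Socket-based senders for a real server are only used under __main__.
"""
import os
import socket
from datetime import datetime
from typing import Callable, List, Optional

SERVER = ("192.168.0.101", 514)  # the tutorial's Rsyslog server

# Facility and severity codes from RFC 3164 (subset).
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "cron": 9, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def build_message(facility: str, severity: str, hostname: str, tag: str,
                  msg: str, ts: Optional[str] = None) -> bytes:
    """Compose a BSD syslog line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    if ts is None:
        now = datetime.now()
        ts = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<{pri}>{ts} {hostname} {tag}: {msg}".encode()


def frame(payload: bytes, tcp: bool) -> bytes:
    """UDP ('@'): one message per datagram, no framing at all.
    TCP ('@@'): rsyslog's default framing is one record per line, so an
    embedded newline would split a message into two records; flatten it."""
    if not tcp:
        return payload
    return payload.replace(b"\n", b" ") + b"\n"


class SpoolingForwarder:
    """Forwarder with a disk spool, in the spirit of the tutorial's
    $ActionQueue* directives: undelivered messages are written to spool_path
    and retried, in order, before any newer message is sent."""

    def __init__(self, send: Callable[[bytes], None], spool_path: str, tcp: bool = True):
        self.send = send            # transport; must raise OSError on failure
        self.spool_path = spool_path
        self.tcp = tcp

    def _pending(self) -> List[bytes]:
        if not os.path.exists(self.spool_path):
            return []
        with open(self.spool_path, "rb") as f:
            return [line.rstrip(b"\n") for line in f if line.strip()]

    def _write_pending(self, items: List[bytes]) -> None:
        with open(self.spool_path, "wb") as f:
            for item in items:
                f.write(item + b"\n")

    def pending_count(self) -> int:
        return len(self._pending())

    def forward(self, payload: bytes) -> bool:
        """Send spooled messages first, then payload. Returns True when the
        spool is empty afterwards. On OSError everything not yet sent stays on
        disk for the next attempt (the analogue of $ActionResumeRetryCount -1)."""
        # The spool is line-oriented, so newlines are flattened before queuing.
        queue = self._pending() + [payload.replace(b"\n", b" ")]
        while queue:
            try:
                self.send(frame(queue[0], self.tcp))
            except OSError:
                break
            queue.pop(0)
        self._write_pending(queue)
        return not queue


def udp_sender(addr=SERVER) -> Callable[[bytes], None]:
    """'@host:port' transport: fire-and-forget datagrams."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def send(data: bytes) -> None:
        sock.sendto(data, addr)
    return send


def tcp_sender(addr=SERVER) -> Callable[[bytes], None]:
    """'@@host:port' transport: one persistent connection, LF-delimited."""
    return socket.create_connection(addr, timeout=5).sendall


if __name__ == "__main__":
    try:
        fwd = SpoolingForwarder(tcp_sender(), "/tmp/rsyslog-demo.spool")
        msg = build_message("user", "info", "rsyslog-client", "demo", "hello from the client")
        print("delivered:", fwd.forward(msg))
    except OSError as exc:
        print("server unreachable:", exc)
```

The spool only ever fills when send() raises, which mirrors the client configuration: the disk queue can only take effect with the TCP forwarder, since a UDP send reports success whether or not anything is listening. On a real client, the util-linux command logger --server 192.168.0.101 --port 514 --tcp -t demo "hello" sends the same kind of record, which should then show up as /var/log/<client-hostname>/demo.log on the server.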
View Client Log
At this point, the Rsyslog client is configured to send its logs to the Rsyslog server.
Log in to the Rsyslog server and check the /var/log directory. You should see a directory named after the hostname of your client machine, containing several log files:
ls /var/log/rsyslog-client/
Output:
CRON.log kernel.log rsyslogd-2039.log rsyslogd.log sudo.log wpa_supplicant.log
Conclusion
In the above article, we learned how to install and configure the Rsyslog server on an Ubuntu 24.04 server and how to configure the Rsyslog client to send logs to the Rsyslog server. Feel free to ask me if you have any questions.