How to Setup Rsyslog Server on Ubuntu 18.04 LTS

Logs are very useful for analyzing and troubleshooting issues related to the system and applications in Linux. By default, all log files are located inside the /var/log directory on Linux-based operating systems. There are several types of log files, including cron, kernel, user and security logs, and most of these files are managed by the Rsyslog service.

Rsyslog is a powerful and secure system for log processing. An Rsyslog server receives logs over the network from several physical or virtualized servers and monitors the health of different services. With an Rsyslog server, you can monitor logs from other servers, network devices, and remote applications from a centralized location.

In this tutorial, we will explain how to configure an Rsyslog server on Ubuntu 18.04 server.

Prerequisites

  • Two servers running Ubuntu 18.04.
  • A static IP address 192.168.0.101 is configured on the Rsyslog server machine and 192.168.0.102 is configured on the Rsyslog client machine.
  • A root password is configured on both servers.

Install Rsyslog

Rsyslog is installed by default on Ubuntu 18.04 server. If it is not installed, you can install it by running the following command:

apt-get install rsyslog -y

After installing Rsyslog, you can check the version of Rsyslog with the following command:

rsyslogd -v

You should get the following output:

rsyslogd 8.32.0, compiled with:
	PLATFORM:				x86_64-pc-linux-gnu
	PLATFORM (lsb_release -d):		
	FEATURE_REGEXP:				Yes
	GSSAPI Kerberos 5 support:		Yes
	FEATURE_DEBUG (debug build, slow code):	No
	32bit Atomic operations supported:	Yes
	64bit Atomic operations supported:	Yes
	memory allocator:			system default
	Runtime Instrumentation (slow code):	No
	uuid support:				Yes
	systemd support:			Yes
	Number of Bits in RainerScript integers: 64

See http://www.rsyslog.com for more information.

You can also check the status of Rsyslog with the following command:

systemctl status rsyslog

You should see the following output:

● rsyslog.service - System Logging Service
   Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-10-22 04:28:55 UTC; 1min 31s ago
     Docs: man:rsyslogd(8)
           http://www.rsyslog.com/doc/
 Main PID: 724 (rsyslogd)
    Tasks: 4 (limit: 1114)
   CGroup: /system.slice/rsyslog.service
           └─724 /usr/sbin/rsyslogd -n

Oct 22 04:28:53 ubuntu1804 systemd[1]: Starting System Logging Service...
Oct 22 04:28:54 ubuntu1804 rsyslogd[724]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.32.0]
Oct 22 04:28:54 ubuntu1804 rsyslogd[724]: rsyslogd's groupid changed to 106
Oct 22 04:28:54 ubuntu1804 rsyslogd[724]: rsyslogd's userid changed to 102
Oct 22 04:28:54 ubuntu1804 rsyslogd[724]:  [origin software="rsyslogd" swVersion="8.32.0" x-pid="724" x-info="http://www.rsyslog.com"] start
Oct 22 04:28:55 ubuntu1804 systemd[1]: Started System Logging Service.

Configure Rsyslog Server

Rsyslog is now installed and running. Next, you will need to configure it to act as a server that receives logs from other hosts. You can do this by editing the file /etc/rsyslog.conf:

nano /etc/rsyslog.conf

First, you will need to define the transport protocol: UDP, TCP, or both.

To accept both UDP and TCP connections at the same time, search for and uncomment the lines below:

$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514

Next, restrict which senders are accepted by defining the specific subnet, IP address or domain, as shown below:

$AllowedSender TCP, 127.0.0.1, 192.168.0.0/24, *.example.com
$AllowedSender UDP, 127.0.0.1, 192.168.0.0/24, *.example.com

Next, you will need to create a template that tells the Rsyslog server where to store incoming syslog messages: one directory per sending host, and one file per program inside it. Add the following lines just before the GLOBAL DIRECTIVES section:

$template remote-incoming-logs, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
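Both %HOSTNAME% and %PROGRAMNAME% in that template are taken from the received message, so the sending host chooses the values that end up in a file path on the server. Rsyslog's property replacer has the secpath-replace option for exactly this (for example %HOSTNAME:::secpath-replace% turns any slash in the field into an underscore). The following Python is an added example, not rsyslog's own code: it models the path the template produces, applies the same slash replacement, and adds a normalization check that the final path still lies below /var/log. The function names and the "unknown-host" fallback are this example's own assumptions.

```python
import posixpath

# Layout of the tutorial's template: /var/log/%HOSTNAME%/%PROGRAMNAME%.log
LOG_ROOT = "/var/log"


def secpath_replace(field):
    """Same transformation as rsyslog's secpath-replace property option:
    every '/' inside the field becomes '_'."""
    return field.replace("/", "_")


def render_dynafile(hostname, programname, root=LOG_ROOT):
    """Path the template selects for one message. Both fields come from the
    received message, i.e. from the sender, so they are sanitized first.
    The fallback names for empty fields are an assumption of this example."""
    host = secpath_replace(hostname) or "unknown-host"
    prog = secpath_replace(programname) or "unknown-program"
    return "%s/%s/%s.log" % (root, host, prog)


def is_under_root(path, root=LOG_ROOT):
    """Defensive check: after normalization the path must still sit below root.
    secpath-replace removes slashes but not '..' components, so this is a
    second, independent check."""
    norm = posixpath.normpath(path)
    return norm.startswith(root.rstrip("/") + "/")


def checked_dynafile(hostname, programname, root=LOG_ROOT):
    """Render the path and refuse anything that escapes the log root."""
    path = render_dynafile(hostname, programname, root)
    if not is_under_root(path, root):
        raise ValueError("refusing to write outside %s: %s" % (root, path))
    return path


if __name__ == "__main__":
    # Constructed sample values: the tutorial's client hostname and a hostname
    # containing a slash, which is what secpath-replace is meant to neutralize.
    print(checked_dynafile("rsyslog-client", "CRON"))
    print(checked_dynafile("web/01", "sshd"))
```

If you want the same protection inside rsyslog itself, use the secpath-replace (or secpath-drop) option on both properties in the $template line rather than relying on the sender to behave.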

Save and close the file when you are finished. Then, check the Rsyslog configuration for syntax errors with the following command:

rsyslogd -f /etc/rsyslog.conf -N1

You should see the following output:

rsyslogd: version 8.32.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.

Finally, restart the Rsyslog service with the following command:

systemctl restart rsyslog

Now, verify that Rsyslog is listening on TCP and UDP port 514 with the following command:

netstat -4altunp | grep 514

You should get the following output:

tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      1332/rsyslogd       
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1332/rsyslogd       

Configure Rsyslog Client

The Rsyslog server is now installed and configured to receive logs from remote hosts.

Next, you will need to configure the Rsyslog client to send its syslog messages to the remote Rsyslog server.

Log in to the client machine and open the Rsyslog configuration file as shown below:

nano /etc/rsyslog.conf

Add the following lines at the end of the file:

## Disk-assisted queue used while the Rsyslog server is down. In the legacy
## directive syntax the $ActionQueue* settings apply to the next action line,
## so they must come before the forwarding rule they are meant to protect:
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1

## Send all logs over TCP (double @@):
*.* @@192.168.0.101:514

## Alternatively, send all logs over UDP (single @). Use only one of the two
## forwarding lines: with both enabled every message is sent twice, and UDP
## delivery is fire-and-forget, so the queue above cannot protect it:
*.* @192.168.0.101:514

Save and close the file. Then, restart the Rsyslog service on the client to apply the configuration changes:

systemctl restart rsyslog
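The forwarding rule above ships messages in the BSD syslog format: a priority value in angle brackets (facility * 8 + severity, the number that "*.*" selectors match on), a timestamp, the hostname, a program tag and the text. The Python below is an added example, not part of the tutorial or of rsyslog: it builds such a message, decodes the priority of a received line, and sends one test message over UDP (the single-@ rule) or TCP with newline framing (the double-@@ rule) so the server side can be checked end to end. The server address is the tutorial's 192.168.0.101; the hostname, tag and function names are constructed for this example.

```python
import socket
import time

# Facility and severity codes from the syslog protocol (RFC 3164 / RFC 5424 numbering).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "cron": 9, "authpriv": 10, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


def pri(facility, severity):
    """PRI = facility * 8 + severity; a '*.*' selector accepts every value."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def bsd_timestamp(t=None):
    """'Mmm dd hh:mm:ss' with a space-padded day, as in rsyslog's traditional file format."""
    t = time.localtime() if t is None else t
    return "%s %2d %s" % (time.strftime("%b", t), t.tm_mday, time.strftime("%H:%M:%S", t))


def build_message(facility, severity, hostname, tag, text, timestamp=None):
    """Assemble one BSD-syslog (RFC 3164) line: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    if timestamp is None:
        timestamp = bsd_timestamp()
    line = "<%d>%s %s %s: %s" % (pri(facility, severity), timestamp, hostname, tag, text)
    return line.encode()


def decode_pri(line):
    """Split the <PRI> prefix of a received line back into (facility, severity) names."""
    if not line.startswith(b"<") or b">" not in line[:5]:
        raise ValueError("no PRI header")
    end = line.index(b">")
    fac, sev = divmod(int(line[1:end]), 8)
    return FACILITY_NAMES.get(fac, "facility%d" % fac), SEVERITY_NAMES[sev]


def send_message(line, server, port=514, tcp=False):
    """Deliver one line the way the client's forwarding rule does: '@' is a UDP
    datagram, '@@' a TCP stream in which each message ends with a newline
    (rsyslog's default non-transparent framing)."""
    if tcp:
        with socket.create_connection((server, port), timeout=5) as s:
            s.sendall(line + b"\n")
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(line, (server, port))


if __name__ == "__main__":
    # Constructed sample: an auth.info message from the tutorial's client host.
    msg = build_message("auth", "info", "rsyslog-client", "rsyslog-test[1]",
                        "end-to-end forwarding check")
    print(msg.decode())
    send_message(msg, "192.168.0.101", tcp=True)   # matches '*.* @@192.168.0.101:514'
    send_message(msg, "192.168.0.101", tcp=False)  # matches '*.* @192.168.0.101:514'
```

After running it on the client, the line should appear on the server in /var/log/rsyslog-client/rsyslog-test.log, which confirms the template, the $AllowedSender list and the firewall path in one step. Note that neither transport encrypts anything; the messages cross the network in clear text.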

View Client Log

At this point, the Rsyslog client is configured to send its logs to the Rsyslog server.

Now, log in to the Rsyslog server and check the /var/log directory. You should see a directory named after the hostname of each client machine, containing one log file per program:

ls /var/log/rsyslog-client/

Output:

CRON.log  kernel.log  rsyslogd-2039.log  rsyslogd.log  sudo.log  wpa_supplicant.log
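A client that stops forwarding (broken network path, stopped service, or a host that was never enrolled) shows up on the server only as a directory that stops changing. The Python below is an added example, not part of the tutorial: it reads the per-host directory layout the template creates, finds the newest file per host, and reports hosts that have not written anything within a given age, plus expected hosts with no directory at all. The sample tree is constructed in a temporary directory so the script runs anywhere; the function names and the expected-host set are this example's own assumptions.

```python
import os
import tempfile
import time


def newest_mtime_per_host(base_dir):
    """hostname -> mtime of the most recently written file under base_dir/<host>/.
    Flat files directly in base_dir (the server's own logs) are ignored."""
    newest = {}
    for host in os.listdir(base_dir):
        host_dir = os.path.join(base_dir, host)
        if not os.path.isdir(host_dir):
            continue
        mtimes = [os.stat(os.path.join(host_dir, f)).st_mtime
                  for f in os.listdir(host_dir)
                  if os.path.isfile(os.path.join(host_dir, f))]
        if mtimes:
            newest[host] = max(mtimes)
    return newest


def stale_hosts(base_dir, max_age_seconds, expected=None, now=None):
    """Hosts whose newest file is older than max_age_seconds. With `expected`,
    only those hosts are considered, a host with no directory at all is reported
    too (it never delivered a line), and non-host directories such as apt/ under
    a real /var/log are skipped."""
    now = time.time() if now is None else now
    seen = newest_mtime_per_host(base_dir)
    hosts = set(expected) if expected is not None else set(seen)
    stale = [h for h in hosts if h not in seen or now - seen[h] > max_age_seconds]
    return sorted(stale)


def build_sample_tree():
    """Constructed sample of the server's layout: one client that wrote a minute
    ago, one that wrote two hours ago, and a flat file belonging to the server."""
    root = tempfile.mkdtemp(prefix="rsyslog-demo-")
    now = time.time()
    for host, age in (("rsyslog-client", 60), ("old-client", 7200)):
        host_dir = os.path.join(root, host)
        os.makedirs(host_dir)
        path = os.path.join(host_dir, "CRON.log")
        with open(path, "w") as fh:
            fh.write("Oct 22 04:30:01 %s CRON[2039]: (root) CMD (true)\n" % host)
        os.utime(path, (now - age, now - age))
    with open(os.path.join(root, "syslog"), "w") as fh:
        fh.write("Oct 22 04:28:55 ubuntu1804 systemd[1]: Started System Logging Service.\n")
    return root


if __name__ == "__main__":
    # Replace the sample tree with "/var/log" on a real server.
    root = build_sample_tree()
    print("silent for more than 1h:", stale_hosts(root, 3600))
    print("with an expected-host list:",
          stale_hosts(root, 3600, expected={"rsyslog-client", "old-client", "never-seen"}))
```

Running a check like this from cron against /var/log with the list of hosts you expect to report turns a quiet log directory into an alert, which is what you want from a central collector.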

Conclusion

In this article, we learned how to install and configure the Rsyslog server on Ubuntu 18.04 server. We also learned how to configure an Rsyslog client to send its logs to the Rsyslog server. Feel free to ask me if you have any questions.


Comments

By: Tomas at: 2019-12-31 19:41:16

Do you have to do anything with firewall ? To open ports ? I've seen in other related articles it is recommended to run these commands: ufw allow 514/tcp

ufw allow 514/udp

By: Ian at: 2020-01-28 13:39:04

I am on Ubuntu 18.04.3 LTS and my /etc/rsyslog.conf looks different.

My "rsyslogd -v" looks the same as above (IE "rsyslogd 8.32.0", etc)

EG for loading the modules and port#s =

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

This site answers all that -

https://www.rsyslog.com/doc/v8-stable/configuration/index.html - for rsyslog docs

https://www.rsyslog.com/doc/v8-stable/configuration/input_directives/rsconf1_allowedsender.html?highlight=allowed - the SenderAllowed is legacy and a firewall is the recommended option.

By: Dirk at: 2020-03-02 13:11:46

Ian is right, one has to uncomment the "new" lines: module(... and input(...

Furthermore, the upper template example didn't work as long as I used the line "& ~". Then the config check said something with "STOP"...

By: John at: 2020-03-04 15:07:28

Same here:

Mar 04 14:42:00 ubuntu_server rsyslogd[2496]: error during config processing: STOP is followed by unreachable statements!  [v8.32.0 try http://www.rsyslog.com/e/2207 ]

The problem must be the "& ~" line.

Does anyone have some clue?

By: Ray at: 2020-04-18 03:27:27

Thanks for the tutorial, it was very helpful. There is one typo on "systemtcl restart rsyslog" should be "systemctl restart rsyslog"

By: Ray at: 2020-04-18 03:34:47

Quick question: is the communication between server and client encrypted?

By: Torkis Halomoan Daulay at: 2020-08-14 07:28:29

Sir, how can I reset the log file in my device (Cisco router and switch)? Because it's been running for a year, I want to reset it to fetch new logs. Thanks....

By: Mandy Baxter at: 2020-08-21 11:56:42

You've got a minor Type-Oh! in

systemtcl restart rsyslog