How to install and set up Rsyslog server - Linux Ubuntu 20.04.1
Step 1: Install Rsyslog
Rsyslog is the default syslog daemon on Debian-based systems and is normally already installed on Ubuntu 20.04. You can verify this by listing the package; the installed version is marked [installed] in the output:
# apt list -a rsyslog
If it is not installed, install it with either of the following commands:
# sudo apt-get install rsyslog -y
or
# sudo apt install rsyslog -y
Step 2: Once the installation is complete, start the Rsyslog service and enable it so that it starts at boot:
# sudo systemctl start rsyslog
# sudo systemctl enable rsyslog
Step 3: Set Up Rsyslog Server
Next, configure Rsyslog to run in server mode, i.e. to accept messages from the network. You do this by editing /etc/rsyslog.conf:
# sudo vi /etc/rsyslog.conf
Enter insert mode by pressing i. In the MODULES section, find and uncomment the following lines so that the server listens on UDP and TCP port 514:
...
#################
#### MODULES ####
#################
...
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
Step 4: Next, add the following two lines directly under input(type="imtcp" port="514") so that incoming messages are stored in one file per sending host and program:
$template RemInputLogs, "/var/log/remotelogs/%FROMHOST-IP%/%PROGRAMNAME%.log"
*.* ?RemInputLogs
Note what this rule does: the selector *.* matches every message, local as well as remote. Locally generated messages therefore also appear under /var/log/remotelogs/127.0.0.1/, and because the rule is not followed by a stop, every message continues to the default rules in /etc/rsyslog.d/50-default.conf and still reaches /var/log/syslog. Both %FROMHOST-IP% and %PROGRAMNAME% are taken from the sender, so the resulting directory tree is only as trustworthy as the hosts you allow to send.
Step 5: Save and close the file: press Esc, then type :wq and press Enter.
Note: To make rsyslog listen on a different TCP port, say TCP port 50514, uncomment the TCP reception lines and change the port as shown below; the firewall rule and the ss check in the later steps then need the same port:
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="50514")
Step 6: Then restart Rsyslog to apply the changes:
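As an added example that is not part of the original article, the script below packages the same setup the way a security engineer would prefer to run it: the listeners go into a drop-in file and are bound to their own ruleset, so remote messages land only under /var/log/remotelogs/ and never in /var/log/syslog; the ufw rules are limited to a sender subnet instead of the whole world; and logger pushes a test message over UDP and over TCP to prove the path works. The subnet 10.0.0.0/24, the file name /etc/rsyslog.d/10-remote.conf and the tag rsyslogtest are assumptions chosen for illustration. If you use this drop-in, leave the module(load=...) and input(...) lines in /etc/rsyslog.conf commented out, because rsyslog refuses to load the same module twice.

```shell
#!/usr/bin/env bash
# Added example (not from the article): remote syslog collection on
# Ubuntu 20.04 / rsyslog 8.x with a dedicated ruleset, a sender-restricted
# ufw rule and an end-to-end check. SENDER_NET, PORT, CONF and the test
# tag are assumptions for your environment.
set -eu

SENDER_NET="${SENDER_NET:-10.0.0.0/24}"   # assumed subnet of the log senders
PORT="${PORT:-514}"
CONF="${CONF:-/etc/rsyslog.d/10-remote.conf}"

# Print the rsyslog drop-in. The listeners live here, so the matching
# lines in /etc/rsyslog.conf must stay commented out.
remote_conf() {
cat <<EOF
# Remote log collection (drop-in generated by the setup script)
module(load="imudp")
module(load="imtcp")

# One file per sender IP and program name. Both values come from the
# sender, so the directory tree is only as trustworthy as the senders.
template(name="RemInputLogs" type="string"
         string="/var/log/remotelogs/%FROMHOST-IP%/%PROGRAMNAME%.log")

# Everything received on the network inputs is written here and then
# stops, so it is not also written to /var/log/syslog by 50-default.conf.
ruleset(name="remote") {
    action(type="omfile" dynaFile="RemInputLogs"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}

input(type="imudp" port="${PORT}" ruleset="remote")
input(type="imtcp" port="${PORT}" ruleset="remote")
EOF
}

# Install the drop-in, validate the whole configuration, then restart.
apply_conf() {
  remote_conf | sudo tee "$CONF" >/dev/null
  sudo rsyslogd -N1                 # exits non-zero on a config error
  sudo systemctl restart rsyslog
}

# Open the port for the sender subnet only: syslog on 514 is cleartext and
# unauthenticated, so "ufw allow 514/udp" would accept logs from anyone.
open_firewall() {
  sudo ufw allow from "$SENDER_NET" to any port "$PORT" proto udp
  sudo ufw allow from "$SENDER_NET" to any port "$PORT" proto tcp
}

# Confirm both listeners, then send one message per transport from this
# host. They must show up under 127.0.0.1, not in /var/log/syslog.
verify() {
  sudo ss -lntup | grep -E ":${PORT}[[:space:]]"
  logger -n 127.0.0.1 -P "$PORT" -d -t rsyslogtest "udp test $(date +%s)"
  logger -n 127.0.0.1 -P "$PORT" -T -t rsyslogtest "tcp test $(date +%s)"
  sleep 1
  sudo tail -n 2 /var/log/remotelogs/127.0.0.1/rsyslogtest.log
}

case "${1:-}" in
  apply)    apply_conf ;;
  firewall) open_firewall ;;
  verify)   verify ;;
  "")       ;;   # no argument: only define the functions
  *)        echo "usage: $0 {apply|firewall|verify}" >&2; exit 1 ;;
esac
```

Run it as `bash setup-remote-syslog.sh apply`, then `firewall`, then `verify`. The difference from the article's in-line configuration is the ruleset binding plus stop: with the article's rule the per-host files appear alongside /var/log/syslog, whereas with this drop-in remote messages appear only under /var/log/remotelogs/ and the local log files stay local.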
# sudo systemctl restart rsyslog
Step 7: Verify the Rsyslog status with the following command:
# sudo systemctl status rsyslog
Step 8: At this point Rsyslog is running and listening on UDP and TCP port 514. Validate this with one of the following commands:
# ss -antpl | grep 514
or
# ss -4altunp | grep 514
The first form shows only the TCP listener; the second includes the -u flag and therefore shows the UDP socket as well.
Step 9: If a firewall is running, open the syslog ports through it:
# sudo ufw allow 514/tcp
# sudo ufw allow 514/udp
These rules accept syslog from any source. Plain syslog on port 514 is sent in cleartext and is not authenticated, so on anything but an isolated network restrict the rules to the addresses of your log senders (ufw rules can be limited to a source address or subnet) rather than opening the port to everyone.
Step 10: Whenever you change the configuration again, run a configuration check before restarting rsyslogd:
# rsyslogd -f /etc/rsyslog.conf -N1
rsyslogd: version 8.2001.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
If the validation reports no errors, restart rsyslog:
# sudo systemctl restart rsyslog
Step 11: Once rsyslog is up and running, view the incoming messages with the following command:
# tail -f /var/log/syslog
With the configuration above, remote messages are written both to the per-host files under /var/log/remotelogs/ and, because the *.* rule is not followed by a stop, to /var/log/syslog by the default rules, so either location can be used for this check.
Step 12: Now refer to the article Configuring a Log Receiver to configure the LSS in the ZPA Admin Portal. NOTE: This will vary from case to case; in my environment the log generator is the LSS (Log Streaming Service) of ZPA (Zscaler Private Access).
Step 13: Once the log receiver's configuration is complete, you will see the logs as described in Step 11.
Application Delivery Network Engineer, Data Center Network and Security Specialist
1y: Thank you man!
Telecommunications Engineer - OT Cybersecurity
2y: Great info. Thanks. I would like to know if there is a way to set a quota for log folders in rsyslog.conf, or do I need to use another package?
Engineer
2y: I have a few questions:
- Why does step 11 read logs from /var/log/syslog when in the config file we're writing logs to /var/log/remotelogs/?
- Does this config write every log message, both from local and remote, into the templated files? And does it also override the configs in /etc/rsyslog.d/*.conf?
--
2y: Thanks, Akshay. Very useful.