Centralized logging with rsyslog


This content originally appeared on DEV Community and was authored by Igor Lerinc

Configuring the server to receive logs

Edit the server configuration file:

sudo nano /etc/rsyslog.conf

Find the following lines:

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

Uncomment the second pair of lines (module and input) to receive logs over TCP. UDP is cheaper, but it gives the sender no delivery feedback, so messages can be dropped silently; TCP is the better default for a central collector.

Don't forget to open port 514 on the firewall.

After restarting rsyslog, check that it is listening on the port:

sudo ss -tulnp | grep "rsyslog"

To change default log storage location

In order not to store (and mix) all remote logs in /var/log, add the following to the main configuration file (/etc/rsyslog.conf):

$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& ~

The $template RemoteLogs directive defines a template named RemoteLogs; the quoted string after the name is the path pattern rsyslog uses to store each incoming entry.

In our case the remote logs still live under /var/log, but each client gets its own subdirectory named after the client hostname.

Inside that subdirectory, each entry goes into a file named after the client program that generated it.

On the following line, *.* ?RemoteLogs applies the RemoteLogs template to all facilities at all priority levels (in other words, to every message).

Finally, & ~ tells rsyslog to stop processing a message once it has been written by the preceding rule (newer versions spell this & stop; ~ still works but is deprecated).

Without this line, the default rules later in the configuration would process the same messages again and also write them to the usual files in /var/log.
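To show what the template does with incoming messages, here is an added example (my own code, not from the post or the rsyslog project) that expands the RemoteLogs path pattern over a few constructed syslog lines. It re-implements a small subset of rsyslog's property replacer, including the real secpath-drop and secpath-replace options, and uses its own simplified RFC 3164 parser. The point it makes is that HOSTNAME and PROGRAMNAME come from the sending client, so a collector should sanitise them before using them in a file path; whether rsyslog's own parser accepts a slash-bearing hostname is not something this example checks.

```python
import posixpath
import re
from collections import defaultdict

LOG_ROOT = "/var/log"

# Simplified RFC 3164 line: "<PRI>Mon DD HH:MM:SS host program[pid]: message".
# This is the example's own parser, not rsyslog's.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# rsyslog property replacer syntax: %NAME% or %NAME:from:to:options%.
PROP_RE = re.compile(r"%([A-Za-z-]+)(?::([^:%]*):([^:%]*)(?::([^%]*))?)?%")

# Constructed sample messages as a collector might receive them. The last one
# carries a crafted hostname field: the sender controls that field.
SAMPLE_LINES = [
    "<38>May  2 12:45:01 web01 sshd[1234]: Accepted publickey for deploy from 192.0.2.10",
    "<78>May  2 12:45:02 web01 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)",
    "<46>May  2 12:45:03 db01 rsyslogd: action 'action 0' resumed",
    "<38>May  2 12:45:04 ../../tmp/evil sshd[7]: crafted hostname field",
]

# The page's template, and the same template with secpath-replace applied to
# the two sender-controlled properties.
PAGE_TEMPLATE = "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
SAFE_TEMPLATE = "/var/log/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log"


def parse_syslog(line):
    """Split one line into the properties the template can reference."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 style line: " + line)
    pri = int(m.group("pri"))
    return {
        "HOSTNAME": m.group("host"),
        "PROGRAMNAME": m.group("prog"),
        "syslogfacility": str(pri // 8),   # PRI = facility * 8 + severity
        "syslogseverity": str(pri % 8),
        "msg": m.group("msg"),
    }


def expand_template(template, props):
    """Expand %PROPERTY% references, honouring the secpath-* options."""
    def replace(m):
        name, options = m.group(1), m.group(4)
        value = props.get(name, "")
        opts = set(options.split(",")) if options else set()
        if "secpath-drop" in opts:
            value = value.replace("/", "")       # "a/b" -> "ab"
        elif "secpath-replace" in opts:
            value = value.replace("/", "_")      # "a/b" -> "a_b"
        return value
    return PROP_RE.sub(replace, template)


def route(template, lines, root=LOG_ROOT):
    """Return ({resolved_path: [messages]}, [paths that escape root])."""
    files = defaultdict(list)
    escaped = []
    for line in lines:
        props = parse_syslog(line)
        # normpath collapses ".." the same way the filesystem would resolve it
        path = posixpath.normpath(expand_template(template, props))
        if not path.startswith(root + "/"):
            escaped.append(path)
        files[path].append(props["msg"])
    return dict(files), escaped


if __name__ == "__main__":
    for label, template in (("page template", PAGE_TEMPLATE), ("secpath-replace", SAFE_TEMPLATE)):
        files, escaped = route(template, SAMPLE_LINES)
        print(f"== {label}")
        for path in sorted(files):
            print(f"  {path}: {len(files[path])} message(s)")
        print(f"  paths outside {LOG_ROOT}: {escaped}")
```

With the page's template as written, the crafted hostname resolves to /tmp/evil/sshd.log; with secpath-replace on both properties every path stays under /var/log. In rsyslog the same protection is written as %HOSTNAME:::secpath-replace% (or secpath-drop) inside the template string.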

Forwarding logs from an Rsyslog client

Edit /etc/rsyslog.d/50-default.conf and add:

*.* @@<your_rsyslog_server_ip_address>:514

A single @ forwards over UDP; @@ forwards over TCP.

Instead of *.* you can forward only selected facilities, such as cron.* @@0.0.0.0:514 or apache2.* @@0.0.0.0:514.

You can also forward logs to more than one server:

*.* @@0.0.0.0:514
*.* @@192.168.122.235
cron.* @@192.168.122.237:514
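As an added example (my own code, not from the post or the rsyslog project), here is a small audit script that parses legacy-format forwarding lines from a constructed 50-default.conf fragment, records which selector goes to which server over which transport, fills in rsyslog's default port 514 where none is given, and flags UDP targets because UDP gives no delivery feedback. It handles only the simple facility.priority @host[:port] form used on this page; compound selectors and bracketed IPv6 literals are not parsed.

```python
import re

# Legacy-syntax forwarding action: "<facility>.<priority> @host[:port]" (UDP)
# or "... @@host[:port]" (TCP). Bracketed IPv6 literals are not handled here.
FORWARD_RE = re.compile(
    r"^(?P<selector>\S+)\s+(?P<at>@@?)(?P<host>[^:\s]+)(?::(?P<port>\d+))?\s*$"
)

# Constructed sample of the forwarding lines a client's 50-default.conf might hold.
SAMPLE_CONFIG = """
# forward everything to two collectors, cron to a third, auth over UDP
*.* @@192.0.2.10:514
*.* @@192.0.2.11
cron.* @@192.0.2.12:514
auth.* @192.0.2.13:514
*.* /var/log/syslog
"""


def parse_forward_rule(line):
    """Return the parsed rule, or None if the line is not a forwarding action."""
    m = FORWARD_RE.match(line)
    if m is None or "." not in m.group("selector"):
        return None
    facility, severity = m.group("selector").split(".", 1)
    return {
        "facility": facility,
        "severity": severity,
        "proto": "tcp" if m.group("at") == "@@" else "udp",
        "host": m.group("host"),
        "port": int(m.group("port")) if m.group("port") else 514,  # rsyslog's default
        "explicit_port": m.group("port") is not None,
    }


def audit_forwarding(config_text):
    """Parse every forwarding line and flag the things worth a second look."""
    rules, findings = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_forward_rule(line)
        if rule is None:
            continue  # local file actions and other rules are out of scope here
        rules.append(rule)
        if rule["proto"] == "udp":
            findings.append(f"{line}: UDP gives no delivery feedback, so messages can be lost silently")
        if not rule["explicit_port"]:
            findings.append(f"{line}: no port given, rsyslog will use 514")
    return rules, findings


if __name__ == "__main__":
    rules, findings = audit_forwarding(SAMPLE_CONFIG)
    for r in rules:
        print(f"{r['facility']}.{r['severity']:<4} -> {r['proto']}://{r['host']}:{r['port']}")
    for f in findings:
        print("note:", f)
```

Run it against a real 50-default.conf by reading the file into audit_forwarding; the rule list doubles as an inventory of where a host ships its logs, which is useful when reviewing what a compromised client could have seen or suppressed.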


Igor Lerinc | Sciencx (2023-05-02T12:45:34+00:00) Centralized logging with rsyslog. Retrieved from https://www.scien.cx/2023/05/02/centralized-logging-with-rsyslog/