Rsyslog

= Syslog Server =

Rsyslog is installed by default on the latest Ubuntu Server. Install it if it is not already installed:

sudo apt-get install rsyslog

Edit the Rsyslog config file:

sudo nano /etc/rsyslog.conf

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Restart the rsyslog service:

sudo service rsyslog restart

Verify that the server is listening on this port:

netstat -an | grep 514

Validate your rsyslog configuration file:

sudo rsyslogd -N1

= Syslog Client =

 * On the client machine, edit the default rules file:

sudo nano /etc/rsyslog.d/50-default.conf

 * Add the following line at the top of /etc/rsyslog.d/50-default.conf, before the log-by-facility section:

*.*                        @10.107.88.93:514

 * In case you want only certain syslog alerts to be logged to the remote server:

auth,authpriv.*             @10.107.88.93:514

 * Settings for when the Rsyslog server is down (these directives apply to the next action defined after them, so place them before the forwarding line):

$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1

 * Restart the rsyslog service:

sudo service rsyslog restart

For verification, the commands below generate new syslog entries:

logger "Hello World"
logger -t ScriptName "Hello World"
logger -p local4.info "This is a info message from local 4"

= Generate Syslog messages =

 * Test UDP syslog messages on port 514 with the following command:

echo "<14>Test UDP syslog message" >> /dev/udp//514

 * Test TCP syslog messages on port 514 with the following command:

echo "<14>Test TCP syslog message" >> /dev/tcp//514
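
The `<14>` prefix in the test messages above is the syslog PRI value, facility × 8 + severity (14 is user.info). As an added example that is not part of the original page, the shell functions below convert between names and PRI so a raw test message can carry a chosen facility and severity, such as authpriv.info. The function names, and the names used for facilities 12 to 15, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): convert between syslog
# facility/severity names and the numeric PRI used in raw test messages.
# PRI = facility * 8 + severity (RFC 3164 / RFC 5424).

# Position in each list is the numeric code. Names for facilities 12-15
# follow the RFC 5424 descriptions and are not logger keywords (assumption).
FACILITIES="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7"
SEVERITIES="emerg alert crit err warning notice info debug"

# index_of NAME LIST... -> prints zero-based position of NAME, fails if absent
index_of() {
    name=$1; shift
    i=0
    for item in "$@"; do
        [ "$item" = "$name" ] && { echo "$i"; return 0; }
        i=$((i + 1))
    done
    return 1
}

# name_at INDEX LIST... -> prints the list entry at zero-based INDEX
name_at() {
    idx=$1; shift
    [ "$idx" -lt "$#" ] || return 1
    shift "$idx"
    echo "$1"
}

# syslog_pri FACILITY SEVERITY -> numeric PRI, e.g. "user info" -> 14
syslog_pri() {
    f=$(index_of "$1" $FACILITIES) || { echo "unknown facility: $1" >&2; return 1; }
    s=$(index_of "$2" $SEVERITIES) || { echo "unknown severity: $2" >&2; return 1; }
    echo $((f * 8 + s))
}

# syslog_decode PRI -> "facility.severity", e.g. 14 -> user.info
syslog_decode() {
    case $1 in ''|*[!0-9]*) echo "PRI must be a number" >&2; return 1 ;; esac
    [ "$1" -le 191 ] || { echo "PRI out of range (0-191)" >&2; return 1; }
    f=$(name_at $(( $1 / 8 )) $FACILITIES)
    s=$(name_at $(( $1 % 8 )) $SEVERITIES)
    echo "$f.$s"
}
```

In bash, `echo "<$(syslog_pri authpriv info)>Test" > /dev/udp/$SERVER/514` sends a test message with facility authpriv and severity info, where `SERVER` is a placeholder for the syslog server address.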

