Rsyslog
Syslog Server
Rsyslog will be installed by default in Latest Ubuntu server. Install it if it is not already installed:
sudo apt-get install rsyslog
Edit the Rsyslog config file
sudo nano /etc/rsyslog.conf
# provides UDP syslog reception $ModLoad imudp $UDPServerRun 514
# provides TCP syslog reception $ModLoad imtcp $InputTCPServerRun 514
Restart rsyslog service
sudo service rsyslog restart
Verify if the Server listens to this port
netstat -an | grep 514
Validate your rsyslog configuration file:
sudo rsyslogd -N1
Syslog Client
- On the Client Machine:
sudo nano /etc/rsyslog.d/50-default.conf
- Add the following line at the top of the file before the log by facility section, :
/etc/rsyslog.d/50-default.conf
*.* @10.107.88.93:514
- In case you want only certain syslog alerts to be logged to remote server:
auth,authpriv.* @10.107.88.93:514
- Settings for when Rsyslog Server would be down:
$ActionQueueFileName queue $ActionQueueMaxDiskSpace 1g $ActionQueueSaveOnShutdown on $ActionQueueType LinkedList $ActionResumeRetryCount -1
- Restart rsyslog service
sudo service rsyslog restart
For verification, below command will generate a new Syslog file:
logger “Hello World” logger –t ScriptName “Hello World” logger -p local4.info "This is a info message from local 4"
Generate Syslog messages
- Test UDP syslog messages on port 514 with the following command:
echo "<14>Test UDP syslog message" >> /dev/udp/<target_hostname_or_ip_address>/514
- Test TCP syslog messages on port 514 with the following command:
echo "<14>Test TCP syslog message" >> /dev/tcp/<target_hostname_or_ip_address>/514
- References
{{#widget:DISQUS
|id=networkm
|uniqid=Rsyslog
|url=https://aman.awiki.org/wiki/Rsyslog
}}