Syslog Server

Rsyslog will be installed by default in Latest Ubuntu server. Install it if it is not already installed:

sudo apt-get install rsyslog

Edit the Rsyslog config file

sudo nano /etc/rsyslog.conf

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Restart rsyslog service

sudo service rsyslog restart

Verify if the Server listens to this port

netstat -an | grep 514

Validate your rsyslog configuration file:

sudo rsyslogd -N1

Syslog Client

• On the Client Machine:

sudo nano /etc/rsyslog.d/50-default.conf

• Add the following line at the top of the file before the log by facility section, :

/etc/rsyslog.d/50-default.conf

*.*                         @10.107.88.93:514

• In case you want only certain syslog alerts to be logged to remote server:

auth,authpriv.*              @10.107.88.93:514

• Settings for when Rsyslog Server would be down:

$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1

• Restart rsyslog service

sudo service rsyslog restart

For verification, below command will generate a new Syslog file:

logger “Hello World”
logger –t ScriptName “Hello World”
logger -p local4.info "This is a info message from local 4"

Generate Syslog messages

• Test UDP syslog messages on port 514 with the following command:

echo "<14>Test UDP syslog message" >> /dev/udp/<target_hostname_or_ip_address>/514

• Test TCP syslog messages on port 514 with the following command:

echo "<14>Test TCP syslog message" >> /dev/tcp/<target_hostname_or_ip_address>/514

References

{{#widget:DISQUS |id=networkm |uniqid=Rsyslog |url=https://aman.awiki.org/wiki/Rsyslog }}