Rsyslog: Difference between revisions
Content added Content deleted
(Created page with "Setting up Syslog Server in Ubuntu: Rsyslog will be installed by default in Latest Ubuntu server: Edit the Rsyslog config file sudo nano /etc/rsyslog.conf # provides UDP...") |
|||
| (13 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
[[Category:Linux]] |
|||
| ⚫ | |||
__TOC__ |
|||
<br /> |
|||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
Install it if it is not already installed: |
|||
sudo apt-get install rsyslog |
|||
Edit the Rsyslog config file |
Edit the Rsyslog config file |
||
| Line 14: | Line 21: | ||
$InputTCPServerRun 514 |
$InputTCPServerRun 514 |
||
Restart rsyslog service |
|||
sudo service rsyslog restart |
sudo service rsyslog restart |
||
Verify if the Server listens to this port |
|||
netstat -an | grep 514 |
netstat -an | grep 514 |
||
Validate your rsyslog configuration file: |
|||
sudo rsyslogd -N1 |
sudo rsyslogd -N1 |
||
= Syslog Client = |
|||
*On the Client Machine: |
|||
sudo nano /etc/rsyslog.d/50-default.conf |
sudo nano /etc/rsyslog.d/50-default.conf |
||
Add the following line at the top of the file before the log by facility section, |
*Add the following line at the top of the file before the '''log by facility''' section, : |
||
/etc/rsyslog.d/50-default.conf |
/etc/rsyslog.d/50-default.conf |
||
*.* @ |
*.* @10.107.88.93:514 |
||
*In case you want only certain syslog alerts to be logged to remote server: |
|||
auth,authpriv.* @10.107.88.93:514 |
|||
*Settings for when Rsyslog Server would be down: |
|||
$ActionQueueFileName queue |
|||
$ActionQueueMaxDiskSpace 1g |
|||
$ActionQueueSaveOnShutdown on |
|||
$ActionQueueType LinkedList |
|||
$ActionResumeRetryCount -1 |
|||
*Restart rsyslog service |
|||
| ⚫ | |||
For verification, below command will generate a new Syslog file: |
|||
logger “Hello World” |
|||
logger –t ScriptName “Hello World” |
|||
logger -p local4.info "This is a info message from local 4" |
|||
= Generate Syslog messages = |
|||
*Test UDP syslog messages on port 514 with the following command: |
|||
echo "<14>Test UDP syslog message" >> /dev/udp/<target_hostname_or_ip_address>/514 |
|||
*Test TCP syslog messages on port 514 with the following command: |
|||
echo "<14>Test TCP syslog message" >> /dev/tcp/<target_hostname_or_ip_address>/514 |
|||
<br /> |
|||
;References |
|||
<references/> |
|||
<br /> |
|||
<br /> |
|||
<br /> |
|||
| ⚫ | |||
{{DISQUS}} |
|||
Logger |
|||
Latest revision as of 22:57, 3 February 2023
Syslog Server
Rsyslog will be installed by default in Latest Ubuntu server. Install it if it is not already installed:
sudo apt-get install rsyslog
Edit the Rsyslog config file
sudo nano /etc/rsyslog.conf
# provides UDP syslog reception $ModLoad imudp $UDPServerRun 514
# provides TCP syslog reception $ModLoad imtcp $InputTCPServerRun 514
Restart rsyslog service
sudo service rsyslog restart
Verify if the Server listens to this port
netstat -an | grep 514
Validate your rsyslog configuration file:
sudo rsyslogd -N1
Syslog Client
- On the Client Machine:
sudo nano /etc/rsyslog.d/50-default.conf
- Add the following line at the top of the file before the log by facility section, :
/etc/rsyslog.d/50-default.conf
*.* @10.107.88.93:514
- In case you want only certain syslog alerts to be logged to remote server:
auth,authpriv.* @10.107.88.93:514
- Settings for when Rsyslog Server would be down:
$ActionQueueFileName queue $ActionQueueMaxDiskSpace 1g $ActionQueueSaveOnShutdown on $ActionQueueType LinkedList $ActionResumeRetryCount -1
- Restart rsyslog service
sudo service rsyslog restart
For verification, below command will generate a new Syslog file:
logger “Hello World” logger –t ScriptName “Hello World” logger -p local4.info "This is a info message from local 4"
Generate Syslog messages
- Test UDP syslog messages on port 514 with the following command:
echo "<14>Test UDP syslog message" >> /dev/udp/<target_hostname_or_ip_address>/514
- Test TCP syslog messages on port 514 with the following command:
echo "<14>Test TCP syslog message" >> /dev/tcp/<target_hostname_or_ip_address>/514
- References
{{#widget:DISQUS
|id=networkm
|uniqid=Rsyslog
|url=https://aman.awiki.org/wiki/Rsyslog
}}