Rsyslog: Difference between revisions
Content added Content deleted
| (8 intermediate revisions by the same user not shown) | |||
| Line 32: | Line 32: | ||
= Syslog Client = |
= Syslog Client = |
||
On the Client Machine: |
*On the Client Machine: |
||
sudo nano /etc/rsyslog.d/50-default.conf |
sudo nano /etc/rsyslog.d/50-default.conf |
||
Add the following line at the top of the file before the '''log by facility''' section, : |
*Add the following line at the top of the file before the '''log by facility''' section, : |
||
/etc/rsyslog.d/50-default.conf |
/etc/rsyslog.d/50-default.conf |
||
*.* @10.107.88.93:514 |
*.* @10.107.88.93:514 |
||
| ⚫ | |||
*In case you want only certain syslog alerts to be logged to remote server: |
|||
auth,authpriv.* @10.107.88.93:514 |
|||
*Settings for when Rsyslog Server would be down: |
|||
$ActionQueueFileName queue |
|||
$ActionQueueMaxDiskSpace 1g |
|||
$ActionQueueSaveOnShutdown on |
|||
$ActionQueueType LinkedList |
|||
$ActionResumeRetryCount -1 |
|||
| ⚫ | |||
sudo service rsyslog restart |
sudo service rsyslog restart |
||
For verification, below command will generate a new Syslog file: |
|||
Verification: |
|||
logger “Hello World” |
|||
logger –t ScriptName “Hello World” |
|||
logger -p local4.info "This is a info message from local 4" |
logger -p local4.info "This is a info message from local 4" |
||
= Generate Syslog messages = |
|||
*Test UDP syslog messages on port 514 with the following command: |
|||
echo "<14>Test UDP syslog message" >> /dev/udp/<target_hostname_or_ip_address>/514 |
|||
*Test TCP syslog messages on port 514 with the following command: |
|||
echo "<14>Test TCP syslog message" >> /dev/tcp/<target_hostname_or_ip_address>/514 |
|||
<br /> |
<br /> |
||
Latest revision as of 22:57, 3 February 2023
Syslog Server
Rsyslog will be installed by default in Latest Ubuntu server. Install it if it is not already installed:
sudo apt-get install rsyslog
Edit the Rsyslog config file
sudo nano /etc/rsyslog.conf
# provides UDP syslog reception $ModLoad imudp $UDPServerRun 514
# provides TCP syslog reception $ModLoad imtcp $InputTCPServerRun 514
Restart rsyslog service
sudo service rsyslog restart
Verify if the Server listens to this port
netstat -an | grep 514
Validate your rsyslog configuration file:
sudo rsyslogd -N1
Syslog Client
- On the Client Machine:
sudo nano /etc/rsyslog.d/50-default.conf
- Add the following line at the top of the file before the log by facility section, :
/etc/rsyslog.d/50-default.conf
*.* @10.107.88.93:514
- In case you want only certain syslog alerts to be logged to remote server:
auth,authpriv.* @10.107.88.93:514
- Settings for when Rsyslog Server would be down:
$ActionQueueFileName queue $ActionQueueMaxDiskSpace 1g $ActionQueueSaveOnShutdown on $ActionQueueType LinkedList $ActionResumeRetryCount -1
- Restart rsyslog service
sudo service rsyslog restart
For verification, below command will generate a new Syslog file:
logger “Hello World” logger –t ScriptName “Hello World” logger -p local4.info "This is a info message from local 4"
Generate Syslog messages
- Test UDP syslog messages on port 514 with the following command:
echo "<14>Test UDP syslog message" >> /dev/udp/<target_hostname_or_ip_address>/514
- Test TCP syslog messages on port 514 with the following command:
echo "<14>Test TCP syslog message" >> /dev/tcp/<target_hostname_or_ip_address>/514
- References
{{#widget:DISQUS
|id=networkm
|uniqid=Rsyslog
|url=https://aman.awiki.org/wiki/Rsyslog
}}