Rsyslog: Difference between revisions

From Network Security Wiki
Revision as of 18:04, 15 July 2017



Syslog Server

Rsyslog is installed by default on recent Ubuntu Server releases. Install it if it is not already present:

sudo apt-get install rsyslog

Edit the Rsyslog config file:

sudo nano /etc/rsyslog.conf

Add or uncomment the following lines so the server accepts syslog over UDP and TCP on port 514:

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Restart rsyslog service

sudo service rsyslog restart

Verify that the server is listening on this port:

netstat -an | grep 514

Validate your rsyslog configuration file:

sudo rsyslogd -N1

Syslog Client

On the Client Machine:

sudo nano /etc/rsyslog.d/50-default.conf

Add the following line at the top of the file, before the "log by facility" section:

/etc/rsyslog.d/50-default.conf
*.*                         @10.107.88.93:514


# for example, output logs for "auth,authpriv.*" to remote

In case you want only certain syslog alerts to be logged to the remote server:

auth,authpriv.*              @10.107.88.93:514

Settings for when the Rsyslog server is down. In the legacy syntax these $ActionQueue* directives apply to the next action statement, so they must be placed before the forwarding line above, not after it; the queue file is written under the configured $WorkDirectory (/var/spool/rsyslog in the Ubuntu default config). Note also that a single @ forwards over UDP, which cannot detect that the server is down, so the queue and retry settings only take effect with a TCP action written as @@10.107.88.93:514:

$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1

Restart rsyslog service

sudo service rsyslog restart

For verification, the commands below generate test syslog messages on the client; they should appear in the server's log files:

logger "Hello World"
logger -t ScriptName "Hello World"
logger -p local4.info "This is a info message from local 4"
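As an added illustration (not part of the wiki page or of rsyslog itself), the following Python script shows how the facility.priority selectors used above ("*.*", "auth,authpriv.*") decide whether a message is forwarded, and how a message like the logger output is encoded with the PRI header that the server receives; the hostname, timestamp and tag values are constructed.

```python
import socket

# Facility and severity codes from RFC 3164 (the names rsyslog selectors use).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19, "local4": 20,
              "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

def encode_pri(facility, severity):
    """PRI value that starts a syslog line, e.g. local4.info -> 166."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

def decode_pri(pri):
    """Inverse of encode_pri: 166 -> ('local4', 'info')."""
    return FACILITY_NAMES[pri // 8], SEVERITY_NAMES[pri % 8]

def selector_matches(selector, facility, severity):
    """Evaluate a legacy selector such as '*.*', 'auth,authpriv.*' or
    '*.info;mail.none' against one message. Facilities are a comma list or '*';
    the priority is '*', 'none', or a level meaning 'that level and worse'.
    As in sysklogd/rsyslog, the last selector naming the facility wins.
    The '=' and '!' priority modifiers are not handled here."""
    logged = False
    for part in selector.split(";"):
        fac_list, _, level = part.strip().partition(".")
        facs = fac_list.split(",")
        if "*" not in facs and facility not in facs:
            continue
        if level == "none":
            logged = False
        elif level == "*":
            logged = True
        else:
            logged = SEVERITIES[severity] <= SEVERITIES[level]
    return logged

def build_message(facility, severity, tag, text, hostname="client1"):
    """RFC 3164 style line like `logger -t tag` emits (timestamp is constructed)."""
    return f"<{encode_pri(facility, severity)}>Jul 15 18:04:00 {hostname} {tag}: {text}"

def send_udp(message, host, port=514):
    """Forward one line the way an '@host:514' action does: UDP, no delivery confirmation."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message.encode(), (host, port))
```

On a real client, `send_udp(build_message("local4", "info", "ScriptName", "test"), "10.107.88.93")` produces the same datagram the page's forwarding rule would emit for the last logger command.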


