This article has not been completed yet. However, it may already contain helpful information and therefore it has been published at this stage.
Rsyslog is the default syslogd on Debian systems and is normally installed by default on Ubuntu 20.04.
You can verify this by checking the installed rsyslog version.
```bash
# Getting root access
sudo su
# Looking for an installed application
apt list -a rsyslog
```
If for any reason it is not installed, run the commands below to install it.
```bash
# Repo update
apt update
# Installing rsyslog
apt install rsyslog -y
# Start and enable the rsyslog service
systemctl enable --now rsyslog
```
Setup Rsyslog Server on Ubuntu 20.04
Now that rsyslog is installed and running, you need to configure it to run in server mode. As stated above, rsyslog can be configured as a client to send logs to a central logging server, or as a server to receive and store logs from other systems.
Open the rsyslog configuration file, /etc/rsyslog.conf, for editing:
Define Rsyslog Server Protocol and Port
Note that TCP syslog reception is far more reliable than UDP syslog and still pretty fast. The main reason is that UDP might suffer from message loss. This happens when the syslog server must receive large bursts of messages: if the system buffer for UDP is full, all further messages are dropped. With TCP, this will not happen. But sometimes it is good to have a UDP server configured as well, because some devices (like routers) are not able to send TCP syslog by design. In that case, you need both syslog server types to have everything covered.
```
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
```
- CTRL + X
TCP syslog may need to use a different port, because the RPC service often uses this port as well.
```bash
# Restarting the rsyslog service
systemctl restart rsyslog
# Checking listeners
ss -4altunp | grep 514
# Checking firewall
ufw status
# Open firewall
ufw allow 514/udp
ufw allow 514/tcp
```
NAT - Network
```bash
# Shutting down VMs
shutdown -h now
# Showing IP configuration
ip a
# Testing Internet
ping -c 1 126.96.36.199
# Testing connection between VMs
ping -c 1 10.0.2.X
```
You may also want to explicitly set the remote clients that are allowed to send syslog messages to rsyslogd.
```
# Defining allowed traffic
$AllowedSender UDP, 127.0.0.1, 10.0.2.4, [::1]/128
$AllowedSender TCP, 127.0.0.1, 10.0.2.4, [::1]/128
```
- CTRL + X
```bash
# Open firewall for a specific IP
ufw allow from 10.0.2.4 to any port 514 proto udp
ufw allow from 10.0.2.4 to any port 514 proto tcp
```
Configure Rsyslog Template
To create a template, use the following syntax in /etc/rsyslog.conf:
```
# How to create a template
$template TEMPLATE_NAME,"text %PROPERTY% more text", [OPTION]
```
```
# Custom template to generate the log filename dynamically based on the client's IP address.
$template RemInputLogs, "/var/log/remotelogs/%FROMHOST-IP%/%PROGRAMNAME%.log"
*.* ?RemInputLogs
```
- CTRL + X
```bash
# Config check
rsyslogd -f /etc/rsyslog.conf -N1
```
Restart the rsyslog service (same procedure as described above):
```bash
systemctl restart rsyslog
```
@RSYSLOG Client - VM:
```bash
# Send a test message
telnet 10.0.2.5 514
```
- CTRL + C
@RSYSLOG Server - VM (RSYSLOGSRV):
```bash
# Check for new messages
cd /var/log/remotelogs/10.0.2.4
ls
# "#015" is the escaped carriage return (octal 015) that telnet appends to the typed line
cat Test#015.log
# Continuous inspection
tail -f /var/log/remotelogs/10.0.2.4/Test#015.log
```
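To show how the RemInputLogs template from above turns a received line into the file name seen here (and why the telnet test produces `Test#015.log`), here is an added illustration in Python. It is not rsyslog's own code: the parser is a deliberately simplified RFC 3164 approximation, the sample input is constructed, and the containment check at the end is a defensive addition that keeps client-controlled TAG text from steering the write outside the base directory.

```python
import posixpath
import re

# rsyslog's default control-character escaping on receive: '#' + 3-digit octal.
# The telnet test sends CR LF, so a TAG typed as "Test" arrives as "Test\r" and is
# stored as "Test#015", which is why the destination file is named Test#015.log.
ESCAPE_PREFIX = "#"
_CTRL = re.compile(r"[\x00-\x1f\x7f]")

def escape_control_chars(raw: str) -> str:
    return _CTRL.sub(lambda m: f"{ESCAPE_PREFIX}{ord(m.group(0)):03o}", raw)

def parse_line(raw: str) -> dict:
    """Simplified RFC 3164 parse (an assumption, not rsyslog's own parser):
    optional <PRI>, then TAG up to the first ':', '[' or space, then MSG."""
    text = escape_control_chars(raw.rstrip("\n"))   # escape first, as rsyslog does
    m = re.match(r"(?:<(\d{1,3})>)?(.*)", text, re.S)
    pri = int(m.group(1)) if m.group(1) else 13      # default priority: user.notice
    rest = m.group(2)
    tag = re.match(r"[^:\[ ]*", rest).group(0)
    return {"PRI": pri, "PROGRAMNAME": tag, "MSG": rest[len(tag):].lstrip(": ")}

def render_template(template: str, props: dict) -> str:
    """Expand %PROPERTY% placeholders as in the $template line above."""
    return re.sub(r"%([A-Za-z-]+)%", lambda m: props[m.group(1)], template)

def dynafile_path(template: str, raw_line: str, from_ip: str, base: str) -> str:
    """Build the destination path and refuse anything that resolves outside base.
    The containment check is a defensive addition for this example."""
    props = parse_line(raw_line)
    props["FROMHOST-IP"] = from_ip   # comes from the socket peer, not the payload
    path = posixpath.normpath(render_template(template, props))
    if posixpath.commonpath([base, path]) != base:
        raise ValueError(f"refusing to write outside {base}: {path}")
    return path

TEMPLATE = "/var/log/remotelogs/%FROMHOST-IP%/%PROGRAMNAME%.log"
BASE = "/var/log/remotelogs"
# Constructed sample input: what the telnet session above delivers after typing "Test".
SAMPLE = "Test\r\n"

if __name__ == "__main__":
    print(dynafile_path(TEMPLATE, SAMPLE, "10.0.2.4", BASE))
    # → /var/log/remotelogs/10.0.2.4/Test#015.log
```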
What else should be considered now? If you collect log files, you must also make sure that they are disposed of after some time, once they are no longer useful.
I have dealt with this topic in this further blog post: