Remote Syslog Server

Sources:


These notes are intended for Ubuntu 18.04!

Install and Configure Rsyslog Server

dpkg -l | grep rsyslog
apt-get update && apt-get install rsyslog

systemctl start rsyslog
systemctl enable rsyslog
systemctl status rsyslog

Check rsyslog version (v7 vs. v8!):

rsyslogd -v

General configuration

#
# /etc/rsyslog.conf
#

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

and/or

# provides TCP syslog reception
module(load="imtcp")
# Port 514/TCP is used by the RPC service as well, so rsyslog listens on 50514 here.
input(type="imtcp" port="50514")

Restrictions:

# GLOBAL DIRECTIVES

$AllowedSender UDP, 192.168.1.0/24, [::1]/128, *.fromdual.com
$AllowedSender UDP, 192.168.56.0/24, [::1]/128, *.fromdual.com

$AllowedSender TCP, 192.168.1.0/24, [::1]/128, *.fromdual.com
$AllowedSender TCP, 192.168.56.0/24, [::1]/128, *.fromdual.com
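To see which peers the four $AllowedSender lines above actually admit, here is an added example (not rsyslog's own code) that models the check: the rule list is copied from the page's GLOBAL DIRECTIVES, address rules are matched as CIDR networks and name rules as globs against the peer's reverse-DNS name (rsyslog likewise resolves name patterns through DNS). The peer addresses and names passed in below are constructed test values.

```python
"""Model of rsyslog's $AllowedSender semantics (added example, not rsyslog code)."""
import ipaddress
from fnmatch import fnmatchcase

# Rule set copied from the page's GLOBAL DIRECTIVES, keyed by transport.
ALLOWED_SENDERS = {
    "UDP": ["192.168.1.0/24", "192.168.56.0/24", "[::1]/128", "*.fromdual.com"],
    "TCP": ["192.168.1.0/24", "192.168.56.0/24", "[::1]/128", "*.fromdual.com"],
}


def _parse_rule(rule):
    """Return ('net', ip_network) for address rules, ('host', glob) for names."""
    text = rule.replace("[", "").replace("]", "")  # "[::1]/128" -> "::1/128"
    try:
        return "net", ipaddress.ip_network(text, strict=False)
    except ValueError:
        return "host", rule


def sender_allowed(protocol, peer_ip, peer_name=None, rules=ALLOWED_SENDERS):
    """True if peer_ip, or its reverse-DNS name, matches a rule for protocol.

    Messages from peers that match no rule are what rsyslog discards (and
    warns about) when $AllowedSender is configured.
    """
    addr = ipaddress.ip_address(peer_ip)
    for rule in rules.get(protocol, []):
        kind, value = _parse_rule(rule)
        if kind == "net" and addr.version == value.version and addr in value:
            return True
        if kind == "host" and peer_name and fnmatchcase(peer_name.lower(), value.lower()):
            return True
    return False


if __name__ == "__main__":
    # Constructed peers: one from each allowed subnet, one stranger, one by name.
    for proto, ip, name in [("UDP", "192.168.1.102", None),
                            ("UDP", "192.168.2.7", None),
                            ("TCP", "::1", None),
                            ("TCP", "10.0.0.5", "db1.fromdual.com")]:
        print(proto, ip, name, "->", sender_allowed(proto, ip, name))
```

Note that a name rule only helps when reverse DNS for the peer resolves; a client in an unlisted subnet with no PTR record is rejected, which is the conservative outcome.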

Specific configuration:

#
# /etc/rsyslog.d/remote_syslog.conf
#

$template RemInputLogs, "/var/log/remotelogs/%FROMHOST-IP%/%PROGRAMNAME%.log"
*.* ?RemInputLogs

Check syntax:

rsyslogd -N 1

systemctl restart rsyslog
systemctl status rsyslog

Check /var/log/syslog for errors!

Verify it works:

ss -tulnp | grep -e rsyslog -e State
Netid  State    Recv-Q   Send-Q      Local Address:Port      Peer Address:Port
udp    UNCONN   0        0                 0.0.0.0:514            0.0.0.0:*      users:(("rsyslogd",pid=11743,fd=6))
udp    UNCONN   0        0                    [::]:514               [::]:*      users:(("rsyslogd",pid=11743,fd=7))
tcp    LISTEN   0        25                0.0.0.0:50514          0.0.0.0:*      users:(("rsyslogd",pid=11743,fd=8))
tcp    LISTEN   0        25                   [::]:50514             [::]:*      users:(("rsyslogd",pid=11743,fd=9))

Configure Rsyslog Client to send Logs to Rsyslog Server

dpkg -l | grep rsyslog
apt-get update && apt-get install rsyslog

systemctl start rsyslog
systemctl enable rsyslog
systemctl status rsyslog

Configuration:

#
# /etc/rsyslog.d/remote_logging.conf
#

# 192.168.1.142 is the IP of the Rsyslog Server!

# Everything over UDP (single @)
*.*  @192.168.1.142:514

# $ActionQueue* directives apply to the action that follows them and are
# reset after it, so they must precede the action they are meant to protect.
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1

# auth and authpriv over TCP (double @@), buffered by the disk-assisted queue above
auth,authpriv.*  @@192.168.1.142:50514
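The two action lines above decide which transport a message takes by its facility and severity, and logger puts each message on the wire as a BSD-syslog line beginning with the PRI value. The following added example (not from the page or from rsyslog) builds that line and evaluates the page's two selectors against a message; the server IP is the page's 192.168.1.142, while the hostname client01, the tag testapp and the timestamp are constructed. Only the selector forms the page uses (facility lists, "*", and a plain severity) are handled.

```python
"""Client-side view: PRI, wire format and selector matching (added example)."""
import socket
from datetime import datetime

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "local0": 16, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

# The two actions from the page's /etc/rsyslog.d/remote_logging.conf.
ACTIONS = [
    {"selector": "*.*",             "proto": "udp", "port": 514},
    {"selector": "auth,authpriv.*", "proto": "tcp", "port": 50514},
]


def pri(facility, severity):
    """PRI = facility * 8 + severity; it is the number in <...> at line start."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility, severity, hostname, tag, text, when=None):
    """Format one BSD-syslog line the way logger sends it (day is space-padded)."""
    when = when or datetime(2019, 5, 6, 12, 0, 0)  # fixed so output is reproducible
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {text}"


def selector_matches(selector, facility, severity):
    """Evaluate a legacy selector such as 'auth,authpriv.*' or '*.err'.

    A severity in the selector means "that severity and anything more urgent",
    i.e. a numerically lower or equal severity code.
    """
    facs, _, sev = selector.partition(".")
    fac_ok = facs == "*" or facility in facs.split(",")
    sev_ok = sev == "*" or SEVERITIES[severity] <= SEVERITIES[sev]
    return fac_ok and sev_ok


def transports_for(facility, severity, actions=ACTIONS):
    """(proto, port) pairs the page's client config forwards this message to."""
    return [(a["proto"], a["port"]) for a in actions
            if selector_matches(a["selector"], facility, severity)]


def send(message, server, proto, port):
    """Send one line like logger -n --udp / --tcp does (needs the real server)."""
    data = message.encode()
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (server, port))
    else:  # plain TCP: one newline-terminated line per message
        with socket.create_connection((server, port), timeout=5) as s:
            s.sendall(data + b"\n")


if __name__ == "__main__":
    msg = build_message("auth", "notice", "client01", "testapp", "Test message from client")
    print(msg)
    print(transports_for("auth", "notice"))  # both actions match
    print(transports_for("user", "info"))    # only the UDP catch-all
    # send(msg, "192.168.1.142", "tcp", 50514)  # uncomment on a real client
```

Because "*.*" goes over UDP and only auth/authpriv additionally go over TCP, an auth message is sent twice (once per transport) while a user.info message is sent once and can be lost without notice; the disk-assisted queue in the configuration only protects the TCP action it precedes.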

Check configuration:

rsyslogd -N 1

systemctl restart rsyslog

Check /var/log/syslog for errors.

Send messages to remote syslog server from client

# IP of rsyslog server

telnet 192.168.1.142 50514
Trying 192.168.1.142...
Connected to 192.168.1.142.
Escape character is '^]'.
Connection closed by foreign host.

nc -u 192.168.1.142 514
Hello
Server
^C

logger "Test message from client"

logger -n 192.168.1.142 --udp --port=514 "Test message from client over UDP"
logger -n 192.168.1.142 --tcp --port=50514 "Test message from client over TCP"

Monitor Remote Logging on the Rsyslog Server

# IP of client
ls -l /var/log/remotelogs/192.168.1.102/
tail -f /var/log/remotelogs/192.168.1.102/oli.log
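Beyond tailing one file, the server side is worth checking as a whole: which clients are writing, how much, and which have gone quiet. The added example below (not part of the page) walks the /var/log/remotelogs/<client-ip>/<programname>.log layout produced by the RemInputLogs template, counts lines per program and flags clients whose newest file has not been written for a given number of seconds. The build_sample_tree helper creates a constructed look-alike tree in a temporary directory so the script runs without a real server; point the root at /var/log/remotelogs on the server itself.

```python
"""Summarise remote log arrivals and flag silent clients (added example)."""
import os
import tempfile
import time


def summarize_remote_logs(root):
    """Return {client_ip: {program: line_count}} for every client directory."""
    summary = {}
    for client in sorted(os.listdir(root)):
        client_dir = os.path.join(root, client)
        if not os.path.isdir(client_dir):
            continue
        per_program = {}
        for name in sorted(os.listdir(client_dir)):
            if not name.endswith(".log"):
                continue
            with open(os.path.join(client_dir, name), "rb") as fh:
                per_program[name[:-4]] = sum(1 for _ in fh)
        summary[client] = per_program
    return summary


def silent_clients(root, max_age_seconds, now=None):
    """Clients whose newest log file is older than max_age_seconds.

    A client that stops sending is a finding in its own right: the forwarder
    may have died, its queue may be full, or the host may be off the network.
    """
    now = time.time() if now is None else now
    silent = []
    for client in sorted(os.listdir(root)):
        client_dir = os.path.join(root, client)
        if not os.path.isdir(client_dir):
            continue
        newest = max((os.path.getmtime(os.path.join(client_dir, n))
                      for n in os.listdir(client_dir)), default=0)
        if now - newest > max_age_seconds:
            silent.append(client)
    return silent


def build_sample_tree():
    """Create a constructed /var/log/remotelogs look-alike in a temp directory."""
    root = tempfile.mkdtemp(prefix="remotelogs-")
    sample = {  # constructed clients and programs; 192.168.1.102 is the page's client
        "192.168.1.102": {"oli": ["a", "b", "c"], "sshd": ["x"]},
        "192.168.1.103": {"cron": ["y", "z"]},
    }
    for ip, programs in sample.items():
        os.makedirs(os.path.join(root, ip))
        for prog, lines in programs.items():
            with open(os.path.join(root, ip, prog + ".log"), "w") as fh:
                fh.write("\n".join(lines) + "\n")
    # Make the second client look stale: its last write was an hour ago.
    old = time.time() - 3600
    for name in os.listdir(os.path.join(root, "192.168.1.103")):
        os.utime(os.path.join(root, "192.168.1.103", name), (old, old))
    return root


if __name__ == "__main__":
    root = build_sample_tree()  # replace with "/var/log/remotelogs" on the server
    for ip, programs in summarize_remote_logs(root).items():
        print(ip, programs)
    print("silent for more than 10 minutes:", silent_clients(root, 600))
```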