
Log Server Setup Using rsyslog

The following is a basic setup for running rsyslog as a central log server on your local network. Logging setups are highly specific to a user's or network's needs, so this is only a starting point that also covers some basic security practices.


Server-side Configuration

Take the server's IP address and add it to each client's /etc/hosts file. Note that sudo applies to echo but not to the >> redirection, so the append must go through tee:

echo "10.3.2.240 syslog-server" | sudo tee -a /etc/hosts

Install rsyslog

sudo apt install rsyslog

Get Info

rsyslogd -v
systemctl status rsyslog

Edit Configuration

sudo vi /etc/rsyslog.conf

Uncomment both the UDP and TCP module and input lines so that clients can send data to the rsyslog server.

# Provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# Provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

Don't let just anyone send data to the log server: restrict which hosts may send logs. Then add a template that defines how and where incoming logs are saved.

$template remote-incoming-logs, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs

Create Log Directory and Set Permissions

Replace %HOSTNAME% with your server's hostname (or with the directory name that rsyslog will create dynamically for each sender):

sudo mkdir -p /var/log/syslog-server
sudo chown syslog:adm /var/log/syslog-server
sudo chmod 750 /var/log/syslog-server
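As an added example (not from the original page), here is the server-side fragment that the sender restriction, template and directory-permission steps above describe, written as a drop-in file such as /etc/rsyslog.d/10-remote.conf (an assumed path). It limits senders to 10.3.2.0/24 (an assumed range chosen to match the addresses used on this page), binds the remote inputs to their own ruleset so remote messages never fall through into the server's own log files, and has rsyslog create each per-host directory with the same owner and mode the manual chown/chmod step set.

```rsyslog
# /etc/rsyslog.d/10-remote.conf (assumed file name; added example, not from the page)

# Only accept syslog from these addresses. Anything else is dropped and noted
# in rsyslog's own log. 10.3.2.0/24 is an assumed range matching this page.
$AllowedSender UDP, 127.0.0.1, 10.3.2.0/24
$AllowedSender TCP, 127.0.0.1, 10.3.2.0/24

# Remote reception, bound to a dedicated ruleset so remote messages are handled
# only by the rules below and do not mix with the server's own /var/log files.
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")
module(load="imtcp")
input(type="imtcp" port="514" ruleset="remote")

# Same layout as the page's template: one directory per sending host, one file
# per program. secpath-replace turns any "/" a sender puts into its hostname or
# program tag into "_", so a crafted header cannot steer the file out of /var/log.
template(name="remote-incoming-logs" type="string"
         string="/var/log/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log")

ruleset(name="remote") {
    # dynaFile creates /var/log/<host>/ on demand with the same ownership and
    # modes the manual mkdir/chown/chmod step used (syslog:adm, 0750 dirs,
    # 0640 files), so a newly seen client never produces a world-readable log.
    action(type="omfile" dynaFile="remote-incoming-logs"
           dirOwner="syslog" dirGroup="adm" dirCreateMode="0750"
           fileOwner="syslog" fileGroup="adm" fileCreateMode="0640")
    stop
}
```

Use this in place of uncommenting the module and input lines in /etc/rsyslog.conf, not in addition to them, or rsyslog will complain about loading imudp and imtcp twice; the rsyslogd -N1 check on this page flags that.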

Restart services

sudo systemctl restart rsyslog.service

Check status

systemctl status rsyslog.service

Validate that the configuration works as intended without syntax errors

rsyslogd -f /etc/rsyslog.conf -N1

Client-side rsyslogd Set Up

Each client whose logs should be sent to the server needs rsyslogd configured to do so. This portion of the process is done on each of the clients.

sudo apt install rsyslog

sudo vi /etc/rsyslog.conf

Specify in the configuration file that you want all the logs to go to the server IP.

Replace 10.3.2.240 with the actual IP address of the log server (the double @@ sends over TCP; a single @ would send over UDP):

*.* @@10.3.2.240:514

Restart the service

sudo systemctl restart rsyslog

Test Log Entry

logger "This log entry is a test for client IP: 10.3.2.45"

This generates a log entry that can then be viewed on the log server. logger tags a message with the invoking user's name by default, so that name becomes %PROGRAMNAME% in the file path; replace mainuser with the actual username or directory name:

tail /var/log/syslog-server/mainuser.log

Note: The directory (e.g., ubuntu) is specific to the client's hostname in this example. When the hostname is changed, a new directory for logging is created on the server.

Running 'tail -f' lets you follow the systemd.log file on the server. Start it before restarting the ssh service on the client and you will see the entries appear as they are logged.

On Server

tail -f /var/log/syslog-server/systemd.log

On Client

sudo systemctl restart ssh

Add MySQL to rsyslog

On the Log Server

Install MySQL

sudo apt install mysql-server

Add the MySQL rsyslog plugin

sudo apt install rsyslog-mysql

If your database server and log server are one and the same, you can use the wizard to step through the configuration. This allows you to then query the logs using the MySQL database.

Final Check:

  1. Ensure all directories (/var/log/%HOSTNAME%) exist and have the correct permissions.
  2. Make sure the rsyslog configuration files are correctly pointing to the log directories.
  3. Validate that both server and client configurations are error-free and functioning as expected.
