Log files keep information about system activities such as authorization and access attempts, system startup and shutdown, service startup and shutdown, and so on. There are different log files for different types of activity. Log files facilitate troubleshooting and monitoring of system activities. Rsyslog is an open-source program for Linux that can be configured both as a logging server and as a client.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our customers with Rsyslog-related queries.
In this context, we shall look into setting up an Rsyslog server on Ubuntu 20.04 using two Ubuntu machines. On one machine we will configure Rsyslog as a logging server, and on the other we will configure Rsyslog as a client that sends its logs to the Rsyslog server.
1. Perform System Update
To begin, ensure that all your system packages are up-to-date by running the following apt commands in the terminal:
$ sudo apt update
$ sudo apt upgrade
2. Install Rsyslog on the system
Rsyslog is available in the Ubuntu base repository. Run the following command to install the Rsyslog package on your system:
$ sudo apt install rsyslog
Once the installation is done, start and enable the Rsyslog service:
$ sudo systemctl start rsyslog
$ sudo systemctl enable rsyslog
To verify the installation of Rsyslog and to view the status of its service, run the command below:
$ sudo systemctl status rsyslog
3. Configure Rsyslog
Now that Rsyslog is installed and running, we will configure it as the logging server.
Edit the Rsyslog configuration file /etc/rsyslog.conf:
$ sudo nano /etc/rsyslog.conf
Add the below lines in the Rsyslog configuration file:
# Receive syslog over UDP
module(load="imudp")
input(type="imudp" port="514")
# Receive syslog over TCP
module(load="imtcp")
input(type="imtcp" port="514")
Then we will create a template that Rsyslog will use to store incoming syslog messages: each message is written to a file named after the sending host and the program that produced it. To do so, add the lines below to the Rsyslog configuration file before the GLOBAL DIRECTIVES section. Note that the *.* selector also matches the server's own local messages, so they are written under a directory named after the server's hostname as well:
$template remote-incoming-logs, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
Then save and close the configuration file.
Now run the command below to restart the service of Rsyslog:
$ sudo systemctl restart rsyslog
You can also verify that Rsyslog is listening on TCP/UDP port 514 using the command below:
$ sudo ss -tunlp | grep 514
4. Configure Firewall
If the firewall is enabled on your system, you will need to open TCP/UDP port 514, which the Rsyslog server uses to receive logs from remote clients. Run these commands to open TCP/UDP port 514 in the Ubuntu firewall:
$ sudo ufw allow 514/tcp
$ sudo ufw allow 514/udp
Then reload the firewall:
$ sudo ufw reload
Now, on the other Ubuntu system, we will configure the Rsyslog client, which will send its logs to the Rsyslog logging server.
On the Ubuntu machine that you want to configure as the Rsyslog client, first install Rsyslog (if it is not already installed):
$ sudo apt install rsyslog
Then edit the Rsyslog configuration file using this command:
$ sudo nano /etc/rsyslog.conf
Add the following lines at the end of the Rsyslog configuration file. Make sure to replace 192.168.72.201 with the IP address of your Rsyslog logging server:
# Send system logs to the rsyslog server over UDP
*.* @192.168.72.201:514
## Set a disk-assisted queue to preserve your logs in case the rsyslog server is experiencing downtime.
## The legacy $ActionQueue* directives apply to the action that follows them, so they go before the TCP action.
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
# Send system logs to the rsyslog server over TCP
*.* @@192.168.72.201:514
Save and close the Rsyslog configuration file.
Now run the command below to restart the service of Rsyslog:
$ sudo systemctl restart rsyslog
Once you have completed the configuration described above, you can view the log files that the clients send to the Rsyslog server. On the Rsyslog server machine, run the command below in the terminal:
$ ls /var/log/
In the output of the above command, you will see a directory named after your client system's hostname.
To view the log files of the client machine, list the contents of that directory (replace <client-hostname> with the name shown):
$ sudo ls /var/log/<client-hostname>
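To make the server-side template concrete, here is an added Python example (not from this article or from the rsyslog project) that parses a constructed RFC 3164 message of the kind a client forwards, works out which file the remote-incoming-logs template above would write it to, and shows the wire framing difference between the @ (UDP) and @@ (TCP) client actions. The hostname web01, the program sshd and the message text are constructed sample values; the path check is an extra precaution of this example, since both template properties come from the client's message.

```python
import re
from dataclasses import dataclass

# Constructed sample: the RFC 3164 shape a client forwards with "*.* @server:514".
# PRI 38 = facility 4 (auth) * 8 + severity 6 (info).
SAMPLE = "<38>Mar  5 10:12:01 web01 sshd[1234]: Accepted publickey for alice from 10.0.0.7 port 51234 ssh2"

RFC3164_RE = re.compile(
    r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^\s:\[]+)(?:\[\d+\])?: (.*)$")
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9._-]+$")  # plain file-name components only

@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    program: str
    text: str

def parse_rfc3164(line: str) -> SyslogMessage:
    """Split a BSD syslog line into the fields rsyslog exposes as properties."""
    m = RFC3164_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + severity 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogMessage(pri >> 3, pri & 7, m.group(2), m.group(3), m.group(4), m.group(5))

def dynafile_path(msg: SyslogMessage,
                  template: str = "/var/log/%HOSTNAME%/%PROGRAMNAME%.log") -> str:
    """Expand the article's template. Both properties come from the client's message,
    so refuse anything that is not a plain token before using it as a path component."""
    for field in (msg.hostname, msg.program):
        if not SAFE_TOKEN.match(field) or field in (".", ".."):
            raise ValueError(f"unsafe path component: {field!r}")
    return template.replace("%HOSTNAME%", msg.hostname).replace("%PROGRAMNAME%", msg.program)

def build_frames(line: str) -> tuple[bytes, bytes]:
    """Wire form for the two client actions: '@' sends one UDP datagram per message,
    '@@' writes newline-delimited messages onto a TCP stream."""
    return line.encode(), line.encode() + b"\n"
```

Because the client configuration above keeps both the @ and the @@ action active for *.*, every message is delivered twice and the server stores each line twice; keep only the transport you need once the setup is verified.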
This article covers how to install and configure an Rsyslog server and client on Ubuntu 20.04 LTS (Focal Fossa). Checking logs is an important activity for seeing what is happening on your Linux servers, especially when you are trying to locate an issue. Rsyslog's configuration file format is compatible with syslog's, which means you can copy a syslog.conf file directly into rsyslog.conf and it will work.
syslog-ng, Fluentd, Logstash, Graylog2, Logagent and Filebeat are alternatives to Rsyslog.
Directories where different sorts of logs are stored on a Linux system: