Setting up Syslog for centralized logging allows you to collect and analyze logs from multiple servers in a single location, improving visibility and management of system events. Here’s a guide on configuring a centralized Syslog server and client.
What is Syslog?
Syslog (System Logging Protocol) is a standard protocol for message logging in Unix and Linux systems. It provides a mechanism for log data collection and storage, where multiple clients send logs to a centralized server for monitoring and analysis.
Prerequisites
- Syslog Server (central server where logs will be stored)
- Syslog Clients (machines that will send their logs to the central server)
- Root or sudo access on both the server and clients
Step 1: Set Up the Centralized Syslog Server
1. Install rsyslog (if it’s not already installed):
On Debian/Ubuntu:
sudo apt update
sudo apt install -y rsyslog
On RHEL/CentOS:
sudo yum install -y rsyslog
2. Configure rsyslog to receive logs over the network:
Open the rsyslog configuration file:
sudo vi /etc/rsyslog.conf
Uncomment or add the following lines to enable TCP and UDP log reception (enable only the transports you actually need: UDP gives no delivery guarantee, so TCP is the better choice for clients that support it):
# Provides TCP syslog reception
module(load="imtcp") # Load TCP input module
input(type="imtcp" port="514")
# Provides UDP syslog reception
module(load="imudp") # Load UDP input module
input(type="imudp" port="514")
3. Specify a Log Directory for Incoming Logs (optional but recommended):
By default, logs will be written to /var/log/syslog or /var/log/messages. You can create a custom directory for each client’s logs by adding a template and a rule to rsyslog.conf; %HOSTNAME% and %PROGRAMNAME% are filled from each message’s header, so every client gets its own directory with one file per program:
# Custom rule for incoming logs
template(name="RemoteLogs" type="string" string="/var/log/%HOSTNAME%/%PROGRAMNAME%.log")
*.* ?RemoteLogs
4. Save and close the file, then restart rsyslog:
sudo systemctl restart rsyslog
5. Allow Syslog traffic through the firewall:
Open port 514 for TCP and UDP (both only if you enabled both inputs):
For ufw (Ubuntu/Debian):
sudo ufw allow 514/tcp
sudo ufw allow 514/udp
For firewalld (AlmaLinux/CentOS/RHEL):
sudo firewall-cmd --permanent --add-port=514/tcp
sudo firewall-cmd --permanent --add-port=514/udp
sudo firewall-cmd --reload
Step 2: Configure Syslog Clients to Send Logs to the Central Server
1. Install rsyslog on each client (if it’s not already installed):
sudo apt update && sudo apt install -y rsyslog # For Debian/Ubuntu
sudo yum install -y rsyslog # For RHEL/CentOS
2. Configure the client to send logs to the central server:
Open the rsyslog configuration file:
sudo vi /etc/rsyslog.conf
Add one of the following lines at the end of the file to forward logs to the central Syslog server (replace <server_ip> with your server’s IP address; a single @ forwards over UDP, @@ over TCP, and adding both lines would send every message twice):
*.* @<server_ip>:514 # For UDP
*.* @@<server_ip>:514 # For TCP
For example:
*.* @192.168.1.10:514
3. Save and close the file, then restart rsyslog on the client:
sudo systemctl restart rsyslog
Step 3: Verify Centralized Logging
1. Generate a test log entry on the client: run the following command on the client to generate a sample log entry (the -t flag sets the program name, so with the RemoteLogs template the message lands in test.log):
logger -t test "Test log entry from client"
2. Check logs on the server:
On the Syslog server, look in /var/log/ or in the directory you specified. For example:
sudo tail -f /var/log/syslog
Or, if you configured a custom directory:
sudo ls /var/log/<client_hostname>/
sudo tail -f /var/log/<client_hostname>/test.log
You should see the test log entry from the client.
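To see how the RemoteLogs template turns a received line into a per-client file, here is an added Python example (not part of the original guide, and not rsyslog’s own code) that parses a BSD-syslog line the way the server receives it on port 514 and derives the same /var/log/<hostname>/<program>.log path, refusing client-supplied names that are not safe as path components. The sample line and the hostname web01 are constructed.

```python
import re
from dataclasses import dataclass

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 (BSD syslog) line as received on port 514:
#   <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG   where PRI = facility*8 + severity
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
# HOSTNAME and TAG are client-supplied and end up in a file path: allow only plain names.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")

@dataclass
class SyslogRecord:
    facility: str
    severity: str
    timestamp: str
    hostname: str      # rsyslog's %HOSTNAME% property
    programname: str   # rsyslog's %PROGRAMNAME% property (the TAG without [PID])
    pid: str
    msg: str

    def remote_log_path(self, base: str = "/var/log") -> str:
        """File the guide's RemoteLogs template would write this record to."""
        for name in (self.hostname, self.programname):
            if not _SAFE_NAME.match(name) or name in (".", ".."):
                raise ValueError(f"unsafe path component: {name!r}")
        return f"{base}/{self.hostname}/{self.programname}.log"

def parse_syslog_line(line: str) -> SyslogRecord:
    m = _RFC3164.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    pri = int(m["pri"])
    if pri > 191:  # 23*8 + 7 is the largest legal PRI value
        raise ValueError(f"PRI {pri} out of range")
    return SyslogRecord(FACILITIES[pri // 8], SEVERITIES[pri % 8], m["ts"],
                        m["host"], m["tag"], m["pid"] or "", m["msg"])

# Constructed sample: what the server receives after a client named web01 runs
# `logger -t test "Test log entry from client"` (user.notice -> PRI 13).
SAMPLE_LINE = "<13>Nov  5 10:42:01 web01 test[2187]: Test log entry from client"
```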
Step 4: Optional – Setting Up Log Rotation (Recommended)
To prevent the central log server from filling up with logs, set up log rotation.
1. Edit or create a log rotation file (for custom logs):
sudo nano /etc/logrotate.d/remote-logs
2. Add the following configuration for log rotation:
/var/log/*/*.log {
    daily
    missingok
    rotate 7
    compress
    delaycompress
    notifempty
    create 0640 syslog adm
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}
This configuration will rotate logs daily, keep seven days’ worth of logs, and compress old logs to save space. Note that the glob also matches any other .log file one directory below /var/log, and that the owner and group in the create line and the postrotate helper path are the Debian/Ubuntu defaults; compare them with your distribution’s /etc/logrotate.d/rsyslog and adjust if they differ.
Author’s final word
You have successfully set up a centralized Syslog server to collect logs from multiple Linux clients. This setup can help streamline log management, enhance monitoring, and enable centralized log analysis for better insights into your systems’ health and security.