If you are a system administrator and responsible for managing hundreds or thousands of servers then it is very difficult to check the logs of each server. This is the place where Rsyslog comes into the picture.
Rsyslog is an open-source software tool for Unix-based operating systems used for collecting log messages from multiple network devices. It helps you analyze logs and troubleshoot a Linux server. It collects data from different types of sources and can write it out in multiple formats. It is based on a client-server architecture, so you will need to configure Rsyslog either as a server or as a client that forwards to a server.
In this tutorial, you'll learn how to install and set up Rsyslog as a centralized monitoring server on Ubuntu 20.04.
Requirements
- Two servers running on Ubuntu 20.04.
- A root password is set up on both servers.
Install Rsyslog
By default, the Rsyslog package is included in the Ubuntu standard repository. You can install it by just running the following command:
# apt-get install rsyslog -y
Once the installation is completed, start the Rsyslog service and enable it to start at system reboot:
# systemctl start rsyslog
# systemctl enable rsyslog
Set Up Rsyslog Server
Next, you will need to set up the Rsyslog server to run in server mode. You can configure it by editing the file /etc/rsyslog.conf:
# nano /etc/rsyslog.conf
Find and uncomment the following lines to make your server listen on the UDP and TCP syslog ports:
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
Save and close the file when you are finished.
Next, you will need to add the following line to receive and store incoming syslog messages:
$template RemInputLogs, "/var/log/remotelogs/%FROMHOST-IP%/%PROGRAMNAME%.log"
*.* ?RemInputLogs
Save and close the file then restart Rsyslog to apply the changes:
# systemctl restart rsyslog
You can also verify the Rsyslog status with the following command:
# systemctl status rsyslog
You should get the following output:
● rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2021-01-27 07:21:20 UTC; 2s ago
TriggeredBy: ● syslog.socket
Docs: man:rsyslogd(8)
https://www.rsyslog.com/doc/
Main PID: 1617 (rsyslogd)
Tasks: 10 (limit: 2353)
Memory: 1.5M
CGroup: /system.slice/rsyslog.service
└─1617 /usr/sbin/rsyslogd -n -iNONE
Jan 27 07:21:20 ubuntu2004 systemd[1]: Starting System Logging Service...
Jan 27 07:21:20 ubuntu2004 rsyslogd[1617]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.2001.0]
Jan 27 07:21:20 ubuntu2004 rsyslogd[1617]: rsyslogd's groupid changed to 110
Jan 27 07:21:20 ubuntu2004 rsyslogd[1617]: rsyslogd's userid changed to 104
Jan 27 07:21:20 ubuntu2004 rsyslogd[1617]: [origin software="rsyslogd" swVersion="8.2001.0" x-pid="1617" x-info="https://www.rsyslog.com"] sta>
Jan 27 07:21:20 ubuntu2004 systemd[1]: Started System Logging Service.
At this point, Rsyslog is started and listening on port 514. You can check it with the following command:
# ss -antpl | grep 514
You should get the following output:
LISTEN 0 25 0.0.0.0:514 0.0.0.0:* users:(("rsyslogd",pid=1617,fd=7))
LISTEN 0 25 [::]:514 [::]:* users:(("rsyslogd",pid=1617,fd=8))
Install and Set Up Rsyslog Client
Next, you will need to install the Rsyslog package on the client machine and configure it to send logs to the Rsyslog server.
First, install the Rsyslog package with the following command:
# apt-get install rsyslog -y
Once installed, edit the Rsyslog main configuration file:
# nano /etc/rsyslog.conf
Enable FQDN preservation and add your Rsyslog server IP as shown below (the double @@ forwards over TCP; a single @ would forward over UDP):
$PreserveFQDN on
*.* @@rsyslog-server-ip:514
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
Save and close the file then restart the Rsyslog service to apply the changes:
# systemctl restart rsyslog
Verify Logs
Now go to the Rsyslog server and verify logs received from the client machine with the following command:
# ls /var/log/remotelogs/127.0.0.1/
You should see one log file per program name received from the client, as in the following output:
ntpd.log rsyslogd.log sshd.log systemd.log systemd-logind.log
You can check the SSH log with the following command:
# tail -f /var/log/remotelogs/127.0.0.1/sshd.log
You should get the following output:
2021-01-27T07:44:20.146556+00:00 ubuntu2004 sshd[1677]: Connection closed by 192.241.218.42 port 57184 [preauth]
2021-01-27T07:55:13.224006+00:00 ubuntu2004 sshd[1682]: Accepted password for root from 27.61.202.214 port 60658 ssh2
2021-01-27T07:55:13.229836+00:00 ubuntu2004 sshd[1682]: pam_unix(sshd:session): session opened for user root by (uid=0)
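Once the client's sshd log lands on the central server in the layout the template above produces, it can be checked automatically instead of by hand. The script below is an added example, not part of the original tutorial: it parses lines in the exact format shown above (RFC 3339 timestamp, host, program[pid], message), flags password logins as root and counts failed logins per source address. The sample log text and the 198.51.100.42 / 203.0.113.14 addresses are constructed for this example; the directory layout /var/log/remotelogs/<ip>/sshd.log is the one configured earlier on the page.

```python
import re
from collections import Counter
from datetime import datetime
from pathlib import Path

# Constructed sample in the format rsyslog writes to /var/log/remotelogs/<ip>/sshd.log.
SAMPLE_SSHD_LOG = """\
2021-01-27T07:44:20.146556+00:00 ubuntu2004 sshd[1677]: Connection closed by 198.51.100.42 port 57184 [preauth]
2021-01-27T07:50:01.000000+00:00 ubuntu2004 sshd[1680]: Failed password for invalid user admin from 198.51.100.42 port 57201 ssh2
2021-01-27T07:50:03.000000+00:00 ubuntu2004 sshd[1680]: Failed password for invalid user admin from 198.51.100.42 port 57201 ssh2
2021-01-27T07:50:05.000000+00:00 ubuntu2004 sshd[1681]: Failed password for root from 198.51.100.42 port 57210 ssh2
2021-01-27T07:55:13.224006+00:00 ubuntu2004 sshd[1682]: Accepted password for root from 203.0.113.14 port 60658 ssh2
2021-01-27T07:55:13.229836+00:00 ubuntu2004 sshd[1682]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

# "<timestamp> <host> <program>[<pid>]: <message>" as written by the RemInputLogs template.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# OpenSSH authentication result lines.
AUTH_RE = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
                     r"from (?P<ip>\S+) port (?P<port>\d+)")

def parse_line(line):
    """Split one remote-log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])  # handles the +00:00 offset and microseconds
    return rec

def analyze(text, fail_threshold=3):
    """Return root password logins and source IPs with at least fail_threshold failed logins."""
    failures = Counter()
    root_logins = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["prog"] != "sshd":
            continue
        a = AUTH_RE.match(rec["msg"])
        if not a:
            continue  # e.g. "Connection closed" or pam_unix session lines
        if a["result"] == "Failed":
            failures[a["ip"]] += 1
        elif a["user"] == "root" and a["method"] == "password":
            root_logins.append((rec["ts"], a["ip"]))
    brute = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return {"root_password_logins": root_logins, "brute_force_sources": brute}

def scan_remote_logs(base="/var/log/remotelogs"):
    """Run analyze() over every client's sshd.log under the template's directory layout."""
    return {p.parent.name: analyze(p.read_text()) for p in Path(base).glob("*/sshd.log")}

if __name__ == "__main__":
    print(analyze(SAMPLE_SSHD_LOG))
```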
Conclusion
Congratulations! You have successfully installed and set up the Rsyslog server on Ubuntu 20.04.
You can now install and configure more Rsyslog clients and send all logs to the Rsyslog server.
Any questions? Don't hesitate to contact us. We'll be glad to help you out :)