Today, we are going to explain how to set up a centralized log server using Rsyslog on Ubuntu 16.04 LTS, so that the logs of your client systems can be managed from one place. You no longer have to log in to each client when you want to check its log files. This is especially useful if you have a large number of systems on your network and want to do log management from a dedicated central log server.
Environment:
For the purpose of this guide, we will use 2 Ubuntu 16.04 servers, one acts as rsyslog server, and other acts as client.
Rsyslog Server:
OS: Ubuntu 16.04 LTS
IP address: 192.168.1.200
Hostname: logserver.yallalabs.com
Client Server:
OS: Ubuntu 16.04 LTS
IP Address: 192.168.1.201
Hostname: server01.yallalabs.com
Server configuration
– Back up the rsyslog configuration file (writing to /etc requires root privileges, hence sudo)
lotfi@logserver:~$ sudo cp /etc/rsyslog.conf /etc/rsyslog.conf.orig
– Open the rsyslog configuration file
lotfi@logserver:~$ sudo vi /etc/rsyslog.conf
– Find and uncomment the following lines so that the server listens for syslog messages on UDP and TCP port 514.
[...]
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
[...]
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
[...]
– Create a new file under the /etc/rsyslog.d/ directory that defines templates for the custom log file layout
[root@logserver ~]# vi /etc/rsyslog.d/tmpl.conf
– Add the following lines:
$template TmplAuth, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"
$template TmplMsg, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"
authpriv.* ?TmplAuth
*.info;mail.none;authpriv.none;cron.none ?TmplMsg
– Save and close the file.
Allow rsyslog's default port 514 through your firewall. The following commands open this port via UFW.
[root@logserver ~]# sudo ufw allow 514/tcp
[root@logserver ~]# sudo ufw allow 514/udp
– Reload UFW for the changes to take effect.
[root@logserver ~]# sudo ufw reload
– Finally, restart the rsyslog service using the following command
[root@logserver ~]# systemctl restart rsyslog
Client configuration
– Back up the rsyslog configuration file
[root@server01 ~]# cp /etc/rsyslog.conf /etc/rsyslog.conf.orig
– Open the rsyslog configuration file
[root@server01 ~]# vi /etc/rsyslog.conf
– In the ##RULES## section, add the following line (a single @ forwards over UDP; @@ would forward over TCP):
[...]
##RULES##
*.* @192.168.1.200:514
[...]
– Finally, restart the rsyslog service using the following command
[root@server01 ~]# systemctl restart rsyslog
– Let's log a test message to standard error (the screen) as well as to the system log using the following command:
[root@server01 ~]# logger -s " This is my Rsyslog client "
– Now go to the rsyslog server and look under the directory /var/log/client_logs; you should see a new folder named after the hostname of your rsyslog client:
[root@logserver ~]# ls -l /var/log/client_logs/server01/
total 12
-rw-r----- 1 syslog adm  43 Jun 13 20:39 root.log
-rw-r----- 1 syslog adm 307 Jun 13 20:34 su.log
-rw-r----- 1 syslog adm  82 Jun 13 20:34 unix_chkpwd.log
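As an added illustration (not code from this tutorial), the following Python script models how the two selector lines in tmpl.conf decide where an RFC 3164 message, as sent by `logger` over UDP, ends up under /var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log. The facility and severity tables follow RFC 3164; the hostname/program sanity check is my own addition, since both values arrive unauthenticated from the sender and become path components on the server.

```python
import re

# Facility and severity codes from RFC 3164 (PRI = facility * 8 + severity).
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
            "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}

# The two dynamic-file templates from tmpl.conf; both expand to the same path.
TEMPLATES = {
    "TmplAuth": "/var/log/client_logs/{host}/{prog}.log",
    "TmplMsg": "/var/log/client_logs/{host}/{prog}.log",
}

# "<PRI>Mmm dd hh:mm:ss host tag[pid]: message", as logger(1) emits it over UDP.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: ?(?P<msg>.*)$")

# %HOSTNAME% and %PROGRAMNAME% come straight from the sender, so they are treated as
# untrusted before being used in a file path (constructed check, not rsyslog's own).
SAFE_PART = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,252}$")


def select_template(facility, severity):
    """Apply the two selector lines from tmpl.conf; None means the message is dropped."""
    # authpriv.* ?TmplAuth
    if facility == FACILITY["authpriv"]:
        return "TmplAuth"
    # *.info;mail.none;authpriv.none;cron.none ?TmplMsg
    # ".info" = severity info or more urgent (numerically lower); ".none" drops a facility.
    if severity <= SEVERITY["info"] and facility not in (
            FACILITY["mail"], FACILITY["authpriv"], FACILITY["cron"]):
        return "TmplMsg"
    return None


def route(raw):
    """Return (template, path) the server would write this message to, or None."""
    m = RFC3164.match(raw)
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    facility, severity = divmod(int(m["pri"]), 8)
    if facility > 23 or not SAFE_PART.match(m["host"]) or not SAFE_PART.match(m["prog"]):
        return None
    tmpl = select_template(facility, severity)
    return None if tmpl is None else (tmpl, TEMPLATES[tmpl].format(host=m["host"], prog=m["prog"]))


if __name__ == "__main__":
    # Constructed sample lines: what "logger -s" as root and a su session on server01 emit.
    print(route("<13>Jun 13 20:39:00 server01 root: This is my Rsyslog client"))
    print(route("<86>Jun 13 20:34:00 server01 su[2291]: Successful su for lotfi by root"))
```

Note that authpriv.none on the second selector is what keeps su and unix_chkpwd messages from being written twice, since both templates point at the same file.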
We hope this tutorial was helpful. If you need more information or have any questions, just comment below and we will be glad to assist you!
22 comments
Where do you call tmpl.conf?
Hi Fernandez,
/etc/rsyslog.conf is configured to include all config files under the rsyslog.d directory:
# cat /etc/rsyslog.conf
[...]
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
[...]
Hi Lotfi Waderni
rsyslog is configured and working successfully, but the client MAC address is not mentioned anywhere in any log.
Hi Srinivas,
It doesn't display the MAC address; it just displays the hostname or the IP address.
How can I forward message from a specific log file with rsyslog client to remote rsyslog server? This log file is outside of the directory /var/log. What are the security logs to monitor in Ubuntu 16.04 ?
There are many articles online showing configuration to send all log files (*.*)
But, hardly any article that shows how to do it for application log files that are stored in directory other than /var/log
I have multiple applications running on a VM and need to send their logs in addition to syslog and auth.log.
How can we configure forwarding of logs via UDP for specific log files located at different locations in the VM to the centralized log server?
Hi,
you can use rsyslog to send the logs of a specific application from a different directory:
1./ you need to create an rsyslog file on the client VM under the directory /etc/rsyslog.d/
2./ create your custom log template using the imfile module, for example:
#variables required for non-syslog log file forwarding
$ModLoad imfile
$InputFileName /app/your-file.log
$InputFileTag your-tag
$InputFileStateFile your-tag
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
$InputFilePersistStateInterval 1000
local7.* @@remote-rsyslog-server:port
3./ Restart the rsyslog
It did not work.
Could you explain what doesn’t work
Sadly, it doesn't run… I followed your tutorial and set the same options, but my client_logs folder on the server stays empty( What am I doing wrong, and how can I check that my logs are going to my server? The connection is OK according to ping.
Hi ARTEM,
Make sure that your rsyslog server and client can communicate without any problems on ports 514/tcp and 514/udp; check your firewall settings.
Maybe this is a permission problem on the /var/log/client_logs folder? Modify the folder permissions with chmod and it will work, maybe. 😉
I've followed your tutorial and for some reason I find my client_logs folder empty. I checked with `cat /etc/services | grep 514` and found this:
shell 514/tcp cmd # no passwords used
syslog 514/udp
syslog-tls 6514/tcp # Syslog over TLS [RFC5425]
What am I doing wrong?
Hi Salini,
Check the firewall; the rsyslog client should be able to communicate with the rsyslog server on port 514 TCP/UDP.
Hi, I configured it exactly as described. I can even reach the log server from my client machine over port 514 (nc -zv command), but I am not seeing the folders created under /var/log. How do I debug this?
Hi,
if the client_logs folder isn't created automatically, then try to create it manually and restart the rsyslog daemon.
Hi. I want to configure my config file to send the logs to EventLog Analyzer, which is installed on my Windows machine, but I have no idea how to do it. Could you help me please?
To forward logs to EventLog Analyzer, you can configure rsyslog on the clients to send logs by executing the following steps:
– Open the rsyslog configuration file
# vi /etc/rsyslog.conf
– In the ##RULES## section, add the following line:
[...]
##RULES##
*.* @Server_ip:514
[...]
– Restart the rsyslog daemon
# systemctl restart rsyslog
I now have my nginx logs under /var/log/client_logs on my centralised server; now I want to send these logs from rsyslog to Graylog. How can I do that?
Hi Joao,
you can use this addon to send nginx logs to Graylog: https://marketplace.graylog.org/addons/572ff823-62cc-468e-af17-300bcfd9932d
Hi, LOTFI WADERNI
Can you please suggest an open source centralized log server for Windows Server? Can the Ubuntu syslog server take Windows logs?
Hi,
Yes, of course: you can install rsyslog-ng, nxlog or another syslog client on your Windows operating system.
If you are looking for an easy solution for a centralized log server, you can install LogAnalyzer.
Check out these links:
– How to Setup LogAnalyzer with Rsyslog On Ubuntu
– How to Forward Windows system Event logs to a Linux Syslog Server
Solution 2: Install Graylog
– http://yallalabs.com/tag/graylog/
Good Luck.