
How to install and configure rsyslog for a centralized Linux log server

Tired of having to log into individual Linux machines to read through log files? Here's how to set up a centralized Linux log file server with the help of rsyslog.

How many Linux machines do you administer? If that number is significant, and those machines are all on the same network, do you get tired of having to secure shell into each machine to view individual log files? What if you could configure all of those Linux machines to send their log files to a centralized server? With Linux (and rsyslog), this is not only possible, it's incredibly easy.

I'm going to show you how to do just that. I'll be demonstrating on Ubuntu Server 16.04 machines, but the process is the same (with only a slight variation in how the software is installed) on every distribution.

I will assume you have access to all the machines you need to configure and that you have one Linux server to stand as a dedicated log file device. With that said, let's get this system up and running.

Installation

Chances are, rsyslog is already installed on your machine. You can find out by issuing the command less /etc/rsyslog.conf. If you see the contents of the rsyslog configuration file, you're good to go. If not, the software can be installed with the command sudo apt install rsyslog. The module() configuration syntax used below needs rsyslog 7 or later (Ubuntu 16.04 ships version 8); rsyslogd -v prints the installed version.

That's all there is to the installation. You'll want to be sure that rsyslog is installed on both the centralized server and all clients that will be sending their log files.


Configuration—server

You must configure the server and the clients differently. First I'll show you how to configure the server. Log into that machine and open up a terminal window. Issue the command sudo nano /etc/rsyslog.conf. Locate the following two lines and uncomment them (by removing the # characters):

#module(load="imudp")
#input(type="imudp" port="514")

Do the same thing for the next two lines:

#module(load="imtcp")
#input(type="imtcp" port="514")

If your clients will only use the @@ (TCP) form shown below, you can leave the UDP lines commented out: UDP delivery is lossy, and the source address of a UDP datagram is trivially forged. Either way, the listener accepts plaintext, unauthenticated syslog from anything that can reach port 514, so restrict it to your management network with the host firewall (for example, sudo ufw allow from 192.168.1.0/24 to any port 514 proto tcp, substituting your own client subnet).

That's all there is to the configuration on the server. Save and close that file. Check it for syntax errors with sudo rsyslogd -N1, then restart rsyslog with the command:

sudo systemctl restart rsyslog
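A hardened version of the server side, as an added example that is not from the original article: it keeps the listener TCP-only, validates the configuration before restarting, and writes each client's messages under /var/log/remote/ instead of mixing them into the server's own /var/log/syslog. The client network 192.168.1.0/24, the use of ufw, and the syslog user and adm group are assumptions (Ubuntu defaults); adjust them for your site.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): server-side rsyslog listener
# as a drop-in file under /etc/rsyslog.d/ instead of edits to rsyslog.conf.
# Assumptions (hypothetical): clients live on 192.168.1.0/24, the host runs
# ufw, rsyslog runs as user "syslog" with group "adm" (Ubuntu defaults).
set -euo pipefail

CLIENT_NET="${CLIENT_NET:-192.168.1.0/24}"   # assumed management network
CONF_FILE="/etc/rsyslog.d/00-remote-listener.conf"

# Emit the listener configuration. TCP only: UDP syslog is lossy and its
# source address is trivially spoofed. Remote messages are bound to their own
# ruleset, so they land under /var/log/remote/ and never reach the local rules.
server_config() {
    cat <<'EOF'
# Listener for remote clients (constructed example)
module(load="imtcp")

# One directory per sending host, one file per program.
# FROMHOST-IP comes from the TCP connection, not from the message text, so a
# client cannot write into another host's directory by forging its HOSTNAME.
template(name="RemoteFile" type="string"
         string="/var/log/remote/%FROMHOST-IP%/%PROGRAMNAME%.log")

ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteFile"
           dirCreateMode="0750" fileCreateMode="0640")
    # do not fall through to the server's own /var/log rules
    stop
}

input(type="imtcp" port="514" ruleset="remote")
EOF
}

# Install the file, validate the whole configuration, restart, and confirm the
# listener is actually bound before opening the firewall to the client subnet.
apply_server_config() {
    sudo install -d -o syslog -g adm -m 0750 /var/log/remote
    server_config | sudo tee "$CONF_FILE" >/dev/null
    sudo rsyslogd -N1                 # parse-only check; fails on typos
    sudo systemctl restart rsyslog
    if ! sudo ss -tlnp | grep -q ':514 '; then
        echo "rsyslog is not listening on TCP 514" >&2
        return 1
    fi
    sudo ufw allow from "$CLIENT_NET" to any port 514 proto tcp
}

# Run as:  ./server-rsyslog.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_server_config
fi
```

Because the per-host path is keyed on the peer's IP rather than the HOSTNAME field in the message, a misconfigured or hostile client can only pollute its own directory; if you prefer readable names, %FROMHOST% (reverse-resolved from the connection) is the equivalent safe choice.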

Configuration—client

Now we're going to configure the clients, such that they'll send their logs to the centralized server. You do not need to edit /etc/rsyslog.conf for this: on Ubuntu it already includes every file in /etc/rsyslog.d/, so create a new drop-in file with the command sudo nano /etc/rsyslog.d/10-rsyslog.conf and add the single line:

*.* @@SERVER:514

Where SERVER is the IP address (or resolvable hostname) of your centralized log file server. The *.* selector matches every facility and priority, and the double @@ means TCP; a single @ would send over UDP, which silently drops messages under load. Add this line in one place only: if it appears both in /etc/rsyslog.conf and in the drop-in, every message is forwarded twice.

Save and close that file, check it with sudo rsyslogd -N1, and restart rsyslog with the command sudo systemctl restart rsyslog.
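The client side as an added example (not from the original article), using the omfwd action rather than the @@ shorthand so that a disk-assisted queue can be attached: if the log server is unreachable, messages spool under rsyslog's work directory and are replayed when the connection returns, instead of being discarded while the forwarding action is suspended. The server address 192.168.1.10 is an assumption; set LOG_SERVER to override it. The second function sends a tagged test message you can look for on the server.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): client-side forwarding with
# a disk-assisted queue, as a drop-in file. Assumed (hypothetical) log-server
# address 192.168.1.10; override with LOG_SERVER=... Requires $WorkDirectory to
# be set in rsyslog.conf, which Ubuntu does (/var/spool/rsyslog).
set -euo pipefail

LOG_SERVER="${LOG_SERVER:-192.168.1.10}"
CONF_FILE="/etc/rsyslog.d/10-forward-to-logserver.conf"

# Same effect as  *.* @@SERVER:514  (a top-level action() with no selector
# applies to every message), but with an in-memory queue that spills to disk
# and an action that retries forever instead of dropping on the first failure.
client_config() {
    cat <<EOF
# Forward everything to the central log server (constructed example)
action(type="omfwd"
       target="$LOG_SERVER" port="514" protocol="tcp"
       queue.type="LinkedList"
       queue.filename="fwd_logserver"
       queue.maxDiskSpace="1g"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
EOF
}

apply_client_config() {
    client_config | sudo tee "$CONF_FILE" >/dev/null
    sudo rsyslogd -N1                 # parse-only check before restarting
    sudo systemctl restart rsyslog
}

# Emit a tagged message through the local syslog socket; it should appear on
# the server within a second or two, tagged "centraltest".
send_test_message() {
    logger -t centraltest "forwarding check from $(hostname) at $(date -u +%FT%TZ)"
}

# Run as:  ./client-rsyslog.sh apply    then    ./client-rsyslog.sh test
case "${1:-}" in
    apply) apply_client_config ;;
    test)  send_test_message ;;
esac
```

queue.filename is what turns the in-memory LinkedList queue into a disk-assisted one; without it, a long server outage would still lose messages once memory limits are hit. On the server, look for the test message with grep centraltest /var/log/syslog under the stock configuration, or under /var/log/remote/<client IP>/centraltest.log if you split by source host.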

Viewing logs

At this point, rsyslog clients are sending their log entries to your server. With the stock server configuration, remote entries are interleaved with the server's own in /var/log/syslog (and in the facility-specific files such as /var/log/auth.log), distinguishable by the hostname field, which is whatever the client wrote into the message (Figure A). To confirm the path end to end, run logger -t centraltest "hello" on a client and grep for centraltest on the server.

Figure A

UBUNTUSERVERVM seeing entries to syslog from UBUNTUSERVER.

Log files made more manageable

You no longer have to remote into each of your Linux servers to read log files. Instead, log into that centralized server and view your log entries, for each configured Linux client, in one convenient location. That's log files made more manageable.


About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.
