How many Linux machines do you administer? If that number is significant, and those machines are all on the same network, do you get tired of having to secure shell into each machine to view individual log files? What if you could configure all of those Linux machines to send their log files to a centralized server? With Linux (and rsyslog), this is not only possible, it’s incredibly easy.
I’m going to show you how to do just that. I’ll be demonstrating on Ubuntu Server 16.04 machines, but the process is the same (with only a slight moderation in how the software is installed) on every distribution.
I will assume you have access to all the machines you need to configure and that you have one Linux server to stand as a dedicated log file device. With that said, let’s get this system up and running.
Chances are, rsyslog is already installed on your machine. You can find out by issuing the command less /etc/rsyslog.conf. If you see the contents of the rsyslog configuration file, you’re good to go. If not, the software can be installed with the command sudo apt install rsyslog.
That’s all there is to the installation. You’ll want to be sure that rsyslog is installed on both the centralized server and all clients that will be sending their log files.
SEE: Server deployment/migration checklist (TechRepublic)
You must configure the server and the clients differently. First I’ll show you how to configure the server. Log into that machine and open up a terminal window. Issue the command sudo nano /etc/rsyslog.conf. Locate the following two lines and uncomment them (by removing the # characters):
Do the same thing for the next two lines:
That’s all there is the configuration on the server. Save and close that file. Restart rsyslog with the command:
sudo systemctl restart rsyslog
Now we’re going to configure the clients, such that they’ll send their logs to the centralized server. To do this, first open up the configuration file with the command sudo nano /etc/rsyslog.conf. Scroll to the bottom of that file and add the line:
Where SERVER is the IP address of your centralized log file server.
Save and close that file. Now, create a new file with the command sudo nano /etc/rsyslog.d/10-rsyslog.conf. In that file, add the following contents:
Where ADDRESS is the IP address of your centralized log file server.
Restart rsyslog with the command sudo systemctl restart rsyslog.
At this point, rsyslog clients are sending their log file entries to your server. If you open up one of the files in /var/log, you will see entries that start with the hostname of your client machines (Figure A).
Log files made more manageable
You no longer have to remote into each of your Linux servers to read log files. Instead, log into that centralized server and view your log entries, for each configured Linux client, in one convenient location. That’s log files made more manageable.