Easy logging to centralized storage with rsyslog
First of all you need rsyslog installed on every system involved. Most Linux distributions already ship it as the default syslog daemon.
NOTE: every command in this tutorial must be executed as root or through sudo.
Installation step for both the centralized server and every client
Command for RedHat-based distros:
yum install rsyslog
Command for Debian-based distros:
apt-get install rsyslog
The next step is for the centralized log storage server (receiver).
Open /etc/rsyslog.conf in a text editor and uncomment (or add) the following lines, so the file contains:
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
Once the TCP and UDP input lines are uncommented, the receiver accepts messages on port 514 (binding that port is why rsyslog runs as root). Both inputs listen on all interfaces, in cleartext, and accept messages from anyone who can reach the port, so restrict it with a host firewall to the client addresses (or keep the receiver on a management network); for untrusted networks rsyslog can wrap the TCP input in TLS with its gtls netstream driver, which this tutorial does not cover.
By default the received messages land in the same files the storage host's own rsyslog uses (/var/log/messages or /var/log/syslog). If you want them in separate files, create 10-remote-templates.conf in /etc/rsyslog.d with the contents below. The rsyslog.d fragments are read at the point where the $IncludeConfig line sits in rsyslog.conf, so that line has to come before the default rules; otherwise remote messages are written to the local files before the discard rule in this fragment runs.
/etc/rsyslog.d/10-remote-templates.conf contents:
# Log remote hosts to separate log file
$template PerHostLog,"/var/log/remote-hosts/%HOSTNAME%.log"
$template RemoteHostFileFormat,"%TIMESTAMP% %HOSTNAME% %syslogfacility-text% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::space-cc,drop-last-lf%\n"
:inputname, isequal, "imudp" ?PerHostLog;RemoteHostFileFormat
& ~
As you can see, it saves everything underneath the /var/log/remote-hosts/ directory, one file per sending host (rsyslog creates the directory itself because $CreateDirs is on by default), and the final "& ~" discards the message so it is not also written to the local files (newer rsyslog versions prefer the word stop here but still accept ~ with a warning). Note that the filter matches only messages that arrived through the imudp input: messages received over TCP still go to the host's own log files, so if your clients send over TCP add a second rule of the same form that matches inputname "imtcp". Bear in mind too that %HOSTNAME% is whatever the sending host, or anything else that can reach UDP/514, put in the packet, and here it decides the file name; the property replacer options secpath-drop and secpath-replace exist to strip or replace slashes in a field used this way, and %FROMHOST-IP% gives the real peer address if you would rather name the files by that.
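To see what actually crosses the wire, and why %HOSTNAME% in the template above deserves care, here is an added example in Python that is not part of the original tutorial and not rsyslog code: it builds RFC 3164 datagrams the way the client's forwarding action does, runs a throw-away UDP receiver on localhost in the same process, parses what arrives, and derives the per-host file name only for hostnames that cannot escape /var/log/remote-hosts. The hostnames, IP address and log lines are constructed for the demo; the facility and severity tables are the RFC 3164 values; build_message, parse_message, per_host_path and exchange are this example's own helpers. The point it makes is that the receiver's only reliable knowledge of the sender is the peer address (what rsyslog exposes as %FROMHOST-IP%), while HOSTNAME is whatever the packet claims.

```python
import re
import socket
from datetime import datetime

# Facility and severity codes from RFC 3164 section 4.1.1 (PRI = facility * 8 + severity).
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5, "authpriv": 10, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Fixed timestamp so the output is reproducible; a real client uses the current time.
FIXED_TIME = datetime(2024, 1, 15, 10, 30, 5)


def build_message(facility, severity, hostname, tag, msg, when=FIXED_TIME):
    """Build a BSD-syslog (RFC 3164) datagram: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG.

    This is the shape of what a client's "*.* @server:514" action sends and what
    the imudp input on the central server has to parse.
    """
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    # RFC 3164 pads a single-digit day with a space ("Jan  5"), not a zero.
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {tag}: {msg}".encode()


_BSD_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+): ?"
    r"(?P<msg>.*)$",
    re.S,
)


def parse_message(data):
    """Parse a datagram the way a syslog receiver does; return a dict or None."""
    m = _BSD_LINE.match(data.decode("utf-8", errors="replace"))
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "hostname": m.group("host"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }


# Hostname labels per RFC 1123: letters, digits and hyphens, joined by dots.
_SAFE_HOST = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


def per_host_path(hostname, base="/var/log/remote-hosts"):
    """Reproduce the PerHostLog template, but only for a hostname that cannot
    escape the base directory. Returns None for anything else, because HOSTNAME
    comes straight from the packet and is therefore attacker-controlled."""
    if len(hostname) > 253 or not _SAFE_HOST.match(hostname):
        return None
    return f"{base}/{hostname}.log"


def exchange(datagrams, addr=("127.0.0.1", 0)):
    """Run a throw-away UDP receiver, send the datagrams to it from a client
    socket, and return what the receiver parsed plus the real peer address
    (the equivalent of rsyslog's %FROMHOST-IP% property)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(addr)
    server.settimeout(2.0)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for d in datagrams:
            client.sendto(d, server.getsockname())
        received = []
        for _ in datagrams:
            data, peer = server.recvfrom(65535)
            rec = parse_message(data) or {"raw": data}
            rec["fromhost_ip"] = peer[0]
            if "hostname" in rec:
                rec["path"] = per_host_path(rec["hostname"])
            received.append(rec)
        return received
    finally:
        client.close()
        server.close()


# Constructed sample traffic: one honest client and one that spoofs its hostname
# with a path-traversal string (hostnames, IP and messages are made up).
SAMPLE = [
    build_message("auth", "info", "web01", "sshd[1234]",
                  "Accepted publickey for alice from 10.0.0.5 port 51234 ssh2"),
    build_message("authpriv", "notice", "../../tmp/owned", "sudo",
                  "alice : TTY=pts/0 ; COMMAND=/bin/bash"),
]

if __name__ == "__main__":
    for rec in exchange(SAMPLE):
        print(rec)
```

Running it prints two parsed records: the first maps to /var/log/remote-hosts/web01.log, the second carries the spoofed hostname and gets no path, while both show the same fromhost_ip. In rsyslog itself you get the same protection without a script: apply secpath-replace (or secpath-drop) to the HOSTNAME field in the PerHostLog template, or name the files by %FROMHOST-IP% instead.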
Client configuration
For UDP, create the file 10-remote-send.conf in /etc/rsyslog.d with the following contents (*.* forwards every facility and priority, including auth and authpriv, which is what you want for central retention):
# Remote log send
*.* @centralHostnameOrIP:514
For TCP the contents are the same except for a second @ (remember that the receiver template above files only imudp messages separately, so add the matching imtcp rule there):
# Remote log send
*.* @@centralHostnameOrIP:514
With UDP, messages sent while the server is unreachable are lost silently; TCP at least detects a broken connection so rsyslog can retry (and an action queue, not covered here, can buffer in the meantime), so prefer TCP where losing messages matters. Neither transport authenticates the client or encrypts the traffic.
This is it. That’s how easy it is.
The last thing – Do not forget to restart rsyslog after changes
Restart rsyslog on Central Log server and then on every client server like this:
service rsyslog restart
or
systemctl restart rsyslog
After a couple of minutes you should see one file per client under /var/log/remote-hosts/ on the central server, named after the hostname each client sent. To test from a client without waiting for real traffic, the logger utility from util-linux can send a message straight to the server (its -n, -P, -d and -T options select the server, the port, UDP and TCP); the line should then show up in that client's file on the central server.
Thanks for reading. You can ask questions below.