
Install and Configure Rsyslog on Ubuntu 20.04

How to Set Up a Centralized Rsyslog Server on Ubuntu 20.04

Managing system logs across multiple servers is a significant challenge for any system administrator. Without a centralized system, troubleshooting issues, monitoring security events, and performing audits become a time-consuming and inefficient process. Fortunately, Ubuntu 20.04 comes with a powerful tool to solve this exact problem: Rsyslog.

Rsyslog is a high-performance, open-source utility for log processing. By configuring it correctly, you can create a central log server that collects, organizes, and stores logs from all your other machines (clients). This guide will walk you through the complete process of setting up an Rsyslog server and client on Ubuntu 20.04 for effective centralized logging.

Prerequisites

Before we begin, ensure you have the following:

  • Two servers running Ubuntu 20.04 (one for the server, one for the client).
  • A user with sudo or root privileges on both machines.
  • The private IP address of your designated log server.

Step 1: Install and Verify Rsyslog

Rsyslog is typically installed by default on most Ubuntu 20.04 systems. However, it’s good practice to confirm its presence and ensure it’s up to date.

First, run the update command on both the server and client machines:

sudo apt update

Next, install Rsyslog. If it’s already installed, this command will confirm it.

sudo apt install rsyslog

Once installed, you can check the status of the Rsyslog service to ensure it’s active and running without errors:

sudo systemctl status rsyslog

You should see an “active (running)” status, indicating that the service is operating correctly.

Step 2: Configure the Central Rsyslog Server

The next step is to configure your designated server to receive logs from remote clients. This involves editing the main Rsyslog configuration file.

The primary configuration file is located at /etc/rsyslog.conf. While you can edit this file directly, it’s often better to create separate configuration files in the /etc/rsyslog.d/ directory to keep your custom settings organized. For this setup, we will modify the main file.

Enable Log Reception

Open the configuration file with a text editor like nano:

sudo nano /etc/rsyslog.conf

You need to tell Rsyslog to listen for incoming logs. Find the #### MODULES #### section. You will see lines for UDP and TCP reception that are commented out.

Uncomment the following lines to enable both UDP and TCP listening on port 514.

  • UDP is faster but doesn’t guarantee message delivery.
  • TCP is more reliable as it ensures logs arrive in order and are not lost. It is the recommended protocol for critical logs.

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

Create a Template for Remote Logs

To keep logs from remote clients organized and separate from the server’s local logs, it’s wise to create a template. This template will define how incoming logs are saved.

Add the following lines to the configuration file, just after the module section you just edited. This will create a rule that saves logs from remote machines into a specific directory, organized by the client’s hostname.

$template remote-logs,"/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-logs

This configuration tells Rsyslog:

  • $template remote-logs,...: Defines a template named remote-logs that creates a log file path like /var/log/remote/client-hostname/sshd.log.
  • *.* ?remote-logs: Applies this template to all incoming messages from any facility and priority level.
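As an added example (not part of the original guide), the same template written in rsyslog's RainerScript syntax and bound to a ruleset. The plain selector *.* ?remote-logs matches every message rsyslog handles, including the server's own local logs, so those also get copied under /var/log/remote/<server-hostname>/. Binding the template to the two network listeners keeps local and remote logs apart. The file name /etc/rsyslog.d/10-remote.conf is an assumption; if you use this fragment, comment the module/input lines and the $template pair back out in rsyslog.conf so nothing is defined twice.

```rsyslog
# Added example, not from the original guide. Assumed location:
# /etc/rsyslog.d/10-remote.conf (replaces the module/input lines and the
# $template/*.* pair from Step 2 in /etc/rsyslog.conf).

# Listener modules, loaded once.
module(load="imudp")
module(load="imtcp")

# One file per client host and per program, created on demand.
template(name="remote-logs" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")

# Messages handled by this ruleset are written through the template and then
# dropped with "stop", so they do not also land in /var/log/syslog.
ruleset(name="remote") {
    action(type="omfile" dynaFile="remote-logs")
    stop
}

# Bind both listeners to the ruleset. The server's own local messages never
# enter it and keep following the default rules in /etc/rsyslog.conf.
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
```

Note that %HOSTNAME% is taken from the message exactly as the client sent it, so the directory name is client-supplied. If you cannot rely on that value, %FROMHOST-IP% keys the directory on the sending address instead, and TLS with peer authentication (see Security and Best Practices) ties a name to a certificate rather than to a message field.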

Save the file and exit the editor (Ctrl+X, Y, Enter in nano).

Configure the Firewall

To allow clients to connect to the Rsyslog server, you must open port 514 in the firewall. Since we enabled both UDP and TCP, we should allow both. If you are using UFW (Uncomplicated Firewall):

sudo ufw allow 514/tcp
sudo ufw allow 514/udp
sudo ufw reload

Finally, restart the Rsyslog service to apply all the changes:

sudo systemctl restart rsyslog

Your central log server is now ready to receive logs.

Step 3: Configure the Rsyslog Client

Now, you need to configure your client machine(s) to forward their logs to the central server. This process is straightforward.

On your client machine, create a new configuration file in the /etc/rsyslog.d/ directory. This is the best practice, as it avoids modifying the main rsyslog.conf file and makes your changes easy to manage.

sudo nano /etc/rsyslog.d/50-forward.conf

Add the following line to this file. This single line instructs the client to forward all logs (*.*) to your remote server via TCP.

*.* @@<SERVER_IP>:514

  • *.*: This selector stands for all facilities at all priority levels.
  • @@: This indicates that logs should be sent over TCP. If you wanted to use UDP, you would use a single @.
  • <SERVER_IP>: Replace this with the actual private IP address of your Rsyslog server.
  • :514: The port number your server is listening on.
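As an added example (not part of the original guide), the same forwarding rule written as an explicit omfwd action. This makes the transport visible and, unlike the one-line @@ form, adds a disk-assisted queue so that messages are buffered locally while the server is unreachable and replayed once the connection returns, instead of being lost. The address 192.0.2.10 is a placeholder for your server's private IP, and the queue file name is an assumption.

```rsyslog
# Added example, not from the original guide. Assumed location:
# /etc/rsyslog.d/50-forward.conf, in place of "*.* @@<SERVER_IP>:514".
# 192.0.2.10 is a placeholder for the log server's private IP address.
#
# protocol="tcp" is what "@@" means in the short form ("udp" would be "@").
# action.resumeRetryCount="-1" keeps retrying the connection indefinitely
# instead of suspending the action after a few failures.
# queue.type="LinkedList" with queue.filename makes the queue disk-assisted:
# while the server is down, messages spill to files under rsyslog's work
# directory (/var/spool/rsyslog on Ubuntu), capped by queue.maxDiskSpace,
# and queue.saveOnShutdown writes any in-memory backlog to disk on restart.
*.* action(type="omfwd"
           target="192.0.2.10" port="514" protocol="tcp"
           action.resumeRetryCount="-1"
           queue.type="LinkedList"
           queue.filename="fwd_central"
           queue.maxDiskSpace="1g"
           queue.saveOnShutdown="on")
```

After saving the file, sudo rsyslogd -N1 checks the configuration for syntax errors before you restart the service.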

Save and close the file. Then, restart the Rsyslog service on the client to apply the new forwarding rule:

sudo systemctl restart rsyslog

Your client is now actively sending its logs to your central server. Repeat this step for any other clients you wish to monitor.

Step 4: Verify the Centralized Logging

After configuring both the server and client, you must verify that the system is working as expected.

On the Rsyslog server, check the /var/log/remote/ directory. You should see a new directory named after the hostname of your client machine.

ls -l /var/log/remote/

Inside that directory, you will find log files being populated by the client.

To perform a live test, go to your client machine and use the logger utility to generate a custom log message:

logger "This is a test message from my client machine."

Now, back on the server, you can check for this message. The logger utility typically logs to the user facility, so you can search for the message.

sudo grep "test message" /var/log/remote/<CLIENT_HOSTNAME>/*

If you see your test message, congratulations! You have successfully configured a robust centralized logging system.

Security and Best Practices

  • Use TCP for Reliability: For any production environment, always prefer TCP over UDP to ensure no log messages are dropped during network congestion.
  • Secure Log Transport with TLS: For sensitive environments, you should configure Rsyslog to use TLS encryption. This prevents log messages from being intercepted as they travel across the network.
  • Implement Log Rotation: Centralized logs can grow very quickly. Ensure you have a logrotate policy in place on the server to manage disk space by compressing and archiving old logs.
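As an added example (not part of the original guide), a TLS setup for the server and the client using rsyslog's gtls netstream driver, with mutual certificate authentication so that only clients holding a certificate from your CA can send logs and clients only talk to a server whose certificate name they expect. It assumes the rsyslog-gnutls package is installed on both machines (sudo apt install rsyslog-gnutls), that you have already issued a CA certificate plus one certificate per host, and that the file paths, host names and file names below are placeholders to replace with your own.

```rsyslog
# Added example, not from the original guide. All paths and names are
# assumptions: /etc/rsyslog-tls/*.pem hold your CA, certificate and key,
# logserver.example.internal is the server's certificate name, and clients
# carry certificates under *.example.internal.

# ---------- server side: /etc/rsyslog.d/10-remote-tls.conf ----------
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog-tls/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog-tls/server-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog-tls/server-key.pem"
)

# These module parameters replace the plain module(load="imtcp") line from
# Step 2. Mode 1 = TLS only; x509/name = the client must present a
# certificate from our CA whose name matches a permitted peer.
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["*.example.internal"])

# 6514 is the registered port for syslog over TLS; remember to allow it in
# UFW and to remove the plain 514 listeners once every client has migrated.
input(type="imtcp" port="6514")

# ---------- client side: /etc/rsyslog.d/50-forward-tls.conf ----------
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog-tls/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog-tls/client-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog-tls/client-key.pem"
)

# Replaces "*.* @@<SERVER_IP>:514": same selector, but over TLS, and the
# server's certificate name is checked against the CA before any log leaves.
*.* action(type="omfwd"
           target="logserver.example.internal" port="6514" protocol="tcp"
           StreamDriver="gtls"
           StreamDriverMode="1"
           StreamDriverAuthMode="x509/name"
           StreamDriverPermittedPeers="logserver.example.internal")
```

With x509/name on both sides a stolen or self-issued certificate is not enough to inject logs or to impersonate the server; the name in the certificate has to match what the other side permits. Keep the private keys readable only by root and the syslog user, and check sudo systemctl status rsyslog on both hosts after restarting, since a certificate or path mistake shows up there as a gtls error rather than as silently missing logs.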

Source: https://kifarunix.com/setup-rsyslog-server-on-ubuntu-20-04/
