Central logging with Rsyslog08. Mar '16

Introduction

Nowadays it's not realistic to observe logs on different machines manually. Instead log messages should be collected at a central logging server and not stored on individual servers at all to reduce disk space usage and disk writes.

Server configuration

Install rsyslog daemon:

apt-get install rsyslog

Create /etc/rsyslog.d/server.conf with following content:

# Provide UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provide TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

# Use custom filenaming scheme
$template FILENAME,"/var/log/remote/%HOSTNAME%.log"
*.* ?FILENAME

$PreserveFQDN on

Restart service:

service rsyslog restart

Make sure your network equipment of server firewall won't filter TCP 514 traffic.

Workstation configuration

Again, install rsyslog daemon:

apt-get install rsyslog

Create /etc/rsyslog.d/client.conf and substitute 1.2.3.4 with your log server IP-aadress:

$PreserveFQDN on
$ActionQueueType LinkedList
$ActionQueueFileName srvrfwd
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
*.* @@1.2.3.4:514

Such configuration makes sure no messages will be lost due to network glitches or reboots.

Finally restart the service:

service rsyslog restart

Testing

On server leave following running:

tail -f /var/log/remote/*.log

On workstation:

logger -s "Hello world"
rsyslog syslog