How To Install Rsyslog Log Server on Linux

In this tutorial, we are going to explain step by step how to install a Rsyslog log server on Linux systems.

What is Rsyslog?

Rsyslog (rocket-fast system for log) is a utility designed to offer high performance, excellent security features and a modular design that can be scaled to meet the needs of the company.

Rsyslog can accept inputs from a wide variety of sources, transform them and generate results for different destinations, optimizing IT management.

Install & Verify Status of Rsyslog

The Rsyslog daemon is installed automatically in most Linux distributions, but if not, we must execute the following commands:

In Debian systems

sudo apt-get install Rsyslog

On RedHat or CentOS systems

sudo yum install Rsyslog

We can verify the current status of Rsyslog by running the next line:

On Linux distributions that use Systemd

systemctl status rsyslog.service

In old versions of Linux

service rsyslog status
/etc/init.d/rsyslog status

In case the status of the Rsyslog service is inactive, we can start it by executing the following:

New versions of Linux

systemctl start rsyslog.service

Od versions of Linux

service rsyslog start
/etc/init.d/rsyslog start

Configure Rsyslog

To configure a rsyslog program to be run in server mode, we must edit the configuration file in the /etc/rsyslog.conf directory.

We can access using the desired editor:

sudo nano /etc/rsyslog.conf

There we will make the following changes. Locate and uncomment, removing the sign (#), from the following lines to allow the reception of UDP registration messages on port 514. By default, the UDP port is used by syslog to send and receive messages:

$ModLoad imudp
$UDPServerRun 514

The UDP protocol is not reliable for exchanging data over a network, so we can configure Rsyslog to send log messages to a remote server through the TCP protocol. To enable the TCP reception protocol, we will eliminate the following lines:

$ModLoad imtcp
$InputTCPServerRun 514

This will allow the rsyslog daemon to bind and listen on a TCP socket on port 514.

Both protocols can be enabled in rsyslog to run simultaneously on Linux.

If it is necessary to specify which senders are allowed access to the rsyslog daemon, we must add the following lines:

$AllowedSender TCP,,, *

At this point, it will be required to create a new template which will be analyzed by rsyslog daemon before receiving the incoming records.

This template should tell the local Rsyslog server where to store the incoming log messages. This template will go after the $ AllowedSender line:

$template Incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?Incoming-logs
& ~

To register only the messages generated by kern, we will add the following. With the above, the received records are analyzed by the template and will be stored in the local file system in the / var/log / directory, in the path:% HOSTNAME% and% PROGRAMNAME%.

kern.* ?Incoming-logs

Save the changes using the following key combination Ctrl + O and exit the editor using Ctrl + X.

Restart-Service & verify Rsyslog Ports

When we make some change we must restart the service by executing one of the following options:

sudo service rsyslog restart
sudo systemctl restart Rsyslog

To check the ports used by Rsyslog, we will run the following:

sudo netstat –tulpn | grep rsyslog

As we have indicated, the port handled will be 514, we must enable it in the firewall for use with the following lines.

On RedHat and CentOS

firewall-cmd --permanent --add-port=514/tcp
firewall-cmd –reload

On Debian

ufw allow 514/tcp
ufw allow 514/udp

If we use IPTables:

iptables -A INPUT -p tcp -m tcp --dport 514 -j ACCEPT
iptables -A INPUT -p udp --dport 514 -j ACCEPT

In this way, we have installed Rsyslog in Linux for the management of the various types of records that are generated continuously in it.

It might be interesting

iPhone Offers with is currently offering iPhone 3GS with a free SIM for just £900.

Presentation of iPhone 13, iPad 2021 and iPad mini, Apple Watch 7 and other new products

September 14, 2021 was Apple's traditional fall event. In this brief review I will tell you about all the software and hardware innovations.

Lycos To Relaunch Search Services In Europe, For Whatever Reason

Have you heard of Lycos? Well they are not dead yet and they seem to be rising again like a phoenix. the search engine and web portal has announced that it got back its license to use the trademarked brand names “Lycos”and “Hotbot” within the Europe.

Fractal Design introduced the Torrent Compact and Nano with good ventilation

Fractal Design announced Torrent Compact and Torrent Nano gaming cases. The new products are designed to provide efficient air cooling.