
Setting up a Logging Server

Summary

This page describes how to set up a central logging server that captures logs from any server on your network.

Configuration

You will need to edit the file "/etc/rsyslog.conf"

Editing the file

vi /etc/rsyslog.conf

You will need to change the following lines so that rsyslog accepts syslog messages on port 514 (UDP and TCP):

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")

Then simply restart the rsyslog daemon:

systemctl restart rsyslog

Multi Host Logging to one server

vi /etc/rsyslog.conf

Add the following before the "#### RULES ####" entry:

$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs

This lets every host/server log to its own folder.

The entry should look like this:

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")

#custom
$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& ~

#### RULES ####

The $template directive tells the rsyslog daemon to gather and write all of the received remote messages to separate logs under /var/log, based on the hostname (client machine name) and the remote client facility (program/application) that generated the messages, as defined by the settings in the RemoteLogs template. The second line, "*.* ?RemoteLogs", means record messages from all facilities at all severity levels using the RemoteLogs template. The third line, "& ~", chains a further action onto the same selector: "&" applies another action to the messages just matched, and "~" is the legacy discard action, so those messages are not processed by the rules that follow (that is, they are not appended a second time to the default local log files).

Setup Host Servers

This is what to set up on the servers whose logs you want sent to the central server.

You must log in to the server and then edit the following file:

vi /etc/rsyslog.conf

Once opened, add the following at the end of the file to forward everything. Use one of the two lines, depending on whether you want UDP or TCP; with both present every message is sent twice:

*.* @192.168.253.86:514   # use @ for UDP Protocol
*.* @@192.168.253.86:514   # use @@ for TCP Protocol

You can also set up specific logging by doing the following:

auth.* @192.168.253.86:514   # only for authentication-based records
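To make the RemoteLogs template and the "*.*" / "auth.*" selectors above concrete, here is an added Python model (not rsyslog code, and not part of the original page) that takes constructed RFC 3164 datagrams as the server would receive them on port 514, decodes the PRI into facility and severity, evaluates a selector, and expands the template path. It also shows the point a defender cares about: %HOSTNAME% and %PROGRAMNAME% come from the remote client, so a value containing a path separator must be rejected before it becomes part of a file name.

```python
"""Constructed model of what the rsyslog server above does with one syslog datagram.
Educational example, not rsyslog's own code; the sample messages are made up."""
import re

# Facility and severity names in numeric order, as used by "auth.*" style selectors.
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp"]
              + [f"facility{n}" for n in range(12, 16)]   # reserved codes
              + [f"local{n}" for n in range(8)])
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 framing: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:? ?(?P<msg>.*)$")

def parse(line):
    """Split one message into the properties the template and selectors refer to."""
    m = RFC3164.match(line)
    if not m or int(m["pri"]) > 191:
        raise ValueError("not a well-formed RFC 3164 message")
    facility, severity = divmod(int(m["pri"]), 8)
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "hostname": m["host"], "programname": m["tag"], "msg": m["msg"]}

def selector_matches(rec, selector):
    """Evaluate a "facility.severity" selector such as "*.*" or "auth.*".
    A named severity matches that level and everything more urgent, as in classic syslog."""
    fac, sev = selector.split(".")
    fac_ok = fac == "*" or fac == rec["facility"]
    sev_ok = sev == "*" or SEVERITIES.index(rec["severity"]) <= SEVERITIES.index(sev)
    return fac_ok and sev_ok

def is_safe_path_component(value):
    """HOSTNAME and PROGRAMNAME are supplied by the remote client, so a value that
    could leave the per-host directory must never reach the file path."""
    return bool(value) and value not in (".", "..") and "/" not in value and "\x00" not in value

def remote_log_path(rec, base="/var/log"):
    """Expand the RemoteLogs template "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"."""
    for field in ("hostname", "programname"):
        if not is_safe_path_component(rec[field]):
            raise ValueError(f"refusing unsafe {field} {rec[field]!r}")
    return f"{base}/{rec['hostname']}/{rec['programname']}.log"

SAMPLES = [  # constructed datagrams as they would arrive on UDP/TCP 514
    "<38>Mar  4 10:15:02 web01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "<13>Mar  4 10:15:03 db01 logger: nightly backup finished",
    "<38>Mar  4 10:15:04 ../../etc sshd: hostname field abused by a misbehaving client",
]

if __name__ == "__main__":
    for line in SAMPLES:
        rec = parse(line)
        try:
            path = remote_log_path(rec)
        except ValueError as err:
            path = str(err)
        print(f"{rec['facility']}.{rec['severity']:<8} auth.*={selector_matches(rec, 'auth.*')!s:<5} -> {path}")
```

The first sample lands in /var/log/web01/sshd.log and matches auth.*, the second matches only *.*, and the third is refused because its hostname would escape /var/log.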