How to Setup Rsyslog Server on Debian 11
Rsyslog is a free and open-source logging daemon that can forward log messages to a centralized log server over the IP network. It helps system administrators keep an eye on all servers from a central point. Rsyslog works in a client/server model: the server receives logs from remote clients on port 514 over TCP or UDP.
In this post, we will show you how to set up the Rsyslog server on Debian 11.
Prerequisites
- Two servers running Debian 11.
- A root password is configured on the server.
Install Rsyslog
First, you will need to install the Rsyslog server package on the server machine. You can install it using the following command:
apt-get install rsyslog -y
After the installation, verify the Rsyslog status using the following command:
systemctl status rsyslog
You should see the following output:
● rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2021-10-03 13:35:32 UTC; 1h 44min ago
TriggeredBy: ● syslog.socket
       Docs: man:rsyslogd(8)
             man:rsyslog.conf(5)
             https://www.rsyslog.com/doc/
   Main PID: 283 (rsyslogd)
      Tasks: 4 (limit: 2341)
     Memory: 5.0M
        CPU: 90ms
     CGroup: /system.slice/rsyslog.service
             └─283 /usr/sbin/rsyslogd -n -iNONE

Oct 03 13:35:32 debian11 systemd[1]: Starting System Logging Service...
Oct 03 13:35:32 debian11 rsyslogd[283]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.2102.0]
Oct 03 13:35:32 debian11 rsyslogd[283]: [origin software="rsyslogd" swVersion="8.2102.0" x-pid="283" x-info="https://www.rsyslog.com"] start
Oct 03 13:35:32 debian11 systemd[1]: Started System Logging Service.
Oct 03 13:35:34 debian11 systemd[1]: rsyslog.service: Sent signal SIGHUP to main process 283 (rsyslogd) on client request.
Oct 03 13:45:33 debian11 rsyslogd[283]: [origin software="rsyslogd" swVersion="8.2102.0" x-pid="283" x-info="https://www.rsyslog.com"] rsyslog>
Configure Rsyslog
Next, you will need to configure Rsyslog to run in server mode. You can do it by editing the Rsyslog main configuration file:
nano /etc/rsyslog.conf
Uncomment the following lines:
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
Next, add the following lines to define the template that determines where incoming logs from client systems are stored (one file per host and program):
$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
Save and close the file then restart the Rsyslog service to apply the changes:
systemctl restart rsyslog
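The same server-side setup can be written in rsyslog's current RainerScript syntax as a drop-in file under /etc/rsyslog.d/ (Debian's rsyslog.conf includes that directory). The file below is an added example, not part of the original tutorial; the file name is my choice and the ruleset name "remote" is an assumption. Binding both listeners to their own ruleset keeps remote messages out of the server's own /var/log/syslog and keeps the server's local messages out of the per-host tree, and the secpath-replace option stops a client-supplied hostname or program name containing "/" from being used as a path component under /var/log:

```conf
# /etc/rsyslog.d/10-remote.conf  (added example; file name chosen for this example)

# Load the UDP and TCP receivers.
module(load="imudp")
module(load="imtcp")

# One file per client host and program, as in the tutorial's template.
# secpath-replace rewrites any "/" inside the property to "_", so the
# value a client sends can never point outside /var/log/.
template(name="remote-incoming-logs" type="string"
         string="/var/log/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log")

# Ruleset that handles only messages arriving from the network.
# Messages bound to this ruleset are not processed by the default
# ruleset, so they do not also land in /var/log/syslog.
ruleset(name="remote") {
    action(type="omfile" dynaFile="remote-incoming-logs")
}

# Listeners on port 514, bound to the ruleset above.
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
```

Check the file with rsyslogd -N1 before restarting; it parses the configuration and reports errors without starting the daemon. Note that plain syslog on port 514 is neither encrypted nor authenticated, so instead of opening the port to everyone, limit it to the clients you expect, for example ufw allow from CLIENT-IP to any port 514 proto tcp (CLIENT-IP being a placeholder for the client's address).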
At this point, Rsyslog is running and listening on port 514. You can check it using the following command:
ss -tunlp | grep 514
You should see the following output:
udp   UNCONN 0      0            0.0.0.0:514       0.0.0.0:*    users:(("rsyslogd",pid=26276,fd=6))
udp   UNCONN 0      0               [::]:514          [::]:*    users:(("rsyslogd",pid=26276,fd=7))
tcp   LISTEN 0      25           0.0.0.0:514       0.0.0.0:*    users:(("rsyslogd",pid=26276,fd=8))
tcp   LISTEN 0      25              [::]:514          [::]:*    users:(("rsyslogd",pid=26276,fd=9))
Configure Firewall for Rsyslog
Next, you will need to allow port 514 through the UFW firewall. You can allow it with the following command:
ufw allow 514/tcp
ufw allow 514/udp
Next, reload the firewall to apply the changes:
ufw reload
Configure Rsyslog Client
Next, you will need to configure the Rsyslog client to send its log messages to the Rsyslog server. You can do it by editing the Rsyslog main configuration file:
nano /etc/rsyslog.conf
Add the following lines at the end of the file:
#Enable sending system logs over UDP to rsyslog server
*.* @rsyslog-server-ip:514
#Enable sending system logs over TCP to rsyslog server
*.* @@rsyslog-server-ip:514
Also, add the following lines to configure a disk-assisted queue that buffers messages locally while the Rsyslog server is down:
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
Save and close the file then restart the Rsyslog service to apply the changes:
systemctl restart rsyslog
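Two details of the legacy syntax above are worth knowing. The $ActionQueue* and $ActionResumeRetryCount directives apply to the next action statement that follows them, so to attach the queue to the forwarding rule they must appear above the *.* @@rsyslog-server-ip:514 line, not below it. And forwarding the same messages over both UDP and TCP stores every line twice on the server, so pick one transport (TCP, which the queue can actually detect failures on). The following drop-in file is an added example, not part of the original tutorial, that expresses the client side in RainerScript with the queue bound directly to the forwarding action; the file name is my choice and rsyslog-server-ip is the same placeholder the tutorial uses:

```conf
# /etc/rsyslog.d/90-forward.conf  (added example; file name chosen for this example)

# Forward every message (the equivalent of the "*.*" selector) to the
# central server over TCP.  Replace rsyslog-server-ip with the server's
# address or DNS name.
#
# The queue parameters attach a disk-assisted queue to this action:
#  - queue.filename: spool files are created under $WorkDirectory
#    (/var/spool/rsyslog on Debian) while the server is unreachable
#  - queue.maxDiskSpace: never use more than 1 GiB of disk for the spool
#  - queue.saveOnShutdown: write queued messages to disk on restart
#  - action.resumeRetryCount="-1": keep retrying instead of discarding
#    messages after a fixed number of failed attempts
action(type="omfwd"
       target="rsyslog-server-ip"
       port="514"
       protocol="tcp"
       queue.type="LinkedList"
       queue.filename="fwdq"
       queue.maxDiskSpace="1g"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
```

After restarting rsyslog on the client, a quick end-to-end check is logger -t fwdtest "hello from client" on the client; with the server template from this tutorial the line should appear in /var/log/CLIENT-HOSTNAME/fwdtest.log on the server, because logger's -t tag becomes the message's program name.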
Verify Client's Log File
All client log files are stored under the /var/log directory on the server machine.
You can check it with the following command:
ls -l /var/log/
You should see a log directory named after the hostname of the client system:
alternatives.log  auth.log.2.gz  daemon.log       debian11   dpkg.log    kern.log.1     messages.1     private   syslog.3.gz
clientpc          auth.log.3.gz  daemon.log.1     debug      dpkg.log.1  kern.log.2.gz  messages.2.gz  runit     syslog.4.gz
apt               btmp           daemon.log.3.gz  debug.2.gz icinga2     kern.log.4.gz  messages.4.gz  syslog
auth.log.1        csm.log        dbconfig-common  debug.4.gz kern.log    messages       ntpstats       syslog.2.gz
As you can see, clientpc is the log directory for the client system, and debian11 holds the server's own logs, because the *.* rule in rsyslog.conf applies to local messages as well.
Conclusion
In the above guide, we explained how to set up the Rsyslog server and client on Debian 11. You can now monitor your clients from the central location. Feel free to ask me if you have any questions.