How to Set Up Rsyslog Remote Logging on Linux

Every Linux distribution comes with logging systems to record system activities, which helps during system troubleshooting. Rsyslog is an open-source, high-performance logging system available for major Linux distributions including Debian and Red Hat based systems. Compared to the traditional SYSLOG protocol, it offers additional features such as content-based filtering, TCP transport, and extensive configuration options. This article describes how to set up Rsyslog Remote Logging in simple steps.

Installation

If Rsyslog is not installed on your Linux system, install it using the following command −

$ sudo apt-get install rsyslog rsyslog-doc

The output should be like this −

Reading package lists... Done
Building dependency tree
Reading state information... Done
rsyslog is already the newest version.
The following NEW packages will be installed:
rsyslog-doc
0 upgraded, 1 newly installed, 0 to remove and 265 not upgraded.
Need to get 931 kB of archives.
After this operation, 1,828 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://in.archive.ubuntu.com/ubuntu/ trusty-updates/main rsyslog-doc all 7.4.4-1ubuntu2.6 [931 kB]
Fetched 931 kB in 1s (508 kB/s)
Selecting previously unselected package rsyslog-doc.
(Reading database ... 165966 files and directories currently installed.)
Preparing to unpack .../rsyslog-doc_7.4.4-1ubuntu2.6_all.deb ...
Unpacking rsyslog-doc (7.4.4-1ubuntu2.6) ...
Processing triggers for doc-base (0.10.5) ...
Processing 32 changed doc-base files, 1 added doc-base file...
Setting up rsyslog-doc (7.4.4-1ubuntu2.6) ...

Rsyslog configuration is stored in the /etc/rsyslog.conf file, and additional configuration files are kept under the /etc/rsyslog.d/ directory.

Configuration Structure

The structure of Rsyslog configuration files consists of three main components −

[Figure: Rsyslog Configuration Structure. Modules (Input, Output, Parser), Configuration Directives, Rule Lines (Facilities, Priorities)]

Modules

Rsyslog has a modular architecture that allows functionality to be loaded dynamically. The modules are categorized as −

  • Input Modules − Used to gather messages from various sources

  • Output Modules − Used to write messages to various destinations (files, sockets, etc.)

  • Parser Modules − Used to parse message content

Configuration Directives

Configuration directives are instructions for Rsyslog. Each directive should be specified on a separate line starting with a dollar ($) symbol.

Rule Lines

Each rule line consists of two fields − a selector field and an action field. The selector field is further divided into facilities and priorities.

Sample Configuration

# MODULES
$ModLoad imuxsock
$ModLoad imklog

# DIRECTIVES
# Set the default permissions for all log files.
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755

# RULES
mail.info                       /var/log/mail.info
mail.warn                       /var/log/mail.warn
mail.err                        /var/log/mail.err
daemon.*                        /var/log/daemon.log
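
The following Python sketch is an added example, not part of the original article and not rsyslog's own parser. It models how the selector field of the sample rules above is matched: a plain priority such as mail.info selects that severity and every more severe one, so a single mail error is written to all three mail files. The function names are assumptions, and only the plain, *, =, none and semicolon-joined selector forms are covered.

```python
# Syslog severities, most severe first (lower number = more severe).
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

# The RULES section of the sample configuration above.
SAMPLE_RULES = """\
mail.info                       /var/log/mail.info
mail.warn                       /var/log/mail.warn
mail.err                        /var/log/mail.err
daemon.*                        /var/log/daemon.log
"""

def severity(name):
    return SEVERITY[ALIASES.get(name, name)]

def parse_rules(text):
    """Return (selector, action) pairs, skipping comments and $directives."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#$":
            continue
        selector, action = line.split(None, 1)
        rules.append((selector, action.strip()))
    return rules

def selector_matches(selector, facility, sev_name):
    """True if a message with this facility and severity matches the selector."""
    matched = False
    for part in selector.split(";"):      # later parts override earlier ones
        facs, prio = part.rsplit(".", 1)
        if facs != "*" and facility not in facs.split(","):
            continue
        if prio == "none":                # exclude this facility
            matched = False
        elif prio == "*":                 # every severity
            matched = True
        elif prio.startswith("="):        # exactly this severity
            matched = severity(sev_name) == severity(prio[1:])
        else:                             # this severity and anything more severe
            matched = severity(sev_name) <= severity(prio)
    return matched

def destinations(text, facility, sev_name):
    """List the action field of every rule that the message matches."""
    return [a for s, a in parse_rules(text) if selector_matches(s, facility, sev_name)]

if __name__ == "__main__":
    print(destinations(SAMPLE_RULES, "mail", "err"))
```

Because mail.err messages land in three files, a reviewer who wants each file to hold exactly one severity would use the = form of the selector.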

Templates

Templates are an important feature of Rsyslog that allows users to log messages in a desired format. They can also create dynamic file names for logging messages based on various criteria.

Checking Rsyslog Configuration

Before checking the configuration, restart Rsyslog to apply changes −

$ sudo service rsyslog restart

Verify that Rsyslog is running −

$ ps -A | grep rsyslog

Sample output −

6738 ?        00:00:00 rsyslogd

Check the Rsyslog configuration syntax −

$ rsyslogd -N1

Sample output −

rsyslogd: version 7.4.4, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.

Check system logs for Rsyslog errors −

$ sudo cat /var/log/messages | grep rsyslog

Testing with Sample Data

Verify Rsyslog is working by creating a test event −

$ logger "Tutorialspoint test message"

Check if the test event was recorded −

$ sudo cat /var/log/syslog | grep Tutorialspoint

Sample output −

Feb  4 11:25:54 linux tp: Tutorialspoint test message
Feb  4 11:32:25 linux tp: Tutorialspoint test message

Conclusion

Rsyslog provides a powerful and flexible logging solution for Linux systems with its modular architecture and extensive configuration options. Understanding its structure of modules, directives, and rule lines is essential for effective log management and system monitoring.

Updated on: 2026-03-17T09:01:38+05:30
