How to Setup Rsyslog Remote Logging on Linux


Every Linux distribution ships with a logging system that records system activity, which is helpful during troubleshooting. Rsyslog is an open source, rocket-fast system log processor. It is available for several major Linux distributions, including Debian and Red Hat based systems. Compared to the plain syslog protocol, it offers several additional features, such as content-based filtering, TCP as a transport, and a large number of configuration options. This article describes how to set up Rsyslog remote logging in simple steps.

Installation

If Rsyslog is not installed on your Linux system, install it using the following command −

$ sudo apt-get install rsyslog rsyslog-doc

The output should be like this −

Reading package lists... Done
Building dependency tree
Reading state information... Done
rsyslog is already the newest version.
The following NEW packages will be installed:
rsyslog-doc
0 upgraded, 1 newly installed, 0 to remove and 265 not upgraded.
Need to get 931 kB of archives.
After this operation, 1,828 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://in.archive.ubuntu.com/ubuntu/ trusty-updates/main rsyslog-doc all 7.4.4-1ubuntu2.6 [931 kB]
Fetched 931 kB in 1s (508 kB/s)
Selecting previously unselected package rsyslog-doc.
(Reading database ... 165966 files and directories currently installed.)
Preparing to unpack .../rsyslog-doc_7.4.4-1ubuntu2.6_all.deb ...
Unpacking rsyslog-doc (7.4.4-1ubuntu2.6) ...
Processing triggers for doc-base (0.10.5) ...
Processing 32 changed doc-base files, 1 added doc-base file...
Setting up rsyslog-doc (7.4.4-1ubuntu2.6) ...

The main Rsyslog configuration is stored in the /etc/rsyslog.conf file, and additional configuration files are placed under the /etc/rsyslog.d/ directory.

Configuration Structure

Rsyslog configuration files are structured in the following manner −

  • Modules
  • Configuration Directives
  • Rule Line

Modules

Rsyslog has a modular architecture that enables functionality dynamically. The modules are categorized in the following manner −

  • Input Modules – Used to gather messages from various sources.
  • Output Modules – Used to write the messages to various destinations (file, socket, etc.).
  • Parser Modules – Used to parse the message content.

Configuration Directives

Configuration directives are the configuration instructions for Rsyslog. Each directive is specified on its own line, which starts with a dollar ($) symbol.

Rule Line

Each rule line consists of two fields: a selector field and an action field. The selector field is in turn divided into two parts −

  • Facilities
  • Priorities

A Sample Configuration

# MODULES
$ModLoad imuxsock
$ModLoad imklog
# Directives
# Set the default permissions for all log files.
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
# RULES
mail.info       /var/log/mail.info
mail.warn       /var/log/mail.warn
mail.err        /var/log/mail.err
daemon.*        /var/log/daemon.log
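The selector semantics from the Rule Line section, applied to the sample rules above, as an added Python example that is not part of the article. It goes slightly beyond the page by adding one assumed forwarding rule using rsyslog's "@@host:port" (TCP forward) action, since that is the rule a remote-logging client ends up with; the host name is a placeholder.

```python
# Added example, not from the article: evaluates classic rsyslog rule lines
# ("facility.priority  action") to show which actions a message reaches.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LEVEL = {p: i for i, p in enumerate(PRIORITIES)}  # lower index = more severe
LEVEL.update(panic=0, error=3, warn=4)  # common aliases, e.g. mail.warn

# Constructed sample: the article's mail/daemon rules plus one assumed
# forwarding rule; "@@host:port" is rsyslog's syntax for TCP forwarding.
SAMPLE_RULES = """# RULES
mail.info   /var/log/mail.info
mail.warn   /var/log/mail.warn
mail.err    /var/log/mail.err
daemon.*    /var/log/daemon.log
*.info;mail.none;auth,authpriv.none   @@logserver.example.com:514
"""

def parse_rules(text):
    """Return (selector, action) pairs; blank lines, comments and $directives are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#$":
            continue
        selector, action = line.split(None, 1)
        rules.append((selector, action.strip()))
    return rules

def selector_matches(selector, facility, priority):
    """';'-separated parts apply left to right and a later part overrides earlier
    ones for the facilities it names (so 'mail.none' after '*.info' drops mail)."""
    level = LEVEL[priority]
    matched = False
    for part in selector.split(";"):
        facs, _, pri = part.rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue  # this part says nothing about our facility
        if pri == "*":
            matched = True
        elif pri == "none":
            matched = False
        elif pri.startswith("="):
            matched = level == LEVEL[pri[1:]]  # exactly this priority
        else:
            matched = level <= LEVEL[pri]  # this priority and more severe
    return matched

def route(rules, facility, priority):
    """Actions triggered for a message with the given facility and priority."""
    return [act for sel, act in rules if selector_matches(sel, facility, priority)]
```

For instance, a mail.notice message reaches only /var/log/mail.info, while a daemon.info message is written locally and forwarded.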

Templates

Templates are the most important feature of Rsyslog; they allow the user to log messages in a desired format. They can also be used to create dynamic file names for the log messages.

Check Rsyslog Configuration

Before checking Rsyslog configuration, make sure that you have restarted Rsyslog so that your changes can take immediate effect. To restart Rsyslog, use the following command −

$ sudo service rsyslog restart

Make sure Rsyslog is running. Use the following command to check whether the process is running; if it returns nothing, we can assume that Rsyslog is not running at all −

$ ps -A | grep rsyslog

A sample output should be like this −

6738 ? 00:00:00 rsyslogd

To check the Rsyslog configuration, use the following command −

$ rsyslogd -N1

The sample output should be like this −

rsyslogd: version 7.4.4, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.

Check the Linux system logs for any Rsyslog errors. If there are errors, you can find them in /var/log/messages. Some logs may also be stored in /var/log/syslog.

$ sudo cat /var/log/messages | grep rsyslog

Send Sample Data

Verify that Rsyslog is receiving data by creating a test event with the logger utility. To send the data, use the following command −

$ logger Tutorialspoint

Check the Linux system logs to see whether Rsyslog has recorded the test event. To verify it, use the following command −

$ sudo cat /var/log/syslog | grep Tutorialspoint

A sample output should be like this −

Feb 4 11:25:54 linux tp: Tutorialspoint
Feb 4 11:32:25 linux tp: Tutorialspoint

Congratulations! Now you know “How to Setup Rsyslog Remote Logging” on Linux. We’ll learn more about these types of commands in our next Linux post. Keep reading!

raja
Published on 23-Jan-2020 11:25:03