How to Set Up Remote Logging on Linux Using rsyslog

Logging is a crucial side of Linux server administration. Log messages are helpful for root trigger evaluation and avoiding potential error occurrences sooner or later. Analyzing and debugging server errors is a core talent to have for each IT engineers and system directors.

This information will present you the best way to arrange a distant logging server, also called a log host, on Linux. A log host means that you can mixture native Linux logs to a distant centralized server for ease of entry and evaluation.

Why Have a Devoted Log Server?

The Linux working system logs most actions in your server for auditing and debugging utilizing the syslog (system logging protocol) daemon. So that you may be questioning, why do I want a devoted server for my logs? Listed below are some benefits to having a devoted logging server:

  • Higher safety as a result of the distant logging server solely has just a few ports open to the skin.
  • Improved server efficiency as a result of the distant logging host doesn’t run many companies, besides those used for logging.
  • Eases archiving and administration of log messages.

Log messages are essential for auditing your servers and base-lining and are a core a part of preventive upkeep procedures in your server infrastructure.

Step 1: Putting in rsyslog on Linux

This information focuses on Ubuntu 20.04, however the course of must be just about the identical in case you are utilizing different mainstream Linux distros.

rsyslog is a distant logging service for Linux and comes preinstalled by default on most fashionable Linux distros, for instance, Ubuntu and different Debian-based methods.


The rsyslog service is a contemporary and improved daemon to syslog, which solely means that you can handle logs regionally. With the rsyslog daemon, you possibly can ship your native logs to some configured distant Linux server.

If you happen to don’t have rsyslog put in in your PC, you possibly can simply achieve this utilizing the next command, on Debian-based distros:

sudo apt set up rsyslog

On Purple Hat Linux, you possibly can set up it by typing:

yum set up rsyslog

On Fedora and its derivatives, run:

dnf set up rsyslog

To put in rsyslog on Arch Linux:

yay -S rsyslog

To verify the standing of rsyslog, run the next command:

systemctl standing rsyslog



Step 2: Configuring the Log Host Server

The log host is the server configured to obtain log messages from different servers or PCs. The rsyslog configuration resides within the /and so on/rsyslog.conf file.

You may open the /and so on/rsyslog.conf file utilizing any textual content editor of your alternative. On this information, we’ll use Vim.

You will want elevated privileges to make modifications to the config file.

Earlier than you begin enhancing the config file, it’s best to take a backup or copy of the file. To take action, run the command:

sudo cp /and so on/rsyslog.conf /and so on/rsyslog_original.config

Subsequent, open the /and so on/rsyslog.conf file utilizing a textual content editor.

sudo vim /and so on/rsyslog.conf 

There are two protocols you should use for sending/receiving log recordsdata with rsyslog: TCP and UDP. This information exhibits you the best way to configure each.

You don’t want to configure each UDP and TCP for distant logging to work. Solely select one of many two.

If you happen to want to make use of UDP, search for and uncomment the next strains by eradicating the main Pound (#) image previous the strains. You will discover these strains beneath the modules part of the config file.

enter(sort="imudp" port="514")

If you happen to want to make use of TCP, then uncomment the next strains by eradicating the main Pound (#) image positioned initially of the strains:

enter(sort="imtcp" port="514")

The next determine exhibits the rsyslog configuration file configured to make use of UDP communication:


Subsequent, configure the placement the place rsyslog will retailer your logs. For higher group, it’s best to categorize incoming logs by their origin. Outline a template in your rsyslog config file by including the next strains:

$template remote-incoming-logs, "/var/log/distant/%HOSTNAME%".log
*.* ?remote-incoming-logs

The aforementioned strains command rsyslog to retailer the logs within the folder /var/log/distant/hostname, the place hostname is the title of the distant consumer that’s sending log messages to the log host.

Now, save the modifications you have made. In case you are utilizing Vim, right here is the best way to save and stop a file.

Lastly, restart the rsyslog companies for the modifications you have made to take impact.

sudo systemctl restart rsyslog

Step 3: Configuring Your Firewall

In case your firewall is enabled, make it possible for the port you’ve configured above is ready to talk with the skin world. You will have to edit your firewall guidelines to permit incoming logs.

For Debian-based distros, merely use the UFW device, to allow both the UDP or TCP switch protocol.

Associated: Configure the Firewall in Ubuntu Utilizing UFW

In case you are utilizing UDP, run the next command, the place 514 is the configured port quantity:

sudo ufw 514/udp

In case you are utilizing TCP on port 514, merely run:

sudo ufw 514/tcp

On Fedora, you should use firewall-cmd to realize comparable outcomes.

firewall-cmd --zone=zone --add-port=514/udp

For Purple Hat Linux, open the iptables file positioned at /and so on/sysconfig/iptables utilizing your textual content editor of alternative, and add the next rule:

-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT

Restart the iptables service for the modifications to take impact.

service iptables restart

Step 4: Configuring the Logging Consumer

The consumer is the machine that sends its logs to a distant or centralized log host server. Open the rsyslog config file positioned at /and so on/rsyslog.conf:

sudo vim /and so on/rsyslog.conf

Add the next line in case you are utilizing UDP, the place is the IP tackle of the distant server, you may be writing your logs to:

*.* @

In case you are utilizing TCP, add the next line as a substitute. Word that the road has two @ symbols.

*.* @@

Save your modifications and restart the rsyslog service on the consumer with the command:

sudo systemctl restart rsyslog

Step 5: Viewing the Log Messages on the Server

You should utilize SSH to log in to your distant server and consider the logs despatched from the consumer servers. On this case, rsyslog is configured in order that it shops the consumer logs within the /var/log/distant listing of the distant server.

cd /var/logs/distant

Then listing the contents of the listing utilizing the ls command:

ls -l

As you possibly can see within the output, the listing comprises log messages for the distant servers named andiwa and rukuru. Their log recordsdata are named andiwa.log and rukuru.log respectively.


You may then take a look at the log recordsdata utilizing a textual content editor or with Linux file viewing instruments akin to cat or much less.

Distant Logging Offers You Extra Management

This information has checked out the best way to arrange a distant logging server (log host) on Linux.

A log host gives you higher group and management in the case of logging. Even in situations the place a system is broken or inaccessible, you possibly can nonetheless view its logs from the log host and work out what went unsuitable.

two computer monitors symbolising system logging

Getting Began With System Logging in Linux

Learn Subsequent

About The Writer

Leave a Comment