{"id":12015,"date":"2022-03-30T23:03:53","date_gmt":"2022-03-30T20:03:53","guid":{"rendered":"https:\/\/kifarunix.com\/?p=12015"},"modified":"2024-03-09T10:30:47","modified_gmt":"2024-03-09T07:30:47","slug":"install-and-setup-rsyslog-server-on-ubuntu-22-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-setup-rsyslog-server-on-ubuntu-22-04\/","title":{"rendered":"Install and Setup Rsyslog Server on Ubuntu 22.04"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to install and setup rsyslog server on Ubuntu 22.04.&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.rsyslog.com\/\" target=\"_blank\">Rsyslog<\/a>&nbsp;is a multi-threaded implementation of syslogd (a system utility providing support for message logging), with features that include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>reliable syslog over TCP, SSL\/TLS and RELP<\/li>\n\n\n\n<li>on-demand disk buffering<\/li>\n\n\n\n<li>email alerting<\/li>\n\n\n\n<li>writing to MySQL or PostgreSQL databases (via separate output plugins)<\/li>\n\n\n\n<li>permitted sender lists<\/li>\n\n\n\n<li>filtering on any part of the syslog message<\/li>\n\n\n\n<li>on-the-wire message compression<\/li>\n\n\n\n<li>fine-grained output format control<\/li>\n\n\n\n<li>failover to backup destinations<\/li>\n\n\n\n<li>enterprise-class encrypted syslog relaying<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#install-and-setup-rsyslog-server-on-ubuntu\">Install and Setup Rsyslog Server on Ubuntu<\/a><ul><li><a href=\"#install-rsyslog-on-ubuntu-22-04\">Install Rsyslog on Ubuntu 22.04<\/a><\/li><li><a href=\"#setup-rsyslog-server-on-ubuntu-22-04\">Setup Rsyslog server on Ubuntu 22.04<\/a><\/li><li><a href=\"#define-rsyslog-server-protocol-and-port\">Define Rsyslog Server Protocol and Port<\/a><ul><li><a href=\"#allow-rsyslog-through-firewall\">Allow Rsyslog through Firewall<\/a><\/li><li><a href=\"#define-allowed-senders\">Define Allowed Senders<\/a><\/li><li><a href=\"#configure-rsyslog-template\">Configure Rsyslog Template<\/a><\/li><\/ul><\/li><li><a href=\"#configure-remote-rsyslog-client-to-forward-logs-rsyslog-server\">Configure Remote Rsyslog Client to Forward logs Rsyslog Server<\/a><ul><li><a href=\"#verify-remote-rsyslog-server-ports-connection\">Verify Remote Rsyslog Server Ports Connection<\/a><\/li><\/ul><\/li><li><a href=\"#verify-syslog-log-reception-on-rsyslog-server\">Verify Syslog Log Reception on Rsyslog Server<\/a><\/li><li><a href=\"#other-tutorials\">Other Tutorials<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"install-and-setup-rsyslog-server-on-ubuntu\">Install and Setup Rsyslog Server on Ubuntu<\/h2>\n\n\n\n<p>Rsyslog can be configured in a client\/server model. <\/p>\n\n\n\n<p>When configured as a client, it sends logs to a remote server over the network via TCP\/UDP protocols. As a server, it receives logs over the network from remote client on port 514 TCP\/UDP or any custom port on which it is configured to listen on.<\/p>\n\n\n\n<p>Rsyslog filters syslog messages based on selected filters. You may want to check out our previous article on&nbsp;<a href=\"https:\/\/kifarunix.com\/howtos\/a-basic-introduction-to-rsyslog-filters\/\" target=\"_blank\" rel=\"noreferrer noopener\">basic introduction to rsyslog filters<\/a>.<\/p>\n\n\n\n<p>Are you using Debian 10? Check the link below;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/setup-rsyslog-server-on-debian-10\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and setup rsyslog server on Debian 10<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-rsyslog-on-ubuntu-22-04\">Install Rsyslog on Ubuntu 22.04<\/h3>\n\n\n\n<p>Rsyslog is the default syslogd on Debian systems and is usually installed on Ubuntu 22.04 by default.<\/p>\n\n\n\n<p>You can verify this by checking the version of installed rsyslog.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt list -a rsyslog<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Listing... Done\nrsyslog\/jammy,now 8.2112.0-2ubuntu2 amd64 &#91;installed,automatic]<\/code><\/pre>\n\n\n\n<p>If for any reasons it is not installed, run the command below to install it.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo apt update<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo apt&nbsp;install&nbsp;rsyslog -y<\/code><\/pre>\n\n\n\n<p>Once the installation is done, start and enable the rsyslog service.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo systemctl enable --now rsyslog<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"setup-rsyslog-server-on-ubuntu-22-04\">Setup Rsyslog server on Ubuntu 22.04<\/h3>\n\n\n\n<p>Rsyslog can be configured as client to sent logs to a central logging server or a server to receive and store logs from other systems.<\/p>\n\n\n\n<p>In this guide, we setup Rsyslog as a server on an Ubuntu 22.04 box.<\/p>\n\n\n\n<p>Open the ryslog configuration file for editing;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo vim \/etc\/rsyslog.conf<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"define-rsyslog-server-protocol-and-port\">Define Rsyslog Server Protocol and Port<\/h3>\n\n\n\n<p>To begin with, define the protocol and port you want to receive logs on.<\/p>\n\n\n\n<p>You can choose to use UDP or TCP and any port number of your choice.<\/p>\n\n\n\n<figure class=\"wp-block-pullquote td_quote_box td_box_center has-small-font-size\"><blockquote><p>Note that TCP syslog reception is way more reliable than UDP syslog and still pretty fast. The main reason is, that UDP might suffer of message loss. This happens when the syslog server must receive large bursts of messages. If the system buffer for UDP is full, all other messages will be dropped. With TCP, this will not happen. But sometimes it might be good to have a UDP server configured as well. That is, because some devices (like routers) are not able to send TCP syslog by design. In that case, you would need both syslog server types to have everything covered.<\/p><\/blockquote><\/figure>\n\n\n\n<p>In this setup, we will configure Rsyslog to use both UDP and TCP protocols for logs reception over the ports 514 and 50514 respectively.<\/p>\n\n\n\n<p>By default UDP syslog is received on port 514\/UDP.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Thus, to enable UDP syslog reception:<\/li>\n<\/ul>\n\n\n\n<p>Within the&nbsp;<strong>\/etc\/rsyslog.conf<\/strong>&nbsp;configuration file, uncomment the lines for UDP syslog reception in the&nbsp;<strong>MODULES<\/strong>&nbsp;section as shown below;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>...\n#################\n#### MODULES ####\n#################\n...\n\n# provides UDP syslog reception\n<strong>module(load=\"imudp\")\ninput(type=\"imudp\" port=\"514\")<\/strong>\n...\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable TCP syslog reception:<\/li>\n<\/ul>\n\n\n\n<p>TCP syslog may need to use a different port because often the RPC service is using port 514 as well.<\/p>\n\n\n\n<p>To set rsyslog to run on a different TCP port, say TCP port,&nbsp;<strong>50514<\/strong>, uncomment the TCP reception lines and change the port as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># provides TCP syslog reception\n<strong>module(load=\"imtcp\")<\/strong>\n<strong>input(type=\"imtcp\" port=\"50514\")<\/strong><\/code><\/pre>\n\n\n\n<p>Save and exit the file;<\/p>\n\n\n\n<p>Restart rsyslog service;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl restart rsyslog<\/code><\/pre>\n\n\n\n<p>Verify that rsyslog is now listening on two ports;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ss -4altunp | grep 514<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>udp   UNCONN 0      0            0.0.0.0:514        0.0.0.0:*    users:((\"rsyslogd\",pid=3893,fd=5))       \ntcp   LISTEN 0      25           0.0.0.0:50514      0.0.0.0:*    users:((\"rsyslogd\",pid=3893,fd=7))<\/code><\/pre>\n\n\n\n<p><strong>You may notice that UDP port has no LISTEN state because it is connectionless and&nbsp;has no concept of \u201clistening\u201d, \u201cestablished\u201d, \u201cclosed\u201d, or anything like that.<\/strong><\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"allow-rsyslog-through-firewall\">Allow Rsyslog through Firewall<\/h5>\n\n\n\n<p>If firewall is running, open rsyslog through it.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ufw allow 514\/udp<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ufw allow 50514\/tcp<\/code><\/pre>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"define-allowed-senders\">Define Allowed Senders<\/h5>\n\n\n\n<p>You may also want to explicitly set the remote clients that are allowed to to send syslog messages to rsyslogd. To achieve this, you can set a global directive using the&nbsp;<strong>$AllowedSender<\/strong>&nbsp;directive.<\/p>\n\n\n\n<p>Allowed sender lists can be defined for UDP and TCP senders separately. The syntax to specify them is:<\/p>\n\n\n\n<p><code><strong>$AllowedSender [UDP\/TCP], ip[\/bits], ip[\/bits]<\/strong><\/code><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ip[\/bits]<\/strong>&nbsp;is a machine or network ip address as in \u201c192.0.2.0\/24\u201d or \u201c192.0.2.10\u201d. If the&nbsp;<strong>\/bits<\/strong>&nbsp;part is omitted, a single host is assumed. \u201c\/0\u201d is not allowed, because that would match any sending system.<\/li>\n\n\n\n<li><strong>Hostnames<\/strong>, with and without wildcards, may also be provided. If so, the result of revers DNS resolution is used for filtering.<\/li>\n\n\n\n<li>Multiple allowed senders can be specified in a comma-delimited list.<\/li>\n<\/ul>\n\n\n\n<p>It is good to specify senders with high traffic volume before those with lower volume.<\/p>\n\n\n\n<p>To allow specific hosts for either UDP or TCP logging, enter the following lines;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/etc\/rsyslog.conf<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>...\n###########################\n#### GLOBAL DIRECTIVES ####\n###########################\n# $AllowedSender - specifies which remote systems are allowed to send syslog messages to rsyslogd\n<strong>$AllowedSender UDP, 192.168.58.0\/24, [::1]\/128, *.example.net, servera.example.com\n$AllowedSender TCP, 192.168.59.0\/24, [::1]\/128, *.example.net, serverb.example.com<\/strong>\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The hostnames must be resolvable since before ACL is updated, they will be resolved into their individual IPs.<\/li>\n\n\n\n<li>Also note that the above directives only allow UDP reception from&nbsp;<strong>192.168.58.0\/24<\/strong>&nbsp;and TCP reception from&nbsp;<strong>192.168.59.0\/24<\/strong> networks.<\/li>\n<\/ul>\n\n\n\n<p>As much as allowing specific hosts via this directive, a good idea to impose allowed sender limitations via firewalling.<\/p>\n\n\n\n<p>For example, to allow hosts from the&nbsp;<strong>192.168.58.0\/24<\/strong>&nbsp;and&nbsp;<strong>192.168.59.0\/24<\/strong>&nbsp;networks;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw allow from <strong>192.168.58.0\/24<\/strong> to any port 514 proto udp\nufw allow from <strong>192.168.58.0\/24<\/strong> to any port 50514 proto tcp<\/code><\/pre>\n\n\n\n<pre id=\"block-4f7222eb-eebe-4b62-b1e4-29f91ff45f90\" class=\"wp-block-code\"><code>ufw allow from <strong>192.168.59.0\/24<\/strong> to any port 514 proto udp\nufw allow from <strong>192.168.59.0\/24<\/strong> to any port 50514 proto tcp<\/code><\/pre>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"configure-rsyslog-template\">Configure Rsyslog Template<\/h5>\n\n\n\n<p>Templates are a key feature of rsyslog. Any output that is generated by rsyslog can be modified and formatted according to your needs with the use of templates.<\/p>\n\n\n\n<p>To create a template use the following syntax in&nbsp;<strong>\/etc\/rsyslog.conf<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$template <em>TEMPLATE_NAME<\/em>,\"<em>text %PROPERTY% more text<\/em>\", &#91;<em>OPTION<\/em>]<\/code><\/pre>\n\n\n\n<p>Thus, we can create our template like;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code># provides TCP syslog reception\nmodule(load=\"imtcp\")\ninput(type=\"imtcp\" port=\"50514\")\n\n#Custom template to generate the log filename dynamically based on the client's IP address.\n<strong>$template RemInputLogs, \"\/var\/log\/remotelogs\/%FROMHOST-IP%\/%PROGRAMNAME%.log\"<\/strong>\n<strong>*.* ?RemInputLogs<\/strong>\n<\/code><\/pre>\n\n\n\n<p>This will categorize logs received from remote host into log files for specific programs responsible for the generation of that log.<\/p>\n\n\n\n<p>Once you are done with configuration, save and exit the file;<\/p>\n\n\n\n<p>You can now restart the&nbsp;<code>rsyslog<\/code>&nbsp;service by running the command below. Before you can restart rsyslogd, run a configuration check.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo rsyslogd -f \/etc\/rsyslog.conf -N1<\/code><\/pre>\n\n\n\n<p>If all is well, proceed to restart rsyslog.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl restart rsyslog<\/code><\/pre>\n\n\n\n<p>Rsyslogd is now ready to receive logs from remote hosts.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-remote-rsyslog-client-to-forward-logs-rsyslog-server\">Configure Remote Rsyslog Client to Forward logs Rsyslog Server<\/h3>\n\n\n\n<p>Now it is time to configure the remote client to send syslog messages to the remote syslog server. Login and proceed as follows.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"verify-remote-rsyslog-server-ports-connection\">Verify Remote Rsyslog Server Ports Connection<\/h4>\n\n\n\n<p>To verify connectivity to remote rsyslog server TCP port 50514, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>telnet 192.168.59.38 50514<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Trying 192.168.59.38...\nConnected to 192.168.59.38.\nEscape character is '^]'.\n^]\ntelnet&gt;<\/code><\/pre>\n\n\n\n<p>Verify connectivity to UDP port 514. Since you cannot telnet to UDP port 514, use netcat command. On the server, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo nc -ul 514<\/code><\/pre>\n\n\n\n<p>On the client, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>nc -u 192.168.59.38 514<\/code><\/pre>\n\n\n\n<p>Next, press ENTER and type anything. You should be able to see what you type on the server.<\/p>\n\n\n\n<p>If all is good, edit the client system rsyslog configuration file and configure it to push the logs to the syslog server;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/etc\/rsyslog.conf<\/code><\/pre>\n\n\n\n<p>For example, to send authentication logs over port 514\/UDP, add the following line at the end of the file. Note, this should be done from hosts under the&nbsp;<strong>192.168.57.0\/24<\/strong>&nbsp;as per the&nbsp;<strong><code>AllowedSender<\/code><\/strong>&nbsp;directive.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Send logs to remote syslog server over UDP\n<strong>auth,authpriv.* @192.168.59.38:514<\/strong><\/code><\/pre>\n\n\n\n<p>To send all logs over port 50514\/TCP, add the following line at the end of the file. Note, this should be done from hosts under the&nbsp;<strong>192.168.58.0\/24<\/strong>&nbsp;as per the AllowedSender directive.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Send logs to remote syslog server over TCP 50514\n<strong>*.* @@192.168.59.38:50514<\/strong><\/code><\/pre>\n\n\n\n<p>As a cushion just in case the remote rsyslog server goes down and your logs are so important you don\u2019t want to loose, set the rsyslog disk queue for buffering in the rsyslog configuration file as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Define Disk Queue Buffer in case the server goes down\n<strong>$ActionQueueFileName queue<\/strong> # define a file name for disk assistance.\n<strong>$ActionQueueMaxDiskSpace 1g<\/strong>  # The maximum size that all queue files together will use on disk.\n<strong>$ActionQueueSaveOnShutdown on<\/strong>  # specifies that data should be saved at shutdown\n<strong>$ActionQueueType LinkedList<\/strong>  # holds enqueued messages in memory which makes the process very fast.&nbsp;\n<strong>$ActionResumeRetryCount -1<\/strong>  # prevents rsyslog from dropping messages when retrying to connect if server is not responding,<\/code><\/pre>\n\n\n\n<p>Restart the rsyslog service on the client.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart rsyslog<\/code><\/pre>\n\n\n\n<p>You can now log out of the client and login again. The authentication logs should be available on rsyslog server.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"verify-syslog-log-reception-on-rsyslog-server\">Verify Syslog Log Reception on Rsyslog Server<\/h3>\n\n\n\n<p>Login to the Rsyslog server and verify the same.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ls -1 \/var\/log\/remotelogs\/<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>127.0.0.1\n192.168.58.35<\/code><\/pre>\n\n\n\n<p>In our case, we send only authentication logs to remote rsyslog server.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ls -1 \/var\/log\/remotelogs\/192.168.58.35\/<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>CRON.log\nsshd.log\nsudo.log\nsu.log<\/code><\/pre>\n\n\n\n<p>And that is how simple it is to install and setup Rsyslog server on Ubuntu for central remote logging.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"other-tutorials\">Other Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/forward-apache-logs-to-central-log-server-with-rsyslog\/\" target=\"_blank\" rel=\"noreferrer noopener\">Forward Apache Logs to Central Log Server with Rsyslog<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-nxlog-to-forward-system-logs-to-rsyslog-server-on-ubuntu-18-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure NXLog to Forward System Logs to Rsyslog Server on Ubuntu 18.04<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to install and setup rsyslog server on Ubuntu 22.04.&nbsp;Rsyslog&nbsp;is a multi-threaded implementation of syslogd (a system utility providing<\/p>\n","protected":false},"author":1,"featured_media":8502,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,191,39],"tags":[3317,4795,4802,4801,3316],"class_list":["post-12015","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-rsyslog","category-storage","tag-central-logging-with-rsyslog-on-ubuntu","tag-install-rsyslog-server-ubuntu-22-04","tag-rsyslog-server-tcp","tag-rsyslog-server-udp","tag-setup-rsyslog-server-on-ubuntu-20-04","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12015"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=12015"}],"version-history":[{"count":6,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12015\/revisions"}],"predecessor-version":[{"id":20420,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12015\/revisions\/20420"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/8502"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=12015"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=12015"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=12015"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}