Setting up a Linux system as an Rsyslog server to receive and forward logs to multiple remote servers are as follows:
- Install Rsyslog:
- Open a terminal.
- Update the package lists:
sudo apt update
. - Install Rsyslog:
sudo apt install rsyslog
. - Start Rsyslog service:
sudo service rsyslog start
.
- Configure Rsyslog:
- Open the Rsyslog configuration file using a text editor (e.g.,
sudo nano /etc/rsyslog.conf
orsudo vi /etc/rsyslog.conf
). - Uncomment the following lines to enable UDP and TCP input modules:
- Open the Rsyslog configuration file using a text editor (e.g.,
module(load="imudp") input(type="imudp" port="514") module(load="imtcp") input(type="imtcp" port="514")
Add a custom message template (you can use a different name if you prefer):
$template myFormat,"%timestamp% %hostname% %syslogtag%%msg%\n"
Forward logs to a remote server via UDP or TCP. Replace <remote server ip>
with the IP address of your remote server:
- For UDP:
*.* @<remote server ip>:5140 ;myFormat
Or for TCP:
*.* @@<remote server ip>:5140 ;myFormat
If you want to add more remote servers (in my case I want to forward to 3 different servers with IP 192.168.10.111, 192.168.10.112, and 192.168.10.113), you may add multiple lines based from the above, for example:
#$template myFormat,"%timestamp% %hostname% CEF:%msg%\n"
$template myFormat,"%timestamp% %hostname% %syslogtag%%msg%\n"
# Filter rule to match a specific hostname and forward logs via TCP
# Forward only traffic event logs to remote devices
if $syslogtag contains 'CEF' then {
*.* @@192.168.10.111:5140;myFormat
*.* @@192.168.10.112:5140;myFormat
*.* @@192.168.10.113:5140;myFormat
}
Save the file and exit the text editor.
Configure Firewall Rules:
- If you have a firewall enabled, allow incoming traffic on port 514 for TCP and UDP. The specific procedure may vary depending on the firewall you are using. For example, using iptables:
- To allow TCP traffic on port 514:
sudo iptables -A INPUT -p tcp --dport 514 -j ACCEPT
To allow UDP traffic on port 514:
sudo iptables -A INPUT -p udp --dport 514 -j ACCEPT
- Restart Rsyslog:
- To apply the changes, restart the Rsyslog service:
sudo service rsyslog restart
or
sudo systemctl restart rsyslog
- Verify Rsyslog Configuration:
- Check if Rsyslog is properly configured to receive logs and listen on port 514:
sudo netstat -tuln | grep 514
If configured correctly, you should see output similar to:
udp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
- Verify Date & Time Synchronization:
- Ensure that the date and time on your Rsyslog server are synchronized with a reliable time source. This is important for accurate timestamping of log messages.
Following these steps should set up your Linux system as an Rsyslog server capable of receiving and forwarding logs to multiple remote servers. Make sure to adjust firewall rules and network configurations according to your specific environment and security requirements.
The complete configuration file will be as follows:
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
###############
#### RULES ####
###############
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
#
# Some "catch-all" log files.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
# Other Rsyslog configuration settings...
#
# # Forward logs to remote server via UDP
#*.* @remote-server:514
#
#$ModLoad imtcp
#$InputTCPServerRun 5140
#$template myFormat,"%timestamp% %hostname% %syslogfacility-text% %syslogseverity-text% [%syslogtag%] %msg%\n"
#
#$template myFormat,"%timestamp% %hostname% CEF:%msg%\n"
$template myFormat,"%timestamp% %hostname% %syslogtag%%msg%\n"
# Filter rule to match a specific hostname and forward logs via TCP
# Forward only traffic event logs to remote devices
if $syslogtag contains 'CEF' then {
*.* @@192.168.10.111:5140;myFormat
*.* @@192.168.10.112:5140;myFormat
*.* @@192.168.10.113:5140;myFormat
}