Set up a log server with Rsyslog on Debian 10

It is very handy to store all your logs in one place, especially in the event of a crash on one of your machines – you can then do the detective work on why it crashed using another computer (that works). It is of course also easier to search for errors across your machines and similar tasks. This is why you need a log server – and today we’re installing one on a Debian 10 lxc container (but it could just as well be installed on a virtual or real machine).

I. Server side

We start off with checking that Rsyslog is running, as it should be installed with the distro.

systemctl status rsyslog

If it isn’t running, install, start and enable it.

apt install rsyslog
systemctl start rsyslog
systemctl enable rsyslog

Now we’re going to edit its configuration file, so let’s first make a backup copy.

cp /etc/rsyslog.conf /etc/rsyslog.conf.old
nano /etc/rsyslog.conf

Since we’re enabling both the faster (but unreliable) UDP protocol and the slower (but safer) TCP protocol on the server, we enable these lines (they are present in the default file but commented out; remove the leading # so they read as follows).

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

Now we describe how the logs should be stored by defining a template; add the following to the configuration file.

# Everything should be logged in "/var/log/host/progname.log".
$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
# A rule is written as '[facility].[severity] action'; '*.*' matches every facility and severity.
*.* ?RemoteLogs
# Stop processing this message here; no later rules apply to it ('~' is the legacy spelling of 'stop').
& ~
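To make the template above concrete, here is an added Python example (not from the original post) that parses an RFC 3164 syslog line into the properties rsyslog substitutes for %HOSTNAME% and %PROGRAMNAME%, decodes facility and severity from the PRI value, and builds the same per-host, per-program path. The LOG_ROOT constant and the sanitising step are assumptions of the example: the page's template writes the properties into the path unchanged, whereas this version refuses a client-supplied hostname that tries to escape /var/log.

```python
import re
from pathlib import PurePosixPath

LOG_ROOT = "/var/log"  # root directory used by the page's RemoteLogs template (assumed)

# RFC 3164 line as an rsyslog client ships it: <PRI>Mmm dd hh:mm:ss HOST PROG[pid]: msg
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<programname>[^\[:\s]+)(?:\[\d+\])?: "
    r"(?P<msg>.*)$"
)

def parse_syslog_line(line):
    """Extract the properties rsyslog exposes as %HOSTNAME%, %PROGRAMNAME%, facility, severity."""
    m = RFC3164.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line: %r" % line)
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,  # PRI is facility * 8 + severity
        "severity": pri % 8,   # 0 = emerg ... 7 = debug
        "hostname": m.group("hostname"),
        "programname": m.group("programname"),
        "msg": m.group("msg"),
    }

def safe_component(value):
    """Force a client-supplied property into a single path component (no '/', no '.' or '..')."""
    cleaned = value.replace("/", "_").replace("\\", "_")
    return "_" if cleaned in ("", ".", "..") else cleaned

def remote_log_path(props):
    """Same layout as $template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log", sanitised."""
    path = PurePosixPath(LOG_ROOT, safe_component(props["hostname"]),
                         safe_component(props["programname"]) + ".log")
    if not str(path).startswith(LOG_ROOT + "/"):  # defence in depth: never leave LOG_ROOT
        raise ValueError("refusing path outside %s: %s" % (LOG_ROOT, path))
    return str(path)

if __name__ == "__main__":
    # Constructed sample lines: a normal sshd message and a forged hostname containing '../'.
    for line in (
        "<38>Oct 11 22:14:15 client1 sshd[1234]: Accepted publickey for alice from 192.168.1.20",
        "<77>Oct  5 03:01:02 ../../etc cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
    ):
        props = parse_syslog_line(line)
        print(props["facility"], props["severity"], remote_log_path(props))
```

Remote clients choose the hostname field they send, so a template that embeds %HOSTNAME% in a filesystem path is handling untrusted input.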

Then we restart the service, install a firewall and define the needed rules.

systemctl restart rsyslog
apt install ufw
ufw enable
ufw allow 514/tcp
ufw allow 514/udp

And we’re done on the server, now it’s time to configure our computers to send their logs to our server.

II. Client side

Now we configure the clients; repeat these steps on every computer and server that should ship its logs. First, edit the configuration file.

nano /etc/rsyslog.conf

Assuming the IP address of our server is 192.168.1.51 (substitute your server’s address), add the following.

# Log everything on our server.
# '@@' sends over TCP; a single '@' would send over UDP.
*.* @@192.168.1.51:514

Finally restart Rsyslog and you’re done!

systemctl restart rsyslog