It is very handy to store all your logs in one place, especially after a crash on one of your machines: you can then do the detective work on why it crashed from another computer (one that works), and the logs survive even if the crashed machine's disk does not. It is of course also easier to search for errors across all your machines and similar tasks. This is why you need a log server, and today we're installing one in a Debian 10 LXC container (but it could just as well be installed on a virtual or physical machine).
I. Server side
We start off by checking that Rsyslog is running; it is part of a standard Debian install, so it should already be there.
systemctl status rsyslog
If it isn't running, install it, then start and enable it.
apt install rsyslog
systemctl start rsyslog
systemctl enable rsyslog
Now we're going to edit its configuration file, so let's first make a backup copy.
cp /etc/rsyslog.conf /etc/rsyslog.conf.old
nano /etc/rsyslog.conf
We are enabling both the faster but unreliable UDP protocol (a datagram that does not arrive is silently lost) and the slower but reliable TCP protocol on the server, so we uncomment these lines. Note that neither is encrypted or authenticated: anything on the network path can read the logs and anyone who can reach port 514 can inject messages, so only expose the port to hosts you trust (see the firewall rules below).
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
Now we describe how the logs should be stored by defining a template and a rule that uses it. Add the following above the existing RULES section, so that the final discard action takes effect before Debian's default rules would also write every remote message to /var/log/syslog.
# Everything should be logged to "/var/log/<hostname>/<programname>.log".
$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
# Send every facility and every severity ("*.*") through the RemoteLogs template ...
*.* ?RemoteLogs
# ... and stop processing the message here (legacy syntax; on rsyslog 8 "& stop" means the same).
& ~
Keep in mind that %HOSTNAME% and %PROGRAMNAME% are taken from the message the client sends, so the client decides what ends up in the path. Rsyslog's property replacer has a secpath-replace option that turns any "/" in those fields into "_", which is worth using on a server that accepts logs from machines you do not fully control.
Then we restart the service, install a firewall and define the needed rules. If you are working over SSH, allow SSH before running ufw enable or you will lock yourself out, and consider allowing port 514 only from your own subnet instead of from anywhere.
systemctl restart rsyslog
apt install ufw
ufw enable
ufw allow 514/tcp
ufw allow 514/udp
And we’re done on the server, now it’s time to configure our computers to send their logs to our server.
II. Client side
It's time to configure our clients; repeat these steps on every computer and server that should ship its logs. First, we edit the configuration file, /etc/rsyslog.conf (back it up first, as we did on the server).
If we say that the IP address of our server is 192.168.1.51 (change it to whatever IP address your server has), we add the following. The double "@@" means TCP; a single "@" would send over UDP instead.
# Log everything on our server.
*.* @@192.168.1.51:514
Finally restart Rsyslog and you’re done!
systemctl restart rsyslog
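The same server and client setup as above, written out as an added example (not the original post's code) in rsyslog's current RainerScript syntax, with the three hardening points a practitioner would want: slashes in client-supplied hostnames and program names are neutralised before they become a file path, the firewall accepts syslog only from the client subnet and allows SSH before ufw is enabled, and the client keeps messages in an on-disk queue while the server is unreachable instead of blocking or dropping them. Everything here is an assumption of ours: the server IP 192.168.1.51 and client subnet 192.168.1.0/24, the drop-in names 10-remote.conf and 10-forward.conf, and that rsyslog's work directory is set (Debian's default rsyslog.conf sets $WorkDirectory /var/spool/rsyslog and includes /etc/rsyslog.d/*.conf ahead of its default rules).

```shell
#!/bin/sh
# Added example, not part of the original post. Generates server- and
# client-side rsyslog drop-ins for the setup above and the matching ufw rules.
# Assumptions (ours): server 192.168.1.51, clients in 192.168.1.0/24, drop-in
# names 10-remote.conf / 10-forward.conf, $WorkDirectory set in rsyslog.conf.
set -eu

SERVER_IP="${SERVER_IP:-192.168.1.51}"
TRUSTED_NET="${TRUSTED_NET:-192.168.1.0/24}"

# Server: listen on 514/udp and 514/tcp, one file per host and program.
# HOSTNAME and PROGRAMNAME come from the client's message, so a hostile client
# could send "../../etc" as its hostname; secpath-replace rewrites every "/"
# in those fields to "_" so the file always lands under /var/log.
# "stop" replaces the legacy "& ~" and applies only to messages that arrived
# over the network, so local logs still follow Debian's default rules.
write_server_conf() {
    cat > "$1" <<'EOF'
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

template(name="RemoteLogs" type="string"
         string="/var/log/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log")

if ($inputname == "imudp" or $inputname == "imtcp") then {
    action(type="omfile" dynaFile="RemoteLogs" dirCreateMode="0750" fileCreateMode="0640")
    stop
}
EOF
}

# Client: forward everything over TCP. The disk-assisted queue holds messages
# while the server is down instead of blocking the client or losing them, and
# action.resumeRetryCount="-1" keeps retrying rather than giving up.
write_client_conf() {
    cat > "$1" <<EOF
action(type="omfwd" target="${SERVER_IP}" port="514" protocol="tcp"
       queue.type="LinkedList" queue.filename="fwd_logserver"
       queue.saveOnShutdown="on" action.resumeRetryCount="-1")
EOF
}

# Firewall: allow SSH before enabling ufw so a remote session is not cut off,
# and accept syslog only from the client subnet instead of from anywhere.
firewall_rules() {
    cat <<EOF
ufw allow OpenSSH
ufw allow from ${TRUSTED_NET} to any port 514 proto tcp
ufw allow from ${TRUSTED_NET} to any port 514 proto udp
ufw --force enable
EOF
}

# Syntax-check a generated file with rsyslogd itself (exit 0 = accepted);
# returns 2 when rsyslogd is not installed so the caller can tell that apart.
check_conf() {
    command -v rsyslogd >/dev/null 2>&1 || return 2
    rsyslogd -N1 -f "$1" >/dev/null 2>&1
}

# Usage (as root, then "systemctl restart rsyslog"):
#   sh logserver.sh server   on the log server
#   sh logserver.sh client   on every machine that should ship its logs
case "${1:-}" in
    server)
        write_server_conf /etc/rsyslog.d/10-remote.conf
        check_conf /etc/rsyslog.d/10-remote.conf || echo "config check failed or rsyslogd missing" >&2
        firewall_rules | sh
        ;;
    client)
        write_client_conf /etc/rsyslog.d/10-forward.conf
        check_conf /etc/rsyslog.d/10-forward.conf || echo "config check failed or rsyslogd missing" >&2
        ;;
esac
```

After restarting rsyslog on both sides, a quick end-to-end check from a client is `logger -n 192.168.1.51 -P 514 -T "hello from $(hostname)"` (util-linux logger; -T forces TCP), after which /var/log/<client-hostname>/<user>.log should appear on the server. Encryption and authentication are out of scope for this post; rsyslog supports TLS for the TCP transport if the logs cross a network you do not trust.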