Hello, friends. In this post, we will talk a little about rsyslog on Debian 11. Besides that, we will show you how to install it and set it up, so you can work from the clients. Let’s get started.
What is rsyslog on Debian 11?
Quickly, we can say that rsyslog is a daemon that is in charge of collecting and centralizing the management of logs through client machines.
Usually, these logs are located in /var/logs/ but it works for almost any directory you specify in the configuration.
One of the striking things about rsyslog is that it is versatile and robust enough to be used in enterprise environments, but it is also so lightweight and simple that it can be used on small systems.
In addition to this, we can choose whether to store the data in a text file or in a database manager such as MariaDB. So, it is effortless to use it, and today we are going to show you how to do it.
Installing rsyslog on Debian 11 – Setting up the log server
Regarding the server, you can install the package from the official Debian 11 repositories. For this, once you have connected to the server via SSH, you can update it.
sudo apt update
sudo apt upgradeThereafter, you can install the package by running
sudo apt install rsyslogAs Rsyslog works on TCP and UDP port 514, you have to make sure that these ports are open in the firewall.
sudo ufw allow 514/tcp
sudo ufw allow 514/udpTo apply these changes, you have to restart the firewall.
sudo ufw reloadFinally, you have to check the status of the service by running
sudo systemctl status rsyslog
This way, we will know that rsyslog is installed and running. Now we need to configure it.
Configuring the rsyslog server
The main configuration of rsyslog resides in the /etc/rsyslog.conf file that we have to modify. It is always a good idea to keep a copy of the original before doing this.
sudo cp /etc/rsyslog.conf /etc/rsyslog.conf.bakNow edit it
sudo nano /etc/rsyslog.confAnd the first thing we have to do, in this file, is to enable the ports where the application is going to work.
So at the beginning of the file, uncomment the following section.
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")
In addition to this, we have to define a template on how rsyslog will collect the logs of the clients. In this case, at the end of the file, add these two lines.
$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logsWhere we are defining the remote-incoming-logs template and the logs will be stored in /var/log and to distinguish them we have to use the hostname and the name of the program that generates the log.
This is enough for now. You can save your changes.
To apply them, just restart the application service.
sudo systemctl restart rsyslogPerform the configuration on the clients
Rsyslog configuration on the clients is quite similar to the server. First, you have to install the package on your distribution.
Then, open TCP and UDP ports 514 on the firewall.
And in the rsyslog configuration file
sudo nano /etc/rsyslog.conf
Add at the end of the file the following line
*.* @rsyslog-ip-address:514
*.* @@rsyslog-ip-address:514Remember, you have to set the IP address of the Rsyslog server. The first line refers to UDP and the second to TCP.
In addition to this, you have to add the following information to the file.
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 2g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1These directives are options that we will set on the sending of the logs.
Save the changes and close the text editor.
To apply the changes, restart the service.
sudo systemctl restart rsyslogThis configuration is enough.
Conclusion
In this post, you learned how to configure rsyslog in Debian 11. So, you can centralize your logs and have a server where you can check them all.
I hope it helped you.
