Angelo
I am Angelo. A systems engineer passionate about Linux and all open-source software. Although here I'm just another member of the family.

Centralized log management by installing rsyslog on Debian 11!

Hello, friends. In this post, we will talk a little about rsyslog on Debian 11. Besides that, we will show you how to install it and set it up, so you can work from the clients. Let’s get started.

What is rsyslog on Debian 11?

In short, rsyslog is a daemon that collects logs from client machines and centralizes their management.

Usually, these logs are located in /var/log/, but rsyslog can write to almost any directory you specify in the configuration.

One of the striking things about rsyslog is that it is versatile and robust enough to be used in enterprise environments, but it is also so lightweight and simple that it can be used on small systems.

In addition to this, we can choose whether to store the data in a text file or in a database manager such as MariaDB. So, it is effortless to use it, and today we are going to show you how to do it.

Installing rsyslog on Debian 11 – Setting up the log server

Regarding the server, you can install the package from the official Debian 11 repositories. For this, once you have connected to the server via SSH, you can update it.

sudo apt update
sudo apt upgrade

Thereafter, you can install the package by running

sudo apt install rsyslog

As Rsyslog works on TCP and UDP port 514, you have to make sure that these ports are open in the firewall.

sudo ufw allow 514/tcp
sudo ufw allow 514/udp

To apply these changes, you have to reload the firewall.

sudo ufw reload

Finally, you have to check the status of the service by running

sudo systemctl status rsyslog
1.- rsyslog on Debian 11

This way, we will know that rsyslog is installed and running. Now we need to configure it.

Configuring the rsyslog server

The main configuration of rsyslog resides in the /etc/rsyslog.conf file that we have to modify. It is always a good idea to keep a copy of the original before doing this.

sudo cp /etc/rsyslog.conf /etc/rsyslog.conf.bak

Now edit it

sudo nano /etc/rsyslog.conf

And the first thing we have to do, in this file, is to enable the ports where the application is going to work.

So at the beginning of the file, uncomment the following section.

module(load="imudp")
input(type="imudp" port="514")

module(load="imtcp")
input(type="imtcp" port="514")
2.- Configuring rsyslog on Debian 11

In addition to this, we have to define a template that tells rsyslog where to store the logs received from the clients. In this case, at the end of the file, add these two lines.

$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs

Here we define the remote-incoming-logs template. The logs are stored under /var/log, and to tell them apart the path uses the hostname of the sender and the name of the program that generated the log.

This is enough for now. You can save your changes.

To apply them, just restart the application service.

sudo systemctl restart rsyslog

Perform the configuration on the clients

Rsyslog configuration on the clients is quite similar to the server. First, you have to install the package on your distribution.

Then, open TCP and UDP ports 514 on the firewall.

And in the rsyslog configuration file

sudo nano /etc/rsyslog.conf

Add the following lines at the end of the file

*.* @rsyslog-ip-address:514
*.* @@rsyslog-ip-address:514

Remember, you have to set the IP address of the Rsyslog server. The first line refers to UDP and the second to TCP.

In addition to this, you have to add the following information to the file.

$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 2g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1

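These directives set up a disk-assisted queue for the forwarded logs: messages are buffered (up to 2 GB on disk), kept across a shutdown, and retried indefinitely while the server is unreachable.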

Save the changes and close the text editor.

To apply the changes, restart the service.

sudo systemctl restart rsyslog

This configuration is enough.
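
The client forwarding rule together with its queue settings, as an added example that is not part of the original post. In rsyslog's legacy syntax the $ActionQueue* and $ActionResumeRetryCount directives configure the action that follows them, so here they are placed before the forwarding line; keeping only the TCP rule is an assumption of this example, and rsyslog-ip-address is the article's placeholder.

```conf
# Added example, not from the original post.
# Client side: append to /etc/rsyslog.conf on each client.
# "rsyslog-ip-address" is the article's placeholder for the log server.

# --- Legacy syntax, as used in the article ------------------------------
# Legacy $Action... settings apply to the NEXT action defined after them,
# so the queue directives come first and the forwarding rule comes last.
$ActionQueueFileName queue      # spool file prefix; enables disk assistance
$ActionQueueMaxDiskSpace 2g     # cap the on-disk spool at 2 GB
$ActionQueueSaveOnShutdown on   # write queued messages to disk on shutdown
$ActionQueueType LinkedList     # in-memory queue that spills to disk
$ActionResumeRetryCount -1      # retry forever while the server is down

# Forward everything over TCP (@@). A single @ would mean UDP.
# Assumption: only the TCP rule is kept. With both a UDP and a TCP rule,
# the server receives every message twice.
*.* @@rsyslog-ip-address:514

# --- Same rule in the action() syntax (use one form, not both) ----------
# The queue parameters are attached to the action itself, so their
# position in the file no longer matters.
#
# *.* action(type="omfwd" target="rsyslog-ip-address" port="514" protocol="tcp"
#            queue.type="LinkedList" queue.filename="queue"
#            queue.maxDiskSpace="2g" queue.saveOnShutdown="on"
#            action.resumeRetryCount="-1")
```

Running `sudo rsyslogd -N1` checks the configuration for syntax errors before the service is restarted.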

Conclusion

In this post, you learned how to configure rsyslog in Debian 11. So, you can centralize your logs and have a server where you can check them all.

I hope it helped you.

Rsyslog documentation
