# Forwarding logs from an rsyslog client to a remote rsyslog server

## Introduction

This guide walks you through setting up Rsyslog to forward logs from a client to a remote server on Linux.

## Prerequisites

### Software Requirements

- Linux operating system
- Rsyslog (version 5.0 or higher recommended)
- Root or sudo access

### Network Requirements

- Network connectivity between client and remote server
- Known IP address of the remote Rsyslog server
- Open network ports (typically 514 for UDP or TCP)

## Step-by-Step Configuration Guide

### Preparation

Before beginning, ensure you have:

- Administrative (root) access
- Stable network connection
- IP address of the remote server

### Step 1: Rsyslog Client Configuration

#### 1.1 Obtain Root Access

- Enter your root password when prompted

#### 1.2 Update System Packages

#### 1.3 Install Rsyslog

**Verification Tip:** Confirm Rsyslog is installed successfully.

#### 1.4 Start and Enable Rsyslog Service



#### 1.5 Check Rsyslog Status

**Expected Result:** Service should be in an active state

### Step 2: Rsyslog Server Configuration

#### 2.1 Edit Rsyslog Configuration
```bash
vim /etc/rsyslog.conf
```

#### 2.2 Enable UDP and TCP Modules
- Find and uncomment the following lines by removing the `#` symbol:
  ```
  $Modload imudp
  $UDPServerRun 514
  $Modload imtcp
  $inputTCPServerRun 514
  ```

#### 2.3 Configure Log Template
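- Add the following lines to define log storage. The template writes each message to a per-host, per-program file, and `& ~` discards the message afterwards so later rules do not process it again: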
  ```
  $template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
  *.* ?RemoteLogs
  & ~
  ```

#### 2.4 Apply Server Configuration
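```bash
systemctl restart rsyslog
# Switches SELinux to permissive mode (denials are logged, not enforced) until the next reboot
setenforce Permissive
# Disables and stops the host firewall entirely, exposing every listening port, not only 514
systemctl disable firewalld
systemctl stop firewalld
```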

### Step 3: Final Client Configuration

#### 3.1 Modify Client Rsyslog Configuration
```bash
vim /etc/rsyslog.conf
```

#### 3.2 Add Remote Server Logging Rule
- Insert the following line (replace `ServerIP` with the actual IP address of the server). The single `@` forwards over UDP; `@@` would forward over TCP:
  ```
  *.* @ServerIP:514
  ```

#### 3.3 Restart Rsyslog on Client
```bash
systemctl restart rsyslog
```

#### 3.4 Verify Log Directory on the Server
```bash
ls -l /var/log
```
**Expected Result:**
- You should see a directory named after the client's hostname
- It contains files such as `rsyslogd.log` and `systemd.log`

## Troubleshooting Tips
- Ensure firewall settings allow log forwarding
- Verify network connectivity between client and server
- Check Rsyslog service status if logs aren't forwarding

## Security Considerations
- Configure firewall rules appropriately
- Use encrypted log transmission when possible
- Regularly review and rotate logs
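
To check a host against the "encrypted log transmission" point, the following added example (not part of the original guide) lists every listener and forwarding rule in a legacy-syntax `rsyslog.conf` with its transport, which makes the single-`@` UDP rule from step 3.2 stand out. The function name `audit_rsyslog_transport`, the sample file, the host `logs.example.test` and port 6514 are constructed for illustration; `$ActionSendStreamDriverMode 1` is rsyslog's legacy directive for TLS on a forwarding action and is assumed to precede the rule it covers.

```bash
# Added example, not from the original guide.
# Lists each listener and forwarding rule in a legacy-syntax rsyslog.conf.
# Assumes hostname or IPv4 targets; "(option)" prefixes are not handled.
audit_rsyslog_transport() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    { key = tolower($1) }                      # match directive names in any case
    key == "$udpserverrun"      { print "listen udp " $2; next }
    key == "$inputtcpserverrun" { print "listen tcp " $2; next }
    # Legacy TLS setups put this directive ahead of the forwarding action.
    key == "$actionsendstreamdrivermode" { tls = ($2 == "1"); next }
    NF >= 2 && $2 ~ /^@/ {                     # "<selector> @host" or "@@host"
        target = $2
        proto = (target ~ /^@@/) ? "tcp" : "udp"   # one @ is UDP, two is TCP
        sub(/^@+/, "", target)
        port = "514"                           # used when no ":port" is given
        if (split(target, hp, ":") == 2) { target = hp[1]; port = hp[2] }
        enc = (proto == "tcp" && tls) ? "tls" : "plaintext"
        print "forward " proto " " target ":" port " " enc
    }
    ' "$1"
}

# Constructed sample: the server and client lines from this guide in one file,
# followed by a hypothetical TLS forwarding pair for comparison.
sample=$(mktemp)
cat > "$sample" <<'EOF'
$Modload imudp
$UDPServerRun 514
$Modload imtcp
$inputTCPServerRun 514
*.* @ServerIP:514
$ActionSendStreamDriverMode 1
*.* @@logs.example.test:6514
EOF
audit_rsyslog_transport "$sample"
rm -f "$sample"
```

Any `forward ... plaintext` line means log contents cross the network unencrypted, and a `udp` line additionally means delivery is not acknowledged.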

## Common Issues
1. **Port Blocking:** Ensure port 514 is open
2. **Permission Errors:** Verify root/sudo access
3. **Network Connectivity:** Check server IP and network settings

## Conclusion
By following these steps, you should have successfully configured Rsyslog for log forwarding between a client and a remote server.

**Note:** Always test in a controlled environment first and adapt instructions to your specific system configuration.