24 May 2025

Configuring Logging with Rsyslog


If you’re managing multiple Linux systems, consolidating logs from different servers into one place can drastically improve your ability to troubleshoot, audit, and monitor your infrastructure. Centralized logging using Rsyslog is one of the most efficient ways to achieve this.

In this blog post, we’ll configure loghost to receive logs from web01 using TCP port 514, structure incoming logs by source and service, and confirm that everything works properly.



Prerequisites

To follow this setup, you’ll need:

  • Two Linux machines with Rsyslog installed (commonly pre-installed).
  • Sudo/root access on both.
  • Basic networking between the machines.

In this example:

  • loghost is the server that will collect logs.
  • web01 is the server that will send logs to loghost.


Step 1: Preparing loghost (The Logging Receiver)


Verify Rsyslog Installation

Check that Rsyslog is installed on loghost:

rsyslogd -v

You should see version output. If not, install it using your distro’s package manager.


Confirm the Service Is Running

Ensure Rsyslog is active:

systemctl status rsyslog

If it isn’t running, start it:

sudo systemctl start rsyslog


Get the IP Address of loghost

You’ll need this for configuration on web01:

hostname -I

Save the IP address for later.


Enable TCP Log Reception

Edit the main configuration file on loghost:

sudo vi /etc/rsyslog.conf

Uncomment the following lines under the TCP section:

module(load="imtcp")
input(type="imtcp" port="514")

This enables Rsyslog to receive logs over TCP on port 514.


Define a Custom Log Template

Still in the config file, add this at the top:

$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& stop

This writes each received message to /var/log/<hostname>/<programname>.log, where the folder is named after the sending host and the file after the program tag that generated the message; the "& stop" line tells Rsyslog not to process the same message against the rules that follow. Note that *.* also matches loghost's own messages, so they will land under /var/log/loghost/ rather than in the default local files.


Open Port 514 in the Firewall

Allow TCP traffic on port 514:

sudo firewall-cmd --permanent --add-port=514/tcp
sudo firewall-cmd --reload


Restart Rsyslog

Apply your changes:

sudo systemctl restart rsyslog


Confirm It’s Listening on TCP

Verify that Rsyslog is listening:

sudo ss -tulnp | grep 514

You should see a line indicating TCP port 514 is open and used by rsyslogd.


Step 2: Configuring web01 (The Logging Sender)


Verify Rsyslog Is Installed

Check on web01:

rsyslogd -v

Confirm version output.


Edit the Rsyslog Rule File

On web01, edit the rule file:

sudo nano /etc/rsyslog.d/50-default.conf


Add the following line to forward all logs to loghost:

*.* @@loghost.lan:514

Replace loghost.lan with the IP address of your logging server if DNS isn’t set up.

The @@ indicates TCP should be used for log forwarding (a single @ would forward over UDP instead).


Restart Rsyslog on web01

Apply the change:

sudo systemctl restart rsyslog


Send a Test Message

Use the logger command to generate a test log:

logger "Hello from web01"


Step 3: Verify Logs on loghost

On the loghost, check that logs from web01 are received:

ls /var/log/web01/


You should see one log file per program name that has sent a message, e.g., syslog.log, user.log.

Tail the user log to verify:

sudo tail /var/log/web01/user.log

You should see the message: Hello from web01.


Send another test message:

logger "Second test from web01"

Tail the log again to see the new entry:

sudo tail /var/log/web01/user.log
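To see why the test message lands in /var/log/web01/user.log, here is an added Python script (not part of the original post and not rsyslog's own code) that parses the BSD-style syslog lines web01 sends over TCP 514 and renders the RemoteLogs template from Step 1 for each one. It assumes Rsyslog's default line format, and it passes the hostname and tag through a slash-replacing step of the kind Rsyslog's secpath-replace template option provides, so a tag containing a slash cannot create files outside the sender's folder.

```python
import re

# Pattern for the BSD-style (RFC 3164) lines rsyslog parses by default:
#   <PRI>Mon DD HH:MM:SS hostname tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

def parse_syslog(line):
    """Split one syslog line into the properties the template refers to."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    pri = int(m["pri"])
    return {
        "facility": pri // 8,        # e.g. 1 = user, 10 = authpriv
        "severity": pri % 8,         # e.g. 5 = notice, 6 = info
        "hostname": m["host"],       # %HOSTNAME%
        "programname": m["tag"],     # %PROGRAMNAME%: the tag without [pid]
        "msg": m["msg"],
    }

def safe_component(value):
    """Keep a hostname or tag inside its directory (like secpath-replace)."""
    cleaned = value.replace("/", "_")
    return "_" if cleaned in ("", ".", "..") else cleaned

def remote_log_path(line, base="/var/log"):
    """Render the RemoteLogs template for one received line."""
    rec = parse_syslog(line)
    host = safe_component(rec["hostname"])
    prog = safe_component(rec["programname"])
    return f"{base}/{host}/{prog}.log"

if __name__ == "__main__":
    # Constructed sample lines, as web01 would send them over TCP 514.
    samples = [
        "<13>May 24 12:00:01 web01 user: Hello from web01",
        "<86>May 24 12:00:02 web01 sshd[1234]: Accepted publickey for alice",
        "<13>May 24 12:00:03 web01 app/worker: started",
    ]
    for s in samples:
        print(remote_log_path(s))
```

The first sample is the logger test from Step 2 (PRI 13 = facility user, severity notice); the third shows the sanitising step turning a slash in the tag into an underscore.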


Conclusion

We’ve successfully set up centralized logging using Rsyslog with loghost receiving logs from web01. This approach is scalable, easy to manage, and lays the groundwork for deeper log analysis or integration with tools like Logwatch, Splunk, or the ELK stack.

Structured logs make your infrastructure easier to audit and debug. With this simple configuration, your logging is no longer fragmented—it’s unified and accessible.


📝 For more information about rsyslog, please review its man page.