If you’re managing multiple Linux systems, consolidating logs from different servers into one place can drastically improve your ability to troubleshoot, audit, and monitor your infrastructure. Centralized logging using Rsyslog is one of the most efficient ways to achieve this.
In this blog post, we’ll configure loghost to receive logs from web01 using TCP port 514, structure incoming logs by source and service, and confirm that everything works properly.
- Prerequisites
- Step 1: Preparing loghost (The Logging Receiver)
- Step 2: Configuring web01 (The Logging Sender)
- Step 3: Verify Logs on loghost
- Conclusion
Prerequisites
To follow this setup, you’ll need:
- Two Linux machines with Rsyslog installed (commonly pre-installed).
- Sudo/root access on both.
- Basic networking between the machines.
In this example:
- loghost is the server that will collect logs.
- web01 is the server that will send logs to loghost.
Step 1: Preparing loghost (The Logging Receiver)
Verify Rsyslog Installation
Check that Rsyslog is installed on loghost:
rsyslogd -v
You should see version output. If not, install it using your distro’s package manager.
Confirm the Service Is Running
Ensure Rsyslog is active:
systemctl status rsyslog
If it isn’t running, start it:
sudo systemctl start rsyslog
Get the IP Address of loghost
You’ll need this for configuration on web01:
hostname -I
Save the IP address for later.
Enable TCP Log Reception
Edit the main configuration file on loghost:
sudo vi /etc/rsyslog.conf
Uncomment the following lines under the TCP section:
module(load="imtcp")
input(type="imtcp" port="514")
This enables Rsyslog to receive logs over TCP on port 514.
Define a Custom Log Template
Still in the config file, add this at the top:
$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& stop
This stores logs in folders named after the sending host and log-generating program.
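The rule above, placed at the top of the file, also matches messages generated on loghost itself, and the hostname and program name it puts into the path are supplied by the sender. The following RainerScript variant is an added example, not part of the original post: it binds the file rule to the TCP input only and applies the secpath-replace property option to both path components. The ruleset name "remote" is an assumption.

```conf
# /etc/rsyslog.conf on loghost (constructed example).
# Use this INSTEAD of the legacy "$template" / "*.* ?RemoteLogs" / "& stop"
# lines and the plain input(type="imtcp" port="514") line. Defining the
# input twice would make the second listener fail to bind port 514.

module(load="imtcp")

# Same layout as the post: /var/log/<host>/<program>.log
# hostname and programname are parsed from the received message, so they
# are sender-controlled. secpath-replace rewrites "/" to "_" inside the
# field, so a crafted value cannot add directory levels to the path.
template(name="RemoteLogs" type="string"
         string="/var/log/%hostname:::secpath-replace%/%programname:::secpath-replace%.log")

# Rules in a named ruleset apply only to messages from inputs bound to it.
# The name "remote" is an assumption.
ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteLogs")
}

# Bind the TCP listener to the ruleset. Messages generated on loghost
# itself stay in the default ruleset and keep going to their usual files.
input(type="imtcp" port="514" ruleset="remote")
```

Check the syntax with rsyslogd -N1 before restarting the service.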
Open Port 514 in the Firewall
Allow TCP traffic on port 514:
sudo firewall-cmd --permanent --add-port=514/tcp
sudo firewall-cmd --reload
Restart Rsyslog
Apply your changes:
sudo systemctl restart rsyslog
Confirm It’s Listening on TCP
Verify that Rsyslog is listening:
sudo ss -tulnp | grep 514
You should see a line indicating TCP port 514 is open and used by rsyslogd.
Step 2: Configuring web01 (The Logging Sender)
Verify Rsyslog Is Installed
Check on web01:
rsyslogd -v
Confirm version output.
Edit the Rsyslog Rule File
On web01, edit the rule file:
sudo nano /etc/rsyslog.d/50-default.conf
Add the following line to forward all logs to loghost:
*.* @@loghost.lan:514
Replace loghost.lan with the IP address of your logging server if DNS isn’t set up.
The @@ indicates TCP should be used for log forwarding.
Restart Rsyslog on web01
Apply the change:
sudo systemctl restart rsyslog
Send a Test Message
Use the logger command to generate a test log:
logger "Hello from web01"
Step 3: Verify Logs on loghost
On loghost, check that logs from web01 are received:
ls /var/log/web01/
You should see log files categorized by service, e.g., syslog.log, user.log.
Tail the user log to verify:
sudo tail /var/log/web01/user.log
You should see the message: Hello from web01.
Send another test message:
logger "Second test from web01"
Tail the log again to see the new entry:
sudo tail /var/log/web01/user.log
Conclusion
We’ve successfully set up centralized logging using Rsyslog with loghost receiving logs from web01. This approach is scalable, easy to manage, and lays the groundwork for deeper log analysis or integration with tools like Logwatch, Splunk, or the ELK stack.
Structured logs make your infrastructure easier to audit and debug. With this simple configuration, your logging is no longer fragmented—it’s unified and accessible.
📝 For more information about rsyslog, please review its man page.