
Configuring Rsyslog

Setting up a syslog server to gather logs from diverse devices in your network is straightforward using Ubuntu Server. The integrated Rsyslog software allows you to easily configure it as a syslog client or server. Given that most network devices can transmit logs to an external server, configuring your Ubuntu server to function as a central log collection point is a swift process.

Rsyslog is already installed on most Linux distributions, so it only needs to be configured. First, edit /etc/rsyslog.conf and uncomment the following lines so the server accepts incoming syslog messages on TCP and UDP port 514. Both listeners carry plaintext and do nothing to authenticate the sender, so limit port 514 to the hosts that are supposed to send logs (for example with a host firewall rule) rather than leaving it open to the whole network.

module(load="imudp")
input(type="imudp" port="514")

module(load="imtcp")
input(type="imtcp" port="514")

Next, create /etc/rsyslog.d/30-custom.conf and add a rule for each host whose logs should go to their own file. Compare the sender address with == rather than startswith: startswith '192.168.17.4' would also match 192.168.17.40 through 192.168.17.49.

if $fromhost-ip == '192.168.17.4' then /var/log/network/192.168.17.4.log
& stop
if $fromhost-ip == '192.168.17.3' then /var/log/network/192.168.17.3.log
& stop

The "& stop" line discards the message after it has been written, so it does not also land in the default log. Keep in mind that $fromhost-ip is simply the source address of the packet, which is trivial to spoof over UDP, so this is a filing convention rather than an authentication control. Any host without a rule in this file still has its messages collected in the default log file, /var/log/syslog. Create the /var/log/network directory and give it to the syslog user, which is the unprivileged account rsyslog runs as on Ubuntu:

mkdir /var/log/network
chown syslog:adm /var/log/network

Restart Rsyslog to apply the changes.

systemctl restart rsyslog