Controlling and managing log files on Linux-based operating systems is handled by the Rsyslog service, which is installed by default on most Linux distributions. The log files are stored under /var/log and play an important role in analysing and troubleshooting problems with the system and the services running on it.

In this guide, we will explain how to configure this service on the Debian operating system.

Rsyslog Service

Because it can act as both a client and a server, Rsyslog can send or receive log messages over TCP or UDP to and from other devices on the network, such as servers, routers, switches, or any other device that generates logs.

When configured in the server role, Rsyslog listens on the standard port 514 (TCP and/or UDP) and collects the log messages sent by other devices. When configured as a client, it forwards its own log messages to the Rsyslog server over TCP or UDP on port 514.

Rsyslog filters fall under one of these three categories:

  • Priority-based filters
  • Property-based filters
  • Expression-based filters

Priority filters identify the internal Linux process (the facility) that generated the log:

  • auth/authpriv: Messages generated by the authentication process
  • cron: Messages associated with cron jobs
  • daemon: Messages concerning running system services
  • kern: Linux kernel-related messages
  • mail: Messages associated with the mail server
  • syslog: Messages related to syslog itself
  • lpr: Messages related to the printer or print server
  • local0 – local7: Custom facilities controlled by the system administrator

Each priority level has a number and a keyword:

  • emerg, panic (level 0): Such a log shows that the system is completely disabled and cannot be used.
  • alert (level 1): It means that urgent action should be taken.
  • err (level 3): It means that a critical situation exists.
  • warn (level 4): Indicates a warning.
  • notice (level 5): It means that the situation is normal, but additional investigation is required.
  • info (level 6): It is simply information about an event.
  • debug (level 7): Debug messages.

Installing Rsyslog

As mentioned at the beginning of this article, this service is installed by default on recent Linux-based operating systems. If it is not installed, you can install it with the following command:

sudo apt-get install rsyslog

To make sure that this service has been installed and is active, you can use the following command:

systemctl status rsyslog.service

To configure Rsyslog as a server, you must edit the /etc/rsyslog.conf file. Open it with the following command:

sudo vi /etc/rsyslog.conf

Next, press the letter I to enter insert mode and remove the leading # character from the lines under the comments “provides TCP syslog reception” and “provides UDP syslog reception”, so that both receivers are uncommented and enabled.

Add the following directive after the (type="imtcp" port="514") line to restrict which senders are accepted, by subnet, IP address or domain name (replace x.x.x.x with the desired network address):

$AllowedSender TCP, 127.0.0.1, x.x.x.x/24, *.yourdomain.com

Creating a Template

A template specifies how Rsyslog stores the logs it receives. Add the template definition, followed by the selector line that binds it to an action, after the directive above:

$template Incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?Incoming-logs

For Rsyslog version 7 or later, templates can also be defined in the newer RainerScript format:

template(name="MyTemplate" type="string" string="/var/log/%FROMHOST-IP%/%PROGRAMNAME:::secpath-replace%.log" )

The equivalent list-type template looks like this:

template(name="MyTemplate" type="list") {
    constant(value="/var/log/")
    property(name="fromhost-ip")
    constant(value="/")
    property(name="programname" SecurePath="replace")
    constant(value=".log")
}

When this template is added to the Rsyslog configuration file and bound to an action (as with *.* ?Incoming-logs above), incoming messages are written under /var/log in the format the template specifies. In addition to the properties used above, the following properties can be used in templates:

%syslogseverity%, %syslogfacility%, %timegenerated%, %HOSTNAME%, %syslogtag%, %msg%, %FROMHOST-IP%, %PRI%, %MSGID%, %APP-NAME%, %TIMESTAMP%, %$year%, %$month%, %$day%
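As an added example that is not part of the original guide, the following shell script assembles a complete server configuration as a drop-in file under /etc/rsyslog.d/ instead of editing /etc/rsyslog.conf in place: it loads the TCP and UDP receivers the guide tells you to uncomment, adds the $AllowedSender allow-list, defines a MyTemplate-style dynafile template with secpath-replace, and binds both listeners to their own ruleset so remote messages never mix into the local /var/log/syslog. The drop-in path /etc/rsyslog.d/50-remote.conf, the template and ruleset names, and the 192.0.2.0/24 network standing in for the guide's x.x.x.x/24 are assumptions; the $AllowedSender lines are placed before the listener definitions, the ordering rsyslog's documentation asks for with that legacy directive.

```shell
#!/bin/sh
# Added example (not from the original guide): build a drop-in rsyslog server
# configuration that enables TCP/UDP reception, restricts senders, and writes
# remote logs to per-host files through a dynafile template.
# Assumptions: rsyslog 7+ (RainerScript syntax), 192.0.2.0/24 stands in for the
# guide's x.x.x.x/24, and the drop-in path /etc/rsyslog.d/50-remote.conf.

# render_remote_conf NETWORK... -> prints the configuration to stdout.
# 127.0.0.1 is always allowed so local tests with logger(1) keep working.
render_remote_conf() {
    senders="127.0.0.1"
    for net in "$@"; do
        senders="$senders, $net"
    done
    cat <<EOF
# Load the TCP and UDP syslog receivers.
module(load="imtcp")
module(load="imudp")

# Legacy sender allow-list; it must appear before the listeners are defined.
\$AllowedSender TCP, $senders
\$AllowedSender UDP, $senders

# One file per sending host and program. secpath-replace rewrites any "/" in
# the (remote-controlled) program name so the file cannot escape /var/log/remote.
template(name="RemoteLogs" type="string"
         string="/var/log/remote/%FROMHOST-IP%/%PROGRAMNAME:::secpath-replace%.log")

# Remote messages get their own ruleset, so they never land in /var/log/syslog.
ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteLogs")
}

input(type="imtcp" port="514" ruleset="remote")
input(type="imudp" port="514" ruleset="remote")
EOF
}

# install_remote_conf NETWORK... -> writes the file, checks the syntax of the
# whole configuration without starting the daemon, then restarts rsyslog.
install_remote_conf() {
    conf=/etc/rsyslog.d/50-remote.conf
    render_remote_conf "$@" | sudo tee "$conf" >/dev/null
    sudo rsyslogd -N1 || return 1
    sudo systemctl restart rsyslog
}

# Usage: install_remote_conf 192.0.2.0/24 '*.yourdomain.com'
```

rsyslogd -N1 parses the full configuration (rsyslog.conf plus every drop-in) and reports errors without starting the service, so a typo is caught before the restart would otherwise leave logging down.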

To apply the changes made to the Rsyslog configuration file, you need to restart the service. Use either of the following commands to do so:

sudo service rsyslog restart
sudo systemctl restart rsyslog

Finally, to confirm that Rsyslog is listening on both the TCP and UDP ports, use the following command:

sudo netstat -taupn | grep rsyslog
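The following script is an added example, not part of the original guide, that turns the netstat check above into a repeatable verification step: it parses `ss -tulpn` output (ss is the modern replacement for netstat on Debian) to confirm that rsyslogd is bound to port 514 on both protocols, reporting which one is missing, and then sends a tagged test line over TCP and UDP with util-linux logger and looks for it in the per-sender file. It assumes a dynafile template of the form /var/log/%FROMHOST-IP%/%PROGRAMNAME%.log like the MyTemplate shown above (the legacy Incoming-logs template uses %HOSTNAME% instead, so the path would differ); the tag rsyslogcheck is a constructed value.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that rsyslogd listens on
# port 514 over TCP and UDP and that a test message reaches the per-sender file.
# Assumes the MyTemplate-style path /var/log/<sender-ip>/<program>.log and
# util-linux logger(1); the tag "rsyslogcheck" is a constructed value.

# list_syslog_listeners: reads `ss -tulpn` output on stdin and prints the
# protocol (tcp/udp) of every rsyslogd socket bound to port 514, one per line.
# Column 5 of ss output is "Local Address:Port"; the regex also matches [::]:514.
list_syslog_listeners() {
    awk '/rsyslogd/ && $5 ~ /:514$/ { print $1 }'
}

# listener_status: reads `ss -tulpn` output on stdin; returns 0 when both a tcp
# and a udp listener exist, otherwise prints the missing protocol and returns 1.
listener_status() {
    found=$(list_syslog_listeners | sort -u | tr '\n' ' ')
    rc=0
    for proto in tcp udp; do
        case " $found " in
            *" $proto "*) ;;
            *) echo "missing $proto listener on 514"; rc=1 ;;
        esac
    done
    return $rc
}

# send_test_messages HOST: sends one tagged line over TCP (-T) and one over UDP
# (-d), waits for rsyslog to flush, then shows the lines in the file the
# template should have created for this sender IP and program name.
send_test_messages() {
    host=${1:-127.0.0.1}
    tag=rsyslogcheck
    logger -n "$host" -P 514 -T -t "$tag" "tcp test $$"
    logger -n "$host" -P 514 -d -t "$tag" "udp test $$"
    sleep 1
    sudo grep "test $$" "/var/log/$host/$tag.log"
}

# Usage (live):
#   ss -tulpn | listener_status && send_test_messages 127.0.0.1
```

If listener_status reports a missing protocol, the corresponding module(load=...) or input(...) line is still commented out, or the restart did not pick up the change; if the listeners are fine but the grep finds nothing, check that 127.0.0.1 is included in the $AllowedSender list for that protocol.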