Syslog

TOC

  1. Configuration
    1. Change save location for log files
    2. Send logs to remote server
    3. Receive logs from Clients
    4. Filtering logs by source or severity
    5. Using log templates
    6. Log testing

Configuration

  • The configuration file is located at /etc/rsyslog.conf

  • By default, logs are stored in /var/log/messages

Change save location for log files

*.* /your/new/dir/here

The target of an action is the file rsyslog writes to, so give it a full file path inside your new directory, not the directory alone.

Send logs to remote server

Put one of these lines in your /etc/rsyslog.conf file (or wherever your config file is located). A single @ forwards over UDP, a double @@ over TCP; TCP is the better choice when messages must not be silently dropped.

*.* @<REMOTE-SERVER-IP>:514   # UDP
*.* @@<REMOTE-SERVER-IP>:514  # TCP

Then restart the rsyslog service

Receive logs from Clients

Enable reception in your config file:

# UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

Remember to open the ports you enabled here in your firewall configuration.

Verify the service is listening on port 514

ss -tunlp | grep 514

Filtering logs by source or severity

Add to config:

# rsyslog's textual severity names are emerg, alert, crit, err, warning, notice, info, debug
if $syslogseverity-text == 'err' then /var/log/error.log
& stop

The & stop line discards the message after it has been written, so matched messages do not also land in the default log file.

Using log templates

template(name="CustomFormat" type="string" string="%timestamp% %hostname% %msg%\n")
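How the properties used by the filtering and template sections are derived from a raw syslog line, as an added Python example (not rsyslog's code or this page's): it decodes the PRI into facility and severity, applies the severity rule from the filtering section plus an assumed source rule on $programname, and expands a CustomFormat-style string template. The sample lines are constructed, and the sshd rule with its /var/log/sshd.log path is an assumption.

```python
import re

# Names as rsyslog's $syslogseverity-text / $syslogfacility-text report them;
# severity 3 is "err", so a filter comparing against 'error' never matches.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]

# RFC 3164 line as the @/@@ forwarders send it: <PRI>TIMESTAMP HOSTNAME TAG: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<rest>.*)$", re.DOTALL)

def parse_syslog(line):
    """Split one syslog line into the properties rsyslog filters and templates use."""
    m = RFC3164.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % line)
    pri = int(m["pri"])
    if pri > 191:                       # local7.debug = 23*8+7 is the highest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    tag, _, msg = m["rest"].partition(": ")
    return {"timestamp": m["timestamp"], "hostname": m["hostname"],
            "facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "programname": tag.split("[", 1)[0],    # "app[123]" -> "app", as $programname
            "msg": msg}

def select_action(rec):
    """First matching rule wins, which is what the page's '& stop' achieves."""
    if rec["severity"] == "err":            # the page's severity filter (text name is "err")
        return "/var/log/error.log"
    if rec["programname"] == "sshd":        # assumed extra rule: filter by source program
        return "/var/log/sshd.log"
    return "/var/log/messages"              # default destination from the page

def render(rec, template="%timestamp% %hostname% %msg%\n"):
    """Expand a string template like the page's CustomFormat."""
    return re.sub(r"%(\w+)%", lambda m: str(rec[m.group(1)]), template)

# Constructed samples: PRI 13 = user.notice (what `logger "Test msg !"` sends), 11 = user.err, 38 = auth.info
SAMPLE = [
    "<13>Mar  1 12:00:00 client1 alice: Test msg !",
    "<11>Mar  1 12:00:05 client1 app[123]: disk failure",
    "<38>Mar  1 12:00:07 client2 sshd[999]: Accepted publickey for alice",
]
```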

Log testing

logger "Test msg !"