Setting up an rsyslog Server

Dependencies

Optional

I use Micro as my editor. Feel free to substitute it with the editor you want to use.

Server setup

1. Choose the TCP port the syslog server will listen on and open it on any firewall in between (and forward it if the server sits behind NAT). Plain TCP syslog is neither authenticated nor encrypted, so expose the port only to the client networks that should be able to log to it.

2. Install dependencies.

3. As root (or with sudo), edit the rsyslog configuration file (/etc/rsyslog.conf by default).

4. Uncomment the lines that load the TCP input module (imtcp); this is what turns rsyslog into a server.

5. Provide templates for the log location. Each client gets its own log directory, organised by hostname, then year, then month. The paths are editable.

6. Route the log input from clients to the correct destinations by applying the templates.

7. Bind the ruleset to the TCP listener and start the listener. The port here is the one you chose in step 1. Keep these two lines at the end of the file: the bind directive must come after the ruleset it refers to and before the directive that starts the listener.

8. Save and exit the configuration file.

9. Restart the rsyslog service.

10. Note the server's IP address, or the DNS name the clients will use.
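The following script is an added example, not the page's own configuration: it writes a drop-in that does what steps 4 to 7 describe (load imtcp, per-client templates, a ruleset bound to the listener) in the current RainerScript syntax, validates the whole configuration with rsyslogd -N1 and only then restarts the service. The listener port 5140, the log root /var/log/remote and the drop-in path /etc/rsyslog.d/10-remote.conf are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not the page's own code. Generates and installs an rsyslog
# server drop-in. Assumed (not from the page): port 5140, log root
# /var/log/remote, drop-in /etc/rsyslog.d/10-remote.conf.

# Print the server configuration for PORT ($1) and LOGROOT ($2) to stdout.
server_conf() {
    port="$1"
    logroot="$2"
    cat <<EOF
# Load the TCP input module: this is the "server functionality".
module(load="imtcp")

# One directory per client: ${logroot}/<hostname>/<year>/<month>/
# %\$YEAR% and %\$MONTH% are rsyslog's system properties, %HOSTNAME% the
# hostname from the message header.
template(name="RemoteLogPath" type="string"
         string="${logroot}/%HOSTNAME%/%\$YEAR%/%\$MONTH%/messages.log")
template(name="RemoteAuthPath" type="string"
         string="${logroot}/%HOSTNAME%/%\$YEAR%/%\$MONTH%/auth.log")

# Rules applied only to messages that arrive on the remote listener, so
# they never mix with the server's own local logging.
ruleset(name="remote") {
    auth,authpriv.*  action(type="omfile" dynaFile="RemoteAuthPath")
    *.*              action(type="omfile" dynaFile="RemoteLogPath")
}

# Bind the ruleset to the TCP listener. The input must come after the
# ruleset definition. Plain TCP: no authentication, no encryption, so
# restrict reachability of this port with a firewall.
input(type="imtcp" port="${port}" ruleset="remote")
EOF
}

# Write the drop-in, check the full configuration, restart rsyslog.
# Must run as root. rsyslogd -N1 only parses the configuration.
install_server_conf() {
    port="${1:-5140}"
    logroot="${2:-/var/log/remote}"
    dest="${3:-/etc/rsyslog.d/10-remote.conf}"
    mkdir -p "$logroot" && chmod 750 "$logroot"
    server_conf "$port" "$logroot" > "$dest"
    if ! rsyslogd -N1; then
        echo "configuration check failed, not restarting rsyslog" >&2
        return 1
    fi
    systemctl restart rsyslog
}

# Usage: sh setup-server.sh --install [PORT] [LOGROOT] [DEST]
# Without --install the generated configuration is only printed.
if [ "${1:-}" = "--install" ]; then
    install_server_conf "$2" "$3" "$4"
elif [ "${1:-}" = "--print" ]; then
    server_conf "${2:-5140}" "${3:-/var/log/remote}"
fi
```

Run it with --print first to review the generated file; with --install it touches the system. Because the remote messages are handled by their own ruleset, the server's local rules in /etc/rsyslog.conf do not apply to them unless you add a call to the default ruleset.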

Client setup

1. Install dependencies.

2. As root (or with sudo), edit the rsyslog configuration file (/etc/rsyslog.conf by default).

3. Send your syslog messages to your server.

Replace SERVERIP with the server's IP address noted in step 10 of the server section (or with the server's DNS name), and SERVERPORT with the port chosen in step 1 of the server section.

4. Save and exit the configuration file.

5. Restart the rsyslog service.

Advanced

Basic Filter Options

Severity Levels

ID  Severity       Code
0   Emergency      emerg (panic is an alias)
1   Alert          alert
2   Critical       crit
3   Error          err (error is an alias)
4   Warning        warning (warn is an alias)
5   Notice         notice
6   Informational  info
7   Debug          debug

Lower numbers are more severe. A selector of the form facility.severity matches that severity and everything more severe, so mail.err matches err, crit, alert and emerg; prefix the severity with = to match exactly that level, and use none to match nothing.

Facilities

Facility                                                          Code
authentication and login messages                                 auth (security is an alias)
authentication messages that should not be world-readable         authpriv
cron and at scheduler                                             cron
system daemons that have no facility of their own                 daemon
kernel                                                            kern
line printer subsystem                                            lpr
mail system (sendmail, postfix, ...)                              mail
user-level processes and applications                             user
locally defined facilities, commonly used by network equipment    local0-local7
(Cisco devices default to local7) and Windows syslog agents
the syslog process itself                                         syslog

Schematics

Examples

The selectors used in step 6 of the server section have the form facility.severity, so the directives there may be replaced with any combination of the two tables above: any facility (or a comma-separated list of facilities, or * for all) paired with any severity (or * for all). Several selectors separated by semicolons may share one action.
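To make the combination rules above concrete, here is an added example (not from the page) that decodes the <PRI> prefix of syslog lines into facility and severity (PRI = facility * 8 + severity) and evaluates a classic facility.severity selector against them, including the "this level and more severe" rule, the = exact match, comma-separated facility lists and the * and none keywords. The sample log lines are constructed for the example; the facility names for numbers 12 to 15 follow RFC 5424 and are not rsyslog keywords.

```shell
#!/bin/sh
# Added example, not the page's code: selector semantics over sample lines.

# Names in numeric order, so the index in the list is the code.
# 12-15 are named after RFC 5424 (ntp, log audit, log alert, clock daemon);
# rsyslog has no keywords for them.
FACILITIES="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp logaudit logalert clock local0 local1 local2 local3 local4 local5 local6 local7"
SEVERITIES="emerg alert crit err warning notice info debug"

# name_to_num LIST NAME: print the index of NAME in LIST, fail if absent.
name_to_num() {
    name="$2"
    case "$name" in               # aliases rsyslog accepts
        warn)     name=warning ;;
        error)    name=err ;;
        panic)    name=emerg ;;
        security) name=auth ;;
    esac
    n=0
    for w in $1; do
        if [ "$w" = "$name" ]; then echo "$n"; return 0; fi
        n=$((n + 1))
    done
    return 1
}

# num_to_name LIST NUMBER: the reverse mapping.
num_to_name() {
    n=0
    for w in $1; do
        if [ "$n" -eq "$2" ]; then echo "$w"; return 0; fi
        n=$((n + 1))
    done
    return 1
}

# pri_of_line "<PRI>..." : print the numeric PRI of an RFC 3164 style line.
pri_of_line() {
    p="${1#<}"
    echo "${p%%>*}"
}

# selector_matches SELECTOR PRI: exit 0 if the selector matches the PRI.
#   fac.sev   sev or anything more severe;  fac.=sev  exactly sev
#   *.sev     any facility;                 fac.*     any severity
#   fac.none  nothing;  "fac1,fac2.sev"     either facility
selector_matches() {
    sel="$1"
    pri="$2"
    case "$sel" in *.*) ;; *) return 2 ;; esac
    fac=$(( pri / 8 ))
    sev=$(( pri % 8 ))
    sel_fac="${sel%%.*}"
    sel_sev="${sel#*.}"

    if [ "$sel_fac" != "*" ]; then
        fac_ok=1
        old_ifs="$IFS"; IFS=,
        set -- $sel_fac
        IFS="$old_ifs"
        for f in "$@"; do
            want=$(name_to_num "$FACILITIES" "$f") || return 2
            [ "$want" -eq "$fac" ] && fac_ok=0
        done
        [ "$fac_ok" -eq 0 ] || return 1
    fi

    case "$sel_sev" in
        '*')  return 0 ;;
        none) return 1 ;;
        =*)   want=$(name_to_num "$SEVERITIES" "${sel_sev#=}") || return 2
              [ "$sev" -eq "$want" ] ;;
        *)    want=$(name_to_num "$SEVERITIES" "$sel_sev") || return 2
              [ "$sev" -le "$want" ] ;;   # lower number = more severe
    esac
}

# Constructed sample lines: <38> auth.info, <35> auth.err,
# <134> local0.info, <9> user.alert.
SAMPLES='<38>Oct 11 22:14:15 web01 sshd[1234]: Accepted publickey for admin
<35>Oct 11 22:14:16 web01 sshd[1234]: error: maximum authentication attempts exceeded
<134>Oct 11 22:14:17 sw01 %LINK-3-UPDOWN: Interface Gi0/1, changed state to down
<9>Oct 11 22:14:18 db01 app[99]: disk array degraded'

# show_matches SELECTOR: print each sample line with MATCH where it applies.
show_matches() {
    printf '%s\n' "$SAMPLES" | while IFS= read -r line; do
        pri=$(pri_of_line "$line")
        fac=$(num_to_name "$FACILITIES" $(( pri / 8 )))
        sev=$(num_to_name "$SEVERITIES" $(( pri % 8 )))
        if selector_matches "$1" "$pri"; then tag=MATCH; else tag='     '; fi
        printf '%s <%s> %s.%s  %s\n' "$tag" "$pri" "$fac" "$sev" "${line#*>}"
    done
}

show_matches "${1:-auth.warn}"
```

Run it with a selector as the only argument, e.g. sh selectors.sh 'local0,local1.notice'. The point to take away is that auth.warn matches the auth.err line but not the auth.info line, because the selector severity is a threshold, not an exact level.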

Advanced Filter Options

Message Properties (Excerpt)

Property                                                             Code
the MSG part of the message (the text after the tag)                 msg
hostname from the message header                                     hostname (source is an alias)
IP address of the immediate sender, no DNS lookup                    fromhost-ip
DNS name of the immediate sender (the relay, if the message was relayed)   fromhost
the TAG, e.g. "name[1234]"                                           syslogtag
the program name part of the TAG, i.e. "name" from "name[1234]"      programname

Basic Operators

Operator description                                                Operator
checks if property content contains "string"                        contains
checks if property content is exactly equal to "string"             isequal
checks if property content starts with "string" (faster than regex) startswith
evaluates property content against POSIX BRE "regex"                regex
evaluates property content against POSIX ERE "regex"                ereregex

Prefix the operation with ! to negate it, e.g. :programname, !isequal, "systemd".

Expression Operators

Operator description                     Syntax
grouping of (sub-)expressions            ( expression )
logical negation of the expression that follows   not
arithmetic                               +, -, *, /, %
string concatenation                     &
comparison                               ==, !=, <>, <, >, <=, >=
string tests                             contains 'string', startswith 'string' (contains_i and startswith_i ignore case)
logical combination                      and, or

Schematics

Basic

Expressive

Examples

Basic

Discards everything that is not from systemd; the second line then writes what remains, i.e. only systemd output, to the logfile. In current rsyslog the discard action is spelled stop; the older ~ still works but is deprecated.

Same as above, but restricted to one hostname. source is an alias for hostname.

Expressive

Same as the previous entry, written as a RainerScript expression.

Logs only messages from facility local0 whose text starts with DEVNAME and whose msg contains error0 or error1.
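Because the filter lines the four descriptions above refer to are not shown, here is an added example (not the page's own code) that generates them as an rsyslog drop-in: the property-based form with and without the hostname restriction, and the two RainerScript expressions. The hostname web01 and the output file paths are assumptions.

```shell
#!/bin/sh
# Added example, not the page's code. Emits the filter examples described
# above as an rsyslog drop-in. Assumed: hostname web01, output paths.

# basic_filters [HOST]: property-based form. Without HOST this is the
# "only systemd" filter; with HOST it is additionally restricted to one client.
basic_filters() {
    host="$1"
    printf '%s\n' \
        '# Discard everything that is not from systemd. "stop" is the current' \
        '# spelling of the discard action; the legacy "~" still works.' \
        ':programname, !isequal, "systemd" stop'
    if [ -n "$host" ]; then
        printf '%s\n' \
            '# Also discard messages from any other client ("source" = "hostname").' \
            ":source, !isequal, \"$host\" stop"
    fi
    printf '%s\n' \
        '# Only systemd output survives the filters above. Note that "stop"' \
        '# ends processing for the discarded messages in ALL later rules,' \
        '# including other drop-ins and the server'"'"'s own rules.' \
        '*.* /var/log/systemd.log'
}

# expression_filters HOST: the RainerScript form. Nothing is discarded, so
# these rules coexist with everything else in the configuration.
expression_filters() {
    host="$1"
    cat <<EOF
# Same as the property-based form, as an expression.
if \$programname == 'systemd' and \$hostname == '${host}' then {
    action(type="omfile" file="/var/log/systemd-${host}.log")
}

# Only facility local0, text starting with DEVNAME, containing error0 or
# error1. If \$msg keeps the space that follows the TAG on your rsyslog
# version, match ' DEVNAME' (leading space) instead.
if \$syslogfacility-text == 'local0' and \$msg startswith 'DEVNAME'
   and (\$msg contains 'error0' or \$msg contains 'error1') then {
    action(type="omfile" file="/var/log/devname-errors.log")
}
EOF
}

# install_filters [HOST] [DEST]: write the drop-in and parse-check it.
install_filters() {
    host="${1:-web01}"
    dest="${2:-/etc/rsyslog.d/50-filters.conf}"
    { basic_filters "$host"; expression_filters "$host"; } > "$dest"
    rsyslogd -N1
}

# Usage: sh filters.sh [HOST]   (prints the generated drop-in)
basic_filters "${1:-web01}"
expression_filters "${1:-web01}"
```

Put the property-based and the expression form in one file only to compare them; in a real configuration choose one, since the stop in the property-based form would keep the non-systemd messages from ever reaching the expression rules.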

Automated Deployment

This script is an all-in-one solution for enabling your client(s) to send their syslog to your server.

Now all you have to do is download the script, make it executable and run it as root, like this:

Note that it removes all existing remote-destination entries before adding the new one. If you want to add more than one syslog server with this script, disable the "Remove previous entries." code block.