Set Up A Centralised Log Server On Linux (Ubuntu 14.04)

Server logs are a wealth of useful information, and every sysadmin knows it. Logs are often our only means of troubleshooting critical issues, so they must be backed up properly and efficiently. While every Linux distribution has logging built in, it's always good to have a centralised log server that captures the logs from all other client nodes. It serves many purposes. It acts as a central point of contact whenever we need to check the logs, so there is no need to log in to individual servers. It also reduces the load on the storage media of individual servers, since all the logging is recorded on one central server with huge storage 🙂 Let's learn how to set up our own centralised log server on Linux. I have shown this using Ubuntu, but the same applies to Red Hat based servers as well.

Lab Description:

Log Server – Ubuntu 14.04

Log Client Node – Ubuntu 14.04

Server Configuration:

Enable the UDP/TCP port. Edit the /etc/rsyslog.conf file. Under the MODULES section there are commented-out directives for UDP and TCP reception. Uncomment both of them; after uncommenting they look like the lines below. 514 is the port. This enables UDP/TCP communication from the clients to the server.

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Define a template for the logs. The template defines the filename and location of the logs. Just above the GLOBAL directive section, add the lines below to define a template.

$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& ~

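The 1st line defines the name and location of each log file: one directory per sending host and one file per program. The 2nd line tells the rsyslog daemon to apply this template to all messages (*.* matches every facility and priority). The 3rd line stops further processing of those messages, so the older logging rules no longer apply and only this new logging is used.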
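How the RemoteLogs template turns a received message into a file path, as an added example (not from the original post, and a simplified model rather than rsyslog's own parser). The sample messages are constructed and the helper names are hypothetical. Because both fields are read from what the sender wrote, the sketch also refuses values that are not a single path component.

```python
import re

# Simplified RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: message
LINE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+):? ?(.*)$")
TEMPLATE = "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"  # template string from the page

def parse(line):
    """Split one syslog line into the fields the template uses."""
    m = LINE.match(line)
    if not m:
        return None
    pri, _timestamp, host, tag, msg = m.groups()
    pri = int(pri)
    return {
        "facility": pri >> 3,   # e.g. 4 = auth, 10 = authpriv
        "severity": pri & 7,    # 0 = emerg ... 7 = debug
        "HOSTNAME": host,
        # program name = static part of the tag, cut at '[' (pid) or '/'
        "PROGRAMNAME": re.split(r"[\[/]", tag, maxsplit=1)[0],
        "msg": msg,
    }

def is_single_component(name):
    """True if name can only ever be one file or directory name."""
    return name not in ("", ".", "..") and "/" not in name and "\x00" not in name

def resolve(line):
    """Return the log file path for a message, or None if it is unusable."""
    fields = parse(line)
    if fields is None:
        return None
    keys = ("HOSTNAME", "PROGRAMNAME")
    if not all(is_single_component(fields[k]) for k in keys):
        return None
    path = TEMPLATE
    for key in keys:
        path = path.replace("%" + key + "%", fields[key])
    return path

SAMPLES = [  # constructed messages, not captured traffic
    "<85>Jul  6 09:48:01 shashank-client sudo: shashank : TTY=pts/0 ; COMMAND=/bin/ls",
    "<38>Jul  6 09:48:05 shashank-client sshd[2211]: Accepted password for shashank",
    "<30>Jul  6 09:47:12 shashank-server avahi-autoipd(eth0)[812]: Found user",
    "<13>Jul  6 09:49:00 .. cron: constructed message with an unusable host field",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(resolve(sample))
```

The bracketed PID is dropped but everything else in the tag is kept, which is why file names such as avahi-autoipd(eth0).log show up on the server.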

Restart the rsyslog daemon.

service rsyslog restart

Client Configuration:

Ensure your client nodes can communicate with the server. Adjust the firewall to allow UDP/TCP port 514 if needed.

Edit the configuration file. We only need to define the IP address or FQDN of our log server in the /etc/rsyslog.conf file, so open the file and add the line below to the end. No explanation needed here, right? 😉 It's the IP of the log server and the UDP/TCP port.

#Defining the Central Log Server
*.* @

After this, restart the rsyslog daemon.

service rsyslog restart

You will see new directories inside /var/log with the names of your client(s). Inside these, there will be many log files named after their respective programs, such as sudo.log.

drwx------  2 syslog            syslog     4096 jul  6 09:48 shashank-server/
drwx------  2 syslog            syslog     4096 jul  6 09:47 shashank-client/
root@shashank-server:/var/log# ll shashank-server/
50mounted-tests.log           avahi-autoipd(eth0).log       gnome-keyring-daemon.log      pkexec.log                    sudo.log
accounts-daemon.log           avahi-daemon.log              jenkins.log                   polkitd(authority=local).log  su.log
acpid.log                     colord.log                    kernel.log                    polkitd.log                   udisksd.log
anacron.log                   cracklib.log                  lightdm.log                   postfix.log                   useradd.log
AptDaemon.log                 cron.log                      ModemManager.log              pulseaudio.log                whoopsie.log
AptDaemon.PackageKit.log      CRON.log                      mtp-probe.log                 rsyslogd-2207.log             xinetd.log
AptDaemon.Trans.log           crontab.log                   NetworkManager.log            rsyslogd-2307.log             
AptDaemon.Worker.log          dbus.log                      ntpdate.log                   rsyslogd.log                  
audispd.log                   dhclient.log                  os-prober.log                 rtkit-daemon.log              
auditd.log                    failsafe.log                  passwd.log                    sshd.log