Syslog Tutorial

Syslog is a way to consolidate logs from different systems onto a remote syslog server. A syslog server consists of three key components. The first is a listener that collects syslog data, by default over UDP port 514 (TCP on port 514 and TLS on port 6514 are also common). Next comes the storage, a set of log files or a database, that holds the received data, and finally the management and filtering software that lets you search the syslog data for quick troubleshooting.

As a system administrator, it is useful to understand how syslog works and how to configure client machines to direct their syslog data to the remote server. This guide covers syslog on Linux and provides the steps to consolidate logs on a remote computer.

Understand syslog

Syslog is a logging protocol, defined in RFC 3164 (the older BSD format) and RFC 5424, that lets hosts transmit log messages to a syslog server over an IP network; the traditional transport is UDP port 514. UDP delivery is unacknowledged and the messages are neither encrypted nor authenticated, so anything on the network path can drop, read or forge them; TCP avoids silent loss and TLS (RFC 5425, port 6514) protects the content. The job of the syslog server is to receive the messages, store them and make them available for monitoring and alerting.

This lets an administrator manage the logs of many clients from one place, quickly trace an error on a client computer from the messages it sent, and keep a copy of that evidence off the machine that produced it.

The syslog clients generate syslog messages, which they send to the syslog server. The message consists of three main parts.

  1. Priority (PRI) – Encodes the facility (which part of the system produced the message, e.g. kern, auth, cron) and the severity (0 Emergency to 7 Debug) in a single number: PRI = facility × 8 + severity. Both parts are what you filter on when you want, say, only authentication messages of Warning level or worse.
  2. Header – Carries the timestamp and the name of the host that sent the message; in RFC 5424 it also includes the protocol version, the application name, the process ID and a message ID.
  3. Message – The free-text description of the event that an administrator reads when troubleshooting, for example the user, source address or path involved.

Let's look at an example syslog message in RFC 5424 format and identify its parts.

<34>1 2022-10-03T10:30:35.004Z linuxhint su - ID12 - 'su root' failed for linuxhint on /dev/pts/4

Reading from the left: <34> is the PRI value. 34 = 4 × 8 + 2, so the facility is 4 (security/authorization) and the severity is 2 (Critical). The 1 that follows is the protocol version (RFC 5424 defines only version 1). Next come the ISO 8601 timestamp and the hostname (linuxhint), then the application that raised the event (su) and its process ID, which here is the nil value '-' because none was supplied. ID12 is the message ID, the next '-' is an empty structured-data field, and everything after it is the free-text message. Note that every one of these fields, the hostname included, is filled in by the sender; the server records them as received.
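To make the decoding above concrete, here is an added Python example (not code from the original tutorial) that parses RFC 5424 lines, splits PRI back into facility and severity, and applies a severity filter the way an rsyslog selector such as *.crit would. The function and constant names are my own, and the three sample lines are constructed for the example; the first is the message dissected above.

```python
"""Parse RFC 5424 syslog messages and decode the PRI field (facility * 8 + severity)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Facility codes 0-23 (RFC 5424 Table 1), with the short names rsyslog selectors use.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity codes 0-7 (RFC 5424 Table 2): the lower the number, the more severe.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
# The same severities as the keywords written in rsyslog/syslog.conf selectors.
SEVERITY_KEYWORDS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
# "-" is the nil value for PROCID, MSGID and STRUCTURED-DATA.
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)"  # one or more [SD-ELEMENT]; a ']' inside is escaped as '\]'
    r"(?: (?P<msg>.*))?$",
    re.DOTALL,
)


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    version: int
    timestamp: str
    hostname: str
    app_name: str
    procid: Optional[str]
    msgid: Optional[str]
    structured_data: Optional[str]
    msg: Optional[str]

    @property
    def facility_name(self) -> str:
        return FACILITIES[self.facility]

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]

    @property
    def selector(self) -> str:
        """The 'facility.severity' selector keyword pair this message matches, e.g. auth.crit."""
        return f"{self.facility_name}.{SEVERITY_KEYWORDS[self.severity]}"


def pri_value(facility: int, severity: int) -> int:
    """Encode PRI: <34> is facility 4 (auth) * 8 + severity 2 (Critical)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri: int) -> Tuple[int, int]:
    """Split PRI back into (facility, severity); valid PRI values are 0-191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0-191")
    return divmod(pri, 8)


def parse_rfc5424(line: str) -> SyslogMessage:
    """Parse one RFC 5424 line; raise ValueError on anything that does not match the grammar."""
    m = RFC5424.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not an RFC 5424 message: {line!r}")
    facility, severity = decode_pri(int(m["pri"]))
    nil = lambda field: None if field == "-" else field  # noqa: E731
    return SyslogMessage(
        facility, severity, int(m["version"]), m["timestamp"], m["hostname"], m["app"],
        nil(m["procid"]), nil(m["msgid"]), nil(m["sd"]), m["msg"],
    )


def select(lines: List[str], keyword: str) -> List[SyslogMessage]:
    """Mimic a '*.<keyword>' selector: keep messages at that severity or more severe."""
    threshold = SEVERITY_KEYWORDS.index(keyword)
    return [m for m in map(parse_rfc5424, lines) if m.severity <= threshold]


# Constructed sample lines (not captured from a real host); the first is the tutorial's example.
SAMPLE_LINES = [
    "<34>1 2022-10-03T10:30:35.004Z linuxhint su - ID12 - 'su root' failed for linuxhint on /dev/pts/4",
    "<165>1 2022-10-03T10:30:36.000Z linuxhint evntslog 1023 ID47 "
    '[exampleSDID@32473 iut="3" eventSource="Application"] An application event',
    "<13>1 2022-10-03T10:30:37.000Z linuxhint logger 2048 - - test message from the client",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        parsed = parse_rfc5424(sample)
        print(f"{parsed.selector:<16} {parsed.hostname} {parsed.app_name}: {parsed.msg}")
```

Run it to see each sample reduced to its selector, host, application and message; feeding it a line that is not RFC 5424 (for example an RFC 3164 line without the version field) raises ValueError rather than guessing.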

Working with syslog

Every system generates logs for events such as an application that exits unexpectedly. On the local computer these logs are stored under /var/log; list that directory with the ls command to see the individual log files and subdirectories.

In that listing you will find a file named syslog, which holds the general system log on Ubuntu/Debian systems. On Red Hat based systems the equivalent file is /var/log/messages.

To follow the system log in real time, open it with tail -f. On Debian/Ubuntu use the following command.

$ sudo tail -f /var/log/syslog

On client machines, the rules that decide where syslog messages go live in the rsyslog configuration file, /etc/rsyslog.conf, and in the drop-in files under /etc/rsyslog.d/. You edit this configuration to make a computer forward its logs to a specific syslog server.

Working with the rsyslog configuration file

You can view this configuration file with an editor of your choice. Let's open it with the nano editor.

$ sudo nano /etc/rsyslog.conf

The file loads input modules, sets global directives and then lists rules, each consisting of a selector (facility.severity) followed by an action such as a file to write to.

All the rules defined for your syslog are in this file, including, on a client, the address of the syslog server to forward to. Let's set up a syslog server on a remote computer and send it the logs from our client computer.

Configure a syslog server

In this example the server runs Ubuntu 22.04.

First, make sure rsyslog is installed by checking its version. If it is not installed, install the rsyslog package with apt.

$ rsyslogd -v

Next, open the rsyslog configuration file with the nano editor.

$ sudo nano /etc/rsyslog.conf

Locate the commented-out module and input lines for the UDP and TCP listeners (module(load="imudp") and input(type="imudp" port="514"), plus their imtcp counterparts) and uncomment them by deleting the leading #. Then add the following template and rule so that each sending host's messages are written to a file named after it. The *.* selector matches every facility and severity, so the server's own messages are written there too, not only the clients'.

$template FILENAME,"/var/log/%HOSTNAME%/syslog.log"

*.* ?FILENAME

After editing the configuration file, restart rsyslog.

$ sudo systemctl restart rsyslog.service

The final step is to verify that rsyslog is up and listening on port 514 for both UDP and TCP. Use the following command to check (ss accepts the same flags if netstat is not installed).

$ sudo netstat -pnltu
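As an added example, not part of the original tutorial, the same server configuration written as a self-contained drop-in file in rsyslog's RainerScript syntax, with two changes a practitioner would want over the $template and *.* rule above: remote messages go through their own ruleset so they do not also land in the server's local /var/log/syslog, and the client-supplied %HOSTNAME% is sanitised before it is used as a directory name, because a client can put anything in that header field. The file name and the /var/log/remote path are assumptions.

```conf
# /etc/rsyslog.d/10-remote-server.conf  (file name is an assumption; every file in rsyslog.d is read)
# Accept remote messages on UDP and TCP 514 and give every sending host its own file.
module(load="imudp")
module(load="imtcp")

# %HOSTNAME% is copied from the client's message header, so the client controls it.
# secpath-replace turns each '/' in it into '_' so a crafted hostname such as "../../etc"
# cannot walk out of /var/log/remote.  Use %FROMHOST-IP% instead if you would rather name
# files after the address the message actually came from.
template(name="RemoteHostFile" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/syslog.log")

# A separate ruleset keeps remote messages out of this server's own /var/log/syslog,
# which the distribution's default rules (in the default ruleset) would otherwise receive.
ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteHostFile"
           dirCreateMode="0750" fileCreateMode="0640")
}

# Bind both listeners to that ruleset instead of the default one.
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
```

Check the file with sudo rsyslogd -N1 before restarting the service; the check parses the whole configuration and reports the line of any mistake. Note that the UDP listener still accepts datagrams from any source address, so on an untrusted network restrict port 514 with a host firewall to the clients you expect.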

Configure the client

On the client machine, verify that rsyslog is present by checking its version (rsyslogd -v), then open the rsyslog configuration file.

$ sudo nano /etc/rsyslog.conf

Once it is open, add a rule with your server's IP address in the following format. The two @ signs mean the messages are forwarded over TCP; a single @ would forward them over UDP.

*.* @@<your-server-ip>:514

Restart rsyslog and enable it so that it starts at boot.

$ sudo systemctl restart rsyslog

$ sudo systemctl enable rsyslog
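The forwarding rule can also be written as a full omfwd action, which is where buffering is configured. This is an added example, not from the original tutorial: a drop-in file for the client whose queue settings keep messages on local disk while the server is unreachable. Without them rsyslog uses a direct, unqueued action that gives up after its first failed retry and discards messages until the server is back. The file name and the address 192.0.2.10 are placeholders; queue.filename relies on the $WorkDirectory that the Ubuntu default rsyslog.conf already sets to /var/spool/rsyslog.

```conf
# /etc/rsyslog.d/90-forward.conf on the client (the file name is an assumption)
# Same effect as the one-liner  *.* @@192.0.2.10:514  but as an explicit omfwd action,
# which is the form that accepts queue parameters.  192.0.2.10 stands for your server.
# queue.type/queue.filename make the queue disk-assisted: messages spill to $WorkDirectory
# when the in-memory part fills; saveOnShutdown flushes it to disk across restarts;
# resumeRetryCount=-1 keeps retrying the server instead of dropping messages.
*.* action(type="omfwd" target="192.0.2.10" port="514" protocol="tcp"
           queue.type="LinkedList"
           queue.filename="fwd_remote"
           queue.saveOnShutdown="on"
           queue.maxDiskSpace="1g"
           action.resumeRetryCount="-1")
# The transport is still cleartext TCP: anyone on the path can read or inject messages.
```

After restarting rsyslog you can stop the server for a minute, generate messages on the client, and watch them arrive in the client's file on the server once it is back, which is the behaviour the plain @@ rule does not give you.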

Let's test the setup by logging a message on the client (the logger utility generates a syslog message from the command line); it should then appear on the server.

On the server, follow the client's file under /var/log/<client-hostname>/ with tail -f. When the message you logged on the client shows up there, the remote syslog server is working.
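What the test step puts on the wire can be reproduced by hand, which also shows why the hostname the server files a message under is only as trustworthy as the client that sent it. The following added Python example (not part of the original tutorial) builds an RFC 5424 message with the PRI computed from facility and severity, sends it once as a UDP datagram (the @ form) and once over TCP with the newline framing imtcp expects (the @@ form), and uses a throw-away listener on 127.0.0.1 as a stand-in server so that it runs offline. The function names and the constructed message are mine; point send_udp or send_tcp at a real server's address to use them as a test client.

```python
"""Put an RFC 5424 message on the wire the way a syslog client does, over UDP and TCP.

A throw-away receiver bound to 127.0.0.1 stands in for the syslog server so the
script runs offline.
"""
import socket
import threading
from datetime import datetime, timezone


def build_message(facility: int, severity: int, hostname: str, app: str, msg: str,
                  procid: str = "-", msgid: str = "-") -> str:
    """Assemble PRI + RFC 5424 header + message.  Every header field, hostname included,
    is chosen by the sender; a server sees only what the client wrote."""
    pri = facility * 8 + severity
    ts = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    return f"<{pri}>1 {ts} {hostname} {app} {procid} {msgid} - {msg}"


def send_udp(message: str, host: str, port: int) -> None:
    """One datagram per message (the '@' form); the sender never learns whether it arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode("utf-8"), (host, port))


def send_tcp(message: str, host: str, port: int) -> None:
    """Stream transport (the '@@' form) needs a record boundary: imtcp splits on LF."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(message.encode("utf-8") + b"\n")


def _recv_udp(sock: socket.socket, out: dict) -> None:
    data, _peer = sock.recvfrom(65535)
    out["udp"] = data.decode("utf-8")


def _recv_tcp(listener: socket.socket, out: dict) -> None:
    conn, _peer = listener.accept()
    with conn:
        conn.settimeout(5)
        buf = b""
        while not buf.endswith(b"\n"):  # read until the LF that ends the record
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
    out["tcp"] = buf.decode("utf-8").rstrip("\n")


def roundtrip(message: str) -> dict:
    """Deliver `message` to a local stand-in server over both transports; return what it saw."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(1)
    for s in (udp, tcp):
        s.settimeout(5)
    received: dict = {}
    threads = [threading.Thread(target=_recv_udp, args=(udp, received), daemon=True),
               threading.Thread(target=_recv_tcp, args=(tcp, received), daemon=True)]
    for t in threads:
        t.start()
    send_udp(message, "127.0.0.1", udp.getsockname()[1])
    send_tcp(message, "127.0.0.1", tcp.getsockname()[1])
    for t in threads:
        t.join(timeout=5)
    udp.close()
    tcp.close()
    return received


if __name__ == "__main__":
    # Constructed auth.crit test message that deliberately claims a hostname that is not ours.
    test = build_message(4, 2, "not-the-real-host", "su",
                         "'su root' failed for linuxhint on /dev/pts/4")
    for transport, seen in roundtrip(test).items():
        print(f"{transport}: {seen}")
```

Both transports deliver the message byte for byte, including the forged hostname, which is why the server-side template should sanitise %HOSTNAME% or key files on the connection's source address, and why TLS with client certificates is the only way to make the sender's identity mean something.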

Wrap up

This guide presented a hands-on introduction to syslog: how to read a syslog message and how to set up a client-server architecture with rsyslog so that the logs of several machines are consolidated on one server.
