Ubuntu Syslog Configuration Guide

小樊
2025-10-29 16:38:38
Category: Intelligent Operations

Syslog is a critical tool for system logging in Ubuntu, with rsyslog being the default implementation. This guide covers installation, configuration, management, and troubleshooting of rsyslog to help you effectively collect, store, and analyze system logs.

1. Install rsyslog

Most Ubuntu systems come with rsyslog pre-installed. If missing, install it using:

sudo apt update && sudo apt install rsyslog

2. Configure rsyslog

2.1 Main Configuration File

The primary config file is /etc/rsyslog.conf. Use a text editor (e.g., nano) to modify it:

sudo nano /etc/rsyslog.conf

Key settings include:

2.2 Custom Rules in /etc/rsyslog.d/

For modular configurations, add files to /etc/rsyslog.d/ (e.g., myapp.conf). These files override settings in the main config. Example:

sudo nano /etc/rsyslog.d/myapp.conf

Add a rule to redirect logs from a specific program (myapp) to a custom file:

if $programname == 'myapp' then /var/log/myapp.log
& stop

Save the file—changes take effect immediately without restarting the service.

3. Remote Logging Setup

To centralize logs on a remote server, configure rsyslog to send/receive logs via UDP (port 514, default) or TCP (more reliable).

3.1 On the Server (Receive Logs)

Edit /etc/rsyslog.conf to enable the UDP/TCP module and input:

# Load UDP module
module(load="imudp")
input(type="imudp" port="514")

# Load TCP module (needed only if clients forward over TCP)
module(load="imtcp")
input(type="imtcp" port="514")

Save and exit.

3.2 On the Client (Send Logs)

Edit /etc/rsyslog.conf to forward all logs to the server's IP. Use one of the following lines, depending on the transport:

*.* @remote_server_ip:514  # UDP
*.* @@remote_server_ip:514 # TCP (use @@ for TCP)

Save and exit.
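
To audit where a client actually sends its logs, and over which transport, the @ / @@ forwarding lines described above can be pulled out of a config file. This is an added example, not part of the original guide; the function names list_forwards, udp_forwards and sample_conf, the sample addresses and the host name logs.example.net are constructed for illustration.

```shell
#!/bin/sh
# Added example: list legacy-format forwarding rules in rsyslog config text.
# Reads config on stdin, prints "<transport> <host> <port> <selector>".
# Covers only "selector @host[:port]" (UDP) and "selector @@host[:port]" (TCP);
# action(type="omfwd" ...) blocks and @(options) forms are not parsed.
list_forwards() {
    awk '
        /^[ \t]*#/ { next }                    # skip full-line comments
        {
            sub(/[ \t]+#.*$/, "")              # drop trailing comments
            if (NF < 2) next
            t = $2
            if (substr(t, 1, 2) == "@@")     { proto = "tcp"; dest = substr(t, 3) }
            else if (substr(t, 1, 1) == "@") { proto = "udp"; dest = substr(t, 2) }
            else next
            port = "514"                       # port used when none is given
            if (dest ~ /^\[/) {                # bracketed IPv6 literal
                rb = index(dest, "]")
                host = substr(dest, 2, rb - 2)
                rest = substr(dest, rb + 1)
                if (rest ~ /^:[0-9]+$/) port = substr(rest, 2)
            } else {
                n = split(dest, part, ":")
                host = part[1]
                if (n > 1) port = part[2]
            }
            print proto, host, port, $1
        }'
}

# Only the rules that use UDP, which gives no delivery guarantee.
udp_forwards() { list_forwards | awk '$1 == "udp"'; }

# Constructed sample config (documentation addresses, hypothetical host name).
sample_conf() {
cat <<'EOF'
# constructed sample, not from a real host
if $programname == 'myapp' then /var/log/myapp.log
& stop
*.* @192.0.2.10:514  # UDP
auth,authpriv.* @@logs.example.net:6514
kern.* @[2001:db8::5]
EOF
}

sample_conf | list_forwards
```

To check a real host, redirect a config file into the function, for example list_forwards < /etc/rsyslog.conf, and repeat for each file under /etc/rsyslog.d/.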

4. Log Rotation with logrotate

To prevent log files from growing indefinitely, use logrotate (pre-installed). The default config for rsyslog is at /etc/logrotate.d/rsyslog. Example settings:

/var/log/syslog {
    # Rotate daily
    daily
    # Keep 7 old logs
    rotate 7
    # Compress old logs
    compress
    # Skip if log is missing
    missingok
    # Don't rotate empty logs
    notifempty
    # Set permissions for new logs
    create 0640 syslog adm
}

Test the config with:

sudo logrotate -d /etc/logrotate.d/rsyslog  # Dry run
sudo logrotate -f /etc/logrotate.d/rsyslog  # Force rotation

5. Manage rsyslog Service

Use systemctl to control the rsyslog service:

# Check status
sudo systemctl status rsyslog

# Start the service
sudo systemctl start rsyslog

# Stop the service
sudo systemctl stop rsyslog

# Restart after config changes
sudo systemctl restart rsyslog

# Enable auto-start on boot
sudo systemctl enable rsyslog

6. Troubleshooting Common Issues

6.1 Service Not Running

Check the service status and logs:

sudo systemctl status rsyslog
sudo journalctl -u rsyslog -xe  # View detailed logs

6.2 Permission Denied Errors

Ensure log files have correct ownership (typically syslog:adm) and permissions:

sudo chown syslog:adm /var/log/syslog
sudo chmod 0640 /var/log/syslog

6.3 Remote Logging Failing

6.4 Log Files Not Updating

Check if rsyslog is receiving logs by running:

sudo tail -f /var/log/syslog

If no new logs appear, verify client-side configuration and network connectivity.

This guide provides a comprehensive overview of rsyslog configuration on Ubuntu. For advanced use cases (e.g., encrypting logs with TLS), refer to the rsyslog documentation.
