In this article, you will learn how to forward Linux system logs to a remote server using rsyslog.
rsyslog is a robust and versatile logging service found in most Linux distributions. It handles system and application logs efficiently and supports remote log forwarding a key feature for centralised log management, enhanced security, and streamlined monitoring.
Requirements:
- Two Linux systems:
- Client (log sender)
- Server (log receiver)
- rsyslog is installed (default on most distros).
- Root or sudo access on both systems.
- Network connectivity between client and server (open port 514 or custom if using TLS/TCP).
Let us follow the guide:
Step 1: Configure the rsyslog Server to Receive Logs
- Edit the rsyslog Configuration File on the Server
Open the configuration file:sudo nano /etc/rsyslog.conf
Uncomment or add the following lines to enable UDP and/or TCP reception:
# For UDP: module(load=“imudp”) input(type=“imudp” port=“514”) # For TCP: module(load=“imtcp”) input(type=“imtcp” port=“514”)
Note: TCP is more consistent than UDP and should be chosen for production environments.
- Create a Rule to Store Remote Logs
Add the following to the bottom of the config or in a new file (e.g., /etc/rsyslog.d/remote.conf):$template RemoteLogs,“/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log” *.* ?RemoteLogs
This stores logs by hostname and program name under /var/log/remote/.
- Restart the rsyslog Service
sudo systemctl restart rsyslog
Ensure rsyslog is listening on port 514:
sudo netstat -tulnp | grep 514
Step 2: Setup the Client to Send Logs to the Remote Server
- Edit the rsyslog Configuration File on the Client
Open the config:sudo nano /etc/rsyslog.conf
Add the following line at the bottom, replacing 192.0.2.10 with your server’s IP:
- UDP (less reliable):
*.* @192.0.2.10:514
- TCP (recommended):
*.* @@192.0.2.10:514
@ = UDP, @@ = TCP
- UDP (less reliable):
- Restart Rsyslog on the Client
sudo systemctl restart rsyslog
Step 3: Test the Configuration
- On the client, make a test log:
logger “Test log message from rsyslog client”
- On the server, check if the message appears:
sudo tail -f /var/log/remote/<client-hostname>/messages.log
Or search recursively:
sudo grep “Test log message” /var/log/remote/ -R
Optional: Enable TLS for Secure Log Transmission
Use gtls or gnutls to configure rsyslog with TLS encryption for increased security, particularly over public networks. In order to use imtcp and omfwd with TLS options, certificates must be generated, and client and server configurations must be changed.
Troubleshooting Tips:
- Ensure no firewalls (like ufw, iptables) block port 514.
- Confirm SELinux or AppArmor isn’t stopping rsyslog operations.
- Check logs on both systems for rsyslog errors:
sudo journalctl -u rsyslog
- Use tcpdump or wireshark to inspect traffic if logs don’t reach the server.
By following the steps above, you can successfully configure a Linux client to forward its logs to a central rsyslog server. This setup is essential for centralised logging, easier troubleshooting, and improved log retention strategies in distributed environments.
Want better control over task logging? Learn How to Create and Manage Cron Logs in Linux