Setting up an rsyslog Server

Dependencies

sudo apt install rsyslog

Optional

sudo apt install curl inxi

I use Micro as my editor. Feel free to substitute it with the editor you want to use.

 

Server setup

 

Choose a TCP port for the syslog server to listen on and, if the server sits behind a router or firewall, forward that port and allow it through. Bear in mind that this listener is plain TCP with no authentication or encryption, so allow only the networks your clients live on rather than exposing the port to the whole internet. Install the dependencies, then elevate yourself and edit the configuration file.

sudo su
cd /etc
micro rsyslog.conf

 

Uncomment these lines (or add them if they are missing). imuxsock and imklog handle local socket and kernel messages and are usually enabled already; imtcp is the module that provides the TCP listener and turns the host into a server.

module(load="imuxsock")
module(load="imklog")
module(load="imtcp")

 

Provide templates for the log location. Each client gets its own log folder, sorted by hostname -> year -> month.

$template Debug,"/var/log/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/debug.log"
$template Error,"/var/log/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/err.log"

The paths can be changed to suit you. Note that %HOSTNAME% is taken from the message the client sends, so each client decides which directory its logs land in; rsyslog's secpath-replace property option (for example %HOSTNAME:::secpath-replace%) replaces any slashes in the value, so a hostname containing slashes cannot select a path outside the intended directory.

 

Route the log input from clients to the correct destinations by applying the templates. The first line writes everything to the debug log; the second additionally writes messages of severity err and above to the error log.

$RuleSet remote
*.* ?Debug
*.err ?Error

 

Bind the ruleset to the TCP listener and start the listener. The port is your choice, i.e. the one you forwarded before. Make sure these two lines are at the end of the file.

$InputTCPServerBindRuleset remote
$InputTCPServerRun 515

 

Save and exit the configuration file, then restart the rsyslog service.

systemctl restart rsyslog

 

Find out the server's public IP address (or use a DNS name instead).

curl ifconfig.me # if you have curl installed
inxi -i # if you have inxi installed

 

Client setup

 

Install the dependencies, then elevate yourself and edit the configuration file.

sudo su
cd /etc
micro rsyslog.conf

 

Add a line that forwards all your syslog messages to the server.

*.*            @@SERVERIP:SERVERPORT

Replace SERVERIP with the server's IP address obtained in step 10 of the server section, or with your server's DNS name, and SERVERPORT with the port set in step 1 of the server section. The double @@ selects TCP; a single @ would send the messages over UDP instead.

Save and exit the configuration file, then restart the rsyslog service.

systemctl restart rsyslog

 

Advanced

Basic Filter Options

Severity Levels

ID  Severity level  Code
0   Emergency       emerg
1   Alerts          alert
2   Critical        crit
3   Errors          err
4   Warnings        warn
5   Notification    notice
6   Information     info
7   Debug           debug

 

Facilities

Facility description                              Code
authentication (login)                            auth
memory-resident scheduler                         cron
resident daemons                                  daemon
kernel                                            kern
printer                                           lpr
sendmail                                          mail
user-initiated processes/apps                     user
used by Cisco equipment and Windows servers       local0-local7
syslog process itself                             syslog

 

Schematics

 

facility.severity            /path/to/logfile

 

Examples

 

mail.*            /var/log/mail.log
cron.err          /var/log/cron_err.log
kern.*            /var/log/kern.log
*.warn            /var/log/warn.log

The directives set in step 6 of the server section may be replaced with any combination of the two tables above. A selector matches the named severity and everything more severe, so *.warn also catches err, crit, alert and emerg, and cron.err catches cron messages at err, crit, alert and emerg.
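To make the matching rule concrete, here is an added example (not from the original page): a POSIX shell function that evaluates a classic facility.severity selector the way syslogd and rsyslog do, using the codes from the two tables above. It goes slightly beyond the page by also accepting the "=" prefix for an exact severity match and the "none" severity, both of which rsyslog supports; the function names are my own.

```shell
#!/bin/sh
# Added example: evaluate a classic "facility.severity" selector the way
# syslogd/rsyslog do. Codes follow the Severity Levels and Facilities tables.

severity_rank() {
  # Numeric severity (0 = most severe), including rsyslog's deprecated aliases.
  case "$1" in
    emerg|panic)  echo 0 ;;
    alert)        echo 1 ;;
    crit)         echo 2 ;;
    err|error)    echo 3 ;;
    warn|warning) echo 4 ;;
    notice)       echo 5 ;;
    info)         echo 6 ;;
    debug)        echo 7 ;;
    *)            return 1 ;;
  esac
}

selector_matches() {
  # $1: selector such as "cron.err", "*.warn", "kern.*", "mail.=info" or "mail.none"
  # $2: facility of the message   $3: severity of the message
  # Returns 0 when the message would be routed by that selector, 1 when not,
  # 2 when the selector or a severity name is malformed.
  case "$1" in *.*) ;; *) return 2 ;; esac
  sel_fac=${1%%.*}
  sel_sev=${1#*.}
  exact=0
  # Facility part: "*" or an exact facility code.
  [ "$sel_fac" = '*' ] || [ "$sel_fac" = "$2" ] || return 1
  # Severity part: "*" takes every priority, "none" excludes the facility,
  # "=sev" matches exactly, plain "sev" matches sev and everything more severe.
  case "$sel_sev" in
    '*')  return 0 ;;
    none) return 1 ;;
    =*)   sel_sev=${sel_sev#=}; exact=1 ;;
  esac
  want=$(severity_rank "$sel_sev") || return 2
  have=$(severity_rank "$3")       || return 2
  if [ "$exact" -eq 1 ]; then
    [ "$have" -eq "$want" ]
  else
    [ "$have" -le "$want" ]
  fi
}
```

For instance, selector_matches 'cron.err' cron crit succeeds because crit (2) is more severe than err (3), while selector_matches 'cron.err' cron warning fails; selector_matches '*.warn' kern emerg succeeds for any facility.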

 

Advanced Filter Options

 

Message Properties (Excerpt)

Property description                                                 Code
actual message                                                       msg
hostname of the message's origin                                     hostname
IP address of the system the message was received from               fromhost-ip
(the nearest relay, not necessarily the original sender)
the "name" part of a syslog tag such as "name[1234]"                  programname

 

Basic Operators

Operator description                                              Operator
checks if property content contains "string"                      contains
checks if property content is precisely equal to "string"         isequal
checks if property content starts with "string" (faster than      startswith
regex)
evaluates property content against POSIX BRE "regex"              regex
evaluates property content against POSIX ERE "regex"              ereregex

 

Expression Operators

Operator description                               Operator
designation of (sub-)expressions                   (insert-expression-here)
only to be used within expressions in parentheses  not
arithmetics                                        *, /
string concatenation                               +, -, &
evaluation type 1                                  ==, !=, <>, <, >, <=, >=
evaluation type 2                                  contains 'insert-string-here',
                                                   startswith 'insert-string-here'
expression chaining                                and, or

 

Schematics

 

Basic

 

:property, compare-operation, "value"

 

:property, !compare-operation, "value" # negated

 

Expressive

 

if (insert-expression-here) then /path/to/logfile

 

if $property == 'insert-value-here' then /path/to/logfile

 

Examples

 

Basic

 

The first line discards all output that is not from systemd (the trailing ~ is the legacy discard action; newer configurations use stop instead), so the second line sends everything remaining, i.e. only systemd log output, to the logfile.

:programname, !isequal, "systemd" ~
*.*            /path/to/logfile

 

Same as above, but with a specific hostname. source is an alias for hostname.

:source, !isequal, "vps-hostname" ~
*.*            /path/to/logfile

 

Expressive

 

Same as the previous entry, but the expressive way.

if $source == 'vps-hostname' then /path/to/logfile

 

Logs only messages from facility local0 that start with DEVNAME and do not contain error0 or error1 in the msg content.

if $syslogfacility-text == 'local0' and $msg startswith 'DEVNAME' and not ($msg contains 'error1' or $msg contains 'error0') then /path/to/logfile

 

Automated Deployment

 

This script is an all-in-one solution for enabling your client(s) to send their syslog to your server.

 

#!/bin/bash
#########################################################################
# Copyright (C) 2020 Akito <the@akito.ooo>                              #
#                                                                       #
# This program is free software: you can redistribute it and/or modify  #
# it under the terms of the GNU General Public License as published by  #
# the Free Software Foundation, either version 3 of the License, or     #
# (at your option) any later version.                                   #
#                                                                       #
# This program is distributed in the hope that it will be useful,       #
# but WITHOUT ANY WARRANTY; without even the implied warranty of        #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the          #
# GNU General Public License for more details.                          #
#                                                                       #
# You should have received a copy of the GNU General Public License     #
# along with this program.  If not, see <http://www.gnu.org/licenses/>. #
#########################################################################

## Requires root permissions.
## Takes IPv4 address (or hostname) + port as 2 arguments.
## Installs `rsyslog` package from standard APT repository.
## Replaces old syslog server address with the given one.
## Prettifies `rsyslog.conf` by removing redundant
## newlines at EOF.


if [[ "$EUID" != 0 ]]; then
  ## Check your privilege.
  echo "Please run me as root."
  exit 1
  ## The braces in the next test matter: `||` binds looser than `&&`, so
  ## without them a hostname-shaped first argument would bypass the
  ## argument-count and port checks entirely.
elif [[ $# == 2 ]]                                                    \
  && [[ $2 =~ ^[0-9]{2,5}$ ]]                                         \
  && { [[ $1 =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]   \
       || [[ $1 =~ ^[0-9A-Za-z]*\.?[0-9A-Za-z]+\.[A-Za-z]+$ ]]; }
then
  serverip=$1
  serverport=$2
  config=/etc/rsyslog.conf
  apt-get install -y rsyslog > /dev/null
else
  echo "Please provide your desired server IP and port."
  echo "As root user, like this:"
  echo "$0 10.15.10.23 515"
  exit 1
fi

truncEmpty() {
  ## Remove redundant newlines at EOF. Leave only a single one.
  if [ -s "${config}" ]; then
    while [[ $(tail -n 1 "${config}") == "" ]]; do
      truncate -cs -1 "${config}"
    done
  else
    echo "File does not exist or is empty."
    exit 1
  fi
}

## Remove previous entries.
## IFS= keeps indentation intact, the `|| [[ -n $line ]]` keeps a final line
## without a trailing newline, printf is safe for lines starting with "-", and
## a temp file beside the config (instead of "o" in the current directory)
## keeps the original file permissions.
tmp=$(mktemp "${config}.XXXXXX")
chmod --reference="${config}" "${tmp}"
while IFS= read -r line || [[ -n $line ]]; do
  [[ ! $line =~ "*.*            @@" ]] && printf '%s\n' "$line"
done < "${config}" > "${tmp}"
mv "${tmp}" "${config}"

# Append updated server address.
truncEmpty
printf '\n'                                                   >> "${config}"
printf '*.*            @@%s:%s' "${serverip}" "${serverport}" >> "${config}"
printf '\n'                                                   >> "${config}"
truncEmpty

systemctl restart rsyslog

exit 0

 

Now all you have to do is download the script, look it over, make it executable and run it as root, like this:

wget -q https://raw.githubusercontent.com/theAkito/redparrot-src/master/how2rsyslogserver/logdeploy.sh
chmod +x logdeploy.sh
sudo ./logdeploy.sh 15.12.15.11 1234 # obviously to be replaced with your ip/port
rm logdeploy.sh

 

Note that it removes all existing remote-destination entries before adding the new one. If you want to add more than one syslog server with this script, comment out the "Remove previous entries." code block.
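The two regular expressions in the script accept values such as 999.999.999.999 or a port of 99999, which rsyslog only rejects later, at restart time. As an added example that is not part of the script or the page, the POSIX shell functions below check an IPv4 address octet by octet, a hostname label by label, and a port against the 1-65535 range; they could replace the elif test. The function names are my own.

```shell
#!/bin/sh
# Added example: strict validation of the <server> <port> arguments.
# Not part of the deployment script above; function names are mine.

valid_port() {
  # Digits only, at most five of them, within 1..65535.
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ ${#1} -le 5 ] || return 1
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {
  # Four dot-separated decimal octets, each 0-255, no leading zeros.
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  ipv4_ifs=$IFS; IFS=.
  set -- $1
  IFS=$ipv4_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] || return 1
    case "$octet" in 0[0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

valid_hostname() {
  # RFC 1123 style: labels of letters, digits and hyphens (1-63 chars each),
  # no label starting or ending with a hyphen, whole name at most 253 chars.
  case "$1" in
    ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
  esac
  [ ${#1} -le 253 ] || return 1
  host_ifs=$IFS; IFS=.
  set -- $1
  IFS=$host_ifs
  for label in "$@"; do
    [ ${#label} -le 63 ] || return 1
  done
  return 0
}

valid_target() {
  # A value made only of digits and dots must be a real IPv4 address;
  # anything else is judged as a hostname.
  case "$1" in
    *[!0-9.]*) valid_hostname "$1" ;;
    *)         valid_ipv4 "$1" ;;
  esac
}
```

Wiring these in would replace the regex tests with valid_target "$1" && valid_port "$2", and the usage message stays the same.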