I needed a centralized logging server to consolidate all server logs. To streamline and ease the process of installation, configuration, and documentation, I decided to use Ubuntu Server 12.04 LTS, as it is what most of our non-Windows based systems are currently running.

While this How-To is written specifically for Ubuntu Server 12.04 LTS, the following steps may be used to successfully configure a Syslog Server on other Linux/Unix based systems.

Step 1: Install Ubuntu Server 12.04 LTS

Install and configure Ubuntu Server 12.04 LTS.

Step 2: Edit the rsyslog.conf file to allow the submission of system logs from clients.

Use your favorite editor to make the following changes to the rsyslog.conf file (I prefer vim):

sudo vim /etc/rsyslog.conf

Uncomment the following lines so rsyslog loads the UDP input module and listens on port 514/udp:

$ModLoad imudp
$UDPServerRun 514

Note that this listens on every interface, and that syslog over UDP has no authentication or encryption: any host that can reach port 514 can inject messages, so restrict the port to your client networks with a firewall.

At the bottom of the file add a template that names each log file after the sending host and program, followed by an action line that actually uses it. Without the action line the template is defined but never applied, and remote messages keep going to /var/log/syslog:

$template TmplAuth,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?TmplAuth

Use straight double quotes; typographic quotes copied from a web page will not be parsed. %HOSTNAME% is the hostname field of each received message as the client wrote it; if you prefer directories named by the sender's IP address, use %fromhost-ip% instead of %HOSTNAME%.

Step 3: Change permissions of the /var/log directory

On Ubuntu rsyslog drops privileges to the syslog user, so it needs to be able to create the per-host sub-directories and files:

cd /var && sudo chown syslog:syslog log

Be aware that this gives the syslog user ownership of all of /var/log, including files other services write there as root. If you would rather not do that, create a dedicated directory such as /var/log/remote owned by syslog:syslog and point the template at it instead.

Step 4: Restart the rsyslog service

Save the changes made to the rsyslog.conf file and restart the rsyslog service.

sudo service rsyslog restart

Step 5: Configure clients to send logs to your newly configured Syslog server.

For all *nix-based clients you will need to edit the rsyslog.conf or syslog.conf file and add the following line (x.x.x.x being the IP address of your syslog server):

Ubuntu/Debian:
sudo vim /etc/rsyslog.conf

*.* @x.x.x.x

(A single @ sends over UDP. rsyslog also accepts @@x.x.x.x for TCP, but then the server must load imtcp and listen with $InputTCPServerRun as well.)

CentOS/Fedora/RHEL:
sudo vim /etc/syslog.conf

(RHEL/CentOS 5 and older; RHEL/CentOS 6 and newer ship rsyslog, so edit /etc/rsyslog.conf instead.)

*.* @x.x.x.x

FreeBSD/BSD variants:
sudo vim /etc/syslog.conf

Uncomment the following line:
*.* @logserver (replace "logserver" with x.x.x.x)

Step 6: Restart the rsyslog/syslog service on the newly configured client

Ubuntu/Debian:
sudo service rsyslog restart

CentOS/Fedora/RHEL:
sudo /etc/init.d/syslog restart (RHEL/CentOS 5; on 6 and newer use sudo service rsyslog restart)

FreeBSD/BSD variants:
sudo /etc/rc.d/syslogd restart

Step 7: Verify logs are being sent to your syslog server

On your syslog server check the /var/log directory to see whether a directory has been created for each client. A quick way to drive this is to use the logger utility on a client with a distinctive tag and message, then look for that tag's file under the client's directory on the server. If no client directories appear, check whether the messages are landing in /var/log/syslog instead; that means the template action line from Step 2 is missing.

cd /var/log && ls

Step 8: (Optional Step) Configure Windows-based clients

Unfortunately, Windows-based systems do not natively play nice with Syslog servers. However, you can install an agent-based service called “Snare” to manage and export log files to your Syslog server.

SNARE: Snare Lite (SIEM & Logging Software) download | SourceForge.net

SNARE installation and configuration: http://winsrvtuts.com/2011/12/configure-windows-for-syslog-using-snare/

At this point your Syslog server should be receiving log files from clients and storing them in associated directories under “/var/log”.


I had to open port 514 as it wasn’t listening by default.

Which distribution were you configuring the syslog server on? (for future reference)

I was configuring on Ubuntu Server 12.04 LTS. Note that I added UFW to make opening and closing ports as simple as possible but it doesn’t come standard with it.

Interesting, all of the systems that I configured rsyslog on were Ubuntu 12.04.4 LTS and I didn’t have to open any ports. Did you configure it to send data using TCP instead of UDP?

Hey Will,

I am not great with *nix commands so this could be my fault here. I am stuck on the piece where we need to change perms on the /var/log directory. I enter the following as stated above:

$ cd /var && sudo chown syslog:syslog log

and get this error back as if I am missing one piece or command

[chown: missing operand after ‘syslog:syslog.log’ try ‘chown --help’ for more info]

I cannot find any good help on this one.

Thanks-
Nigel

It looks like you may have accidentally put a period after “syslog:syslog”, causing the log directory to be interpreted as part of the group.

The command: “sudo chown syslog:syslog log” is changing ownership of the /log directory to the user “syslog”, and the group “syslog”. (user:group)

“sudo chown syslog:syslog /var/log” should work as well (without the quotes)

Doing “man chown” at the command line will give you a thorough explanation of the command.

OK, that was it exactly! Brain was forcing me to type the DOT before the word log…doh!

Thanks for the fast reply man. Now I’m off to setup some clients.

Nigel

Ha! Typos happen… Good luck with your setup and happy logging!

I just followed this guide using 14.01 and it works beautifully. You're a lifesaver!

I encountered one problem with Ubuntu 12.04. I did the steps and do not feel guilty, but I cannot find the client log file anywhere. And I have one question: in "/var/log/%HOSTNAME%/%PROGRAMNAME%.log", do HOSTNAME and PROGRAMNAME need to be replaced with something, or are they kept as they are?

In your server’s rsyslog.conf file it needs to be entered exactly as seen above:

$template TmplAuth,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"

The syslog server should receive data from the client and populate it automatically, creating a new directory for the client for which it is receiving logs from.

I got a strange result!

ls /var/log
drwxr-xr-x 2 syslog syslog 4096 Nov 7 15:47 %HOSTNAME%

Why are %HOSTNAME% and %PROGRAMNAME%.log not replaced with real names???

If I want to replace %HOSTNAME% with the IP of my server, how do I do that?

@caouy

I’m not sure how you would accomplish that. It doesn’t seem that there is an option in the rsyslog Templates that allows for naming files by IP Address.

man rsyslogd and man rsyslog.conf will show you all available options/configurations.

If there isn’t a solution directly within rsyslogd, you may be able to write a short bash script that cycles through your /var/log directory, does a reverse lookup according to the hostname on log files, and then renames the logfiles with the IP Address that it pulls from the reverse-lookup. You would then set that script as a cron job and have it run on an appropriate interval.

@ronaldwiplinger

Sorry, I just now saw your comment. It sounds like you may have an issue with DNS configuration on your syslog server. Make sure your network’s DNS servers and search zone is showing up in your /etc/resolv.conf file. If you do not have a DNS server for your local network you may look into implementing one, or entering the hosts that you are wanting to pull logs for in your syslog server’s host file.

@Will224
Thank you very much , this is also a good idea :slight_smile:

I followed your steps as you mentioned, but I made two VMs, one as the syslog server and the other as the client. I also configured the DNS settings in my syslog server VM, and both VMs can ping each other, but I have had no success getting logs. Is there anything extra I have to do? Any help? Thanks in advance.

@Will224
$template TmplAuth,"/var/log/%fromhost-ip%/%PROGRAMNAME%.log"
Replacing HOSTNAME with fromhost-ip worked for me, thank you :slight_smile:
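As an added example (written for this edit, not code from the original post or from rsyslog itself), the following Python script models what the template from Step 2 and the %fromhost-ip% variant above do with a received message. The template name TmplAuth comes from the post; the config snippets, hostnames, addresses and log lines are constructed for the example. It flags a template that is defined but never bound with an action line (the reason logs end up in /var/log/syslog), flags typographic quotes, parses RFC 3164 messages into the fields the template properties are built from, and shows that a hostname chosen by the sender can try to steer the log file out of /var/log, which naming directories by %fromhost-ip% avoids.

```python
"""Added example, not code from the original post or from rsyslog: a small
model of how a $template such as "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
turns a received syslog message into a file path. Configs and messages
below are constructed for the example."""
import re
from pathlib import PurePosixPath

# Legacy directive:  $template Name,"text"   (straight quotes only)
TEMPLATE_RE = re.compile(r'^\s*\$template\s+(\w+)\s*,\s*"([^"]*)"', re.M)
# Legacy action that uses a template:  *.* ?Name
BINDING_RE = re.compile(r'^\s*\S+\s+\?(\w+)\s*$', re.M)
# RFC 3164 layout:  <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: message
MSG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$')
# Template property name (case-insensitive) -> parsed field it is built from
PROPS = {"hostname": "host", "programname": "tag", "fromhost-ip": "fromhost-ip"}


def templates_in(conf):
    """{name: template string} for every $template line in conf."""
    return {m.group(1): m.group(2) for m in TEMPLATE_RE.finditer(conf)}


def unbound_templates(conf):
    """Templates defined but never used by a '... ?Name' action. Such a
    template does nothing; remote messages stay in the default files."""
    return set(templates_in(conf)) - set(BINDING_RE.findall(conf))


def smart_quoted_lines(conf):
    """Lines containing typographic quotes pasted from a web page; the legacy
    parser only recognises straight double quotes around the template."""
    return [ln for ln in conf.splitlines() if "\u201c" in ln or "\u201d" in ln]


def parse(raw, fromhost_ip):
    """Split one RFC 3164 message into fields. fromhost_ip is the UDP source
    address the server saw; the hostname field is whatever the sender wrote."""
    m = MSG_RE.match(raw)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % raw)
    fields = m.groupdict()
    fields["fromhost-ip"] = fromhost_ip
    return fields


def render(template, fields):
    """Substitute %property% markers the way the template would."""
    def sub(m):
        key = PROPS.get(m.group(1).lower())
        if key is None:
            raise KeyError("property not modelled here: %s" % m.group(0))
        return fields[key]
    return re.sub(r'%([\w-]+)%', sub, template)


def safe_path(rendered, root="/var/log"):
    """Refuse a rendered path that escapes root. Anyone who can reach 514/udp
    chooses %HOSTNAME%, so it may contain '/' or '..'."""
    p = PurePosixPath(rendered)
    if ".." in p.parts or not str(p).startswith(root + "/"):
        raise ValueError("template rendered outside %s: %s" % (root, rendered))
    return str(p)


# Constructed configs: the first defines TmplAuth but never binds it.
CONF_BROKEN = ('$ModLoad imudp\n$UDPServerRun 514\n'
               '$template TmplAuth,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"\n')
CONF_FIXED = CONF_BROKEN + '*.* ?TmplAuth\n'

BY_HOSTNAME = "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
BY_IP = "/var/log/%fromhost-ip%/%PROGRAMNAME%.log"

# Constructed messages as (raw datagram payload, UDP source address).
SAMPLES = [
    ("<34>Nov  7 15:47:01 web01 sshd[2211]: Accepted publickey for deploy "
     "from 10.0.0.5 port 52211", "10.0.0.7"),
    # Hostname field chosen by a hostile sender to walk out of /var/log.
    ("<13>Nov  7 15:47:02 ../../etc/cron.d su: spoofed hostname", "10.0.0.9"),
]


def file_for(raw, ip, template):
    """Path the template would produce for one message, or a REJECTED marker."""
    try:
        return safe_path(render(template, parse(raw, ip)))
    except ValueError as exc:
        return "REJECTED: " + str(exc)


if __name__ == "__main__":
    print("unbound templates in broken config:", unbound_templates(CONF_BROKEN))
    for raw, ip in SAMPLES:
        print(ip, "by hostname ->", file_for(raw, ip, BY_HOSTNAME))
        print(ip, "by ip       ->", file_for(raw, ip, BY_IP))
```

Running the script directly prints that TmplAuth is unbound in the first config, that the honest message maps to /var/log/web01/sshd.log, and that the spoofed hostname is rejected under the %HOSTNAME% template but lands cleanly under /var/log/10.0.0.9/ with %fromhost-ip%. The same checks can be pointed at a real /etc/rsyslog.conf by reading the file into `unbound_templates` and `smart_quoted_lines`.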

Hi, I am having problems with my rsyslog configuration. Although I am new to *nix, I have followed the steps correctly and made sure my DNS entry is correct. But the configuration does not create specific log directories for the different clients. I realised everything was being written to /var/log/syslog. I am collecting logs for a switch and a WLAN controller, so I want them in separate files. Can you help me out?