
rsyslog Configuration for remote Logging

I want all the network devices in my house to log to a central location, so that log messages can be

  • stored permanently (if I switch off an access point, normally all logs are gone), and
  • automatically checked for interesting events.

So I needed to set up my internal Ubuntu-based server to receive log messages from these devices via the syslog protocol.

My requirements were:

  • Logs from different devices should go into a dedicated file each.
  • Logs from the local machine should not go into any of these files, while the standard Ubuntu logging should continue to be observed.

It took me a while to figure out what the “ultimate” configuration should look like, but here’s the result in case anybody else has similar requirements:

# Define a template for the remote log file
template(name="TmplRemote" type="list") {
    constant(value="/var/log/remote/")
    property(name="hostname" SecurePath="replace")
    constant(value=".log")
}

# provides UDP syslog reception
module(load="imudp")

# provides TCP syslog reception
module(load="imtcp")

ruleset(name="remote"){
    # Filter messages from remote hosts and write to the dedicated file
    if ($fromhost-ip != '127.0.0.1') then {
        action(type="omfile" dynafile="TmplRemote")
    } else {
        # Prevent local messages from being written to the remote log file
        stop
    }
}

input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

Put the above into a file called /etc/rsyslog.d/99-local.conf, create directory /var/log/remote/, then restart rsyslog as follows:

$ sudo systemctl restart rsyslog.service

BTW, in case you wonder about the SecurePath property for the remote host name, this is a security measure.

At home with your own trusted equipment this is not really required. But in “hostile” environments with untrusted traffic it could happen that somebody tries an attack by “crafting” a host name that would then be used as a path name on your logging server, potentially creating files that you didn’t foresee.

Did this help? Then let me know, please.

By Ralf Bergs

Geek, computer guy, licensed and certified electrical and computer engineer, husband, best daddy.

2 replies on “rsyslog Configuration for remote Logging”

Thanks for the clear explanation of setting up rsyslog for remote logging! I especially appreciated the detail on configuring the firewall to allow the traffic. It’s a step that’s easy to overlook and can save a lot of troubleshooting time later on.

Hi, thank you for your comment and the nice words.

I believe you must have misunderstood one aspect from the above instructions, though. There is absolutely *nothing* that would be related to firewall config. 😉

Let me know which part is not 100% clear to you, and I’ll gladly elaborate.

Cheers, Ralf
