Ubuntu/syslog
Managed by rsyslog
See syslog
Remote syslog
Send
Easy:
/etc/rsyslog.d/10-rsyslog.conf:
    *.* @remote.server:514
service rsyslog restart # or systemctl restart rsyslog
Receive
/etc/rsyslog.conf: uncomment the imudp/imtcp module and input lines (see Modified below), then:
    systemctl restart rsyslog
Test:
logger "hello" --server [HOST] --port 514 # or logger "hello" -n [host] -P 514 # or logger "hello" -n [host]
Capture traffic example: [1]
sudo tcpdump -n dst port 514 -v
192.168.0.12.36097 > 192.168.0.11.514: SYSLOG, length: 122 Facility user (1), Severity notice (5) Msg: 1 2021-02-13T18:18:47.193781+00:00 ubuntu ubuntu - - [timeQuality tzKnown="1" isSynced="1" syncAccuracy="284500"] Test
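The message tcpdump decoded above is RFC 5424 syslog. As an added example (not part of the original page), this parser splits such a message into its header fields, PRI facility/severity and structured data; the sample is the captured message with its `<13>` PRI prefix reconstructed from tcpdump's "Facility user (1), Severity notice (5)" decode, and the parser also handles the NILVALUE `-` for absent structured data.

```python
import re
from datetime import datetime

# Wire form of the captured message (constructed: tcpdump strips the PRI field;
# facility user=1, severity notice=5 gives PRI = 1*8 + 5 = 13).
SAMPLE = ('<13>1 2021-02-13T18:18:47.193781+00:00 ubuntu ubuntu - - '
          '[timeQuality tzKnown="1" isSynced="1" syncAccuracy="284500"] Test')

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and optional MSG
HEADER = re.compile(r'^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) '
                    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$', re.S)
SD_ELEMENT = re.compile(r'\[(?P<id>[^ \]]+)(?P<params>(?: [^=\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM = re.compile(r'(?P<name>[^= ]+)="(?P<value>(?:[^"\\]|\\.)*)"')

def nil(field):
    # RFC 5424 uses "-" as the NILVALUE for an absent header field
    return None if field == "-" else field

def parse_syslog(line):
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m["pri"])
    rest, sd = m["rest"], {}
    if rest.startswith("-"):            # STRUCTURED-DATA is NILVALUE
        rest = rest[1:]
    else:
        while rest.startswith("["):     # one or more SD-ELEMENTs
            e = SD_ELEMENT.match(rest)
            if not e:
                raise ValueError("malformed STRUCTURED-DATA")
            sd[e["id"]] = {p["name"]: p["value"] for p in SD_PARAM.finditer(e["params"])}
            rest = rest[e.end():]
    msg = rest[1:] if rest.startswith(" ") else (rest or None)
    return {
        "facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
        "version": int(m["ver"]),
        "timestamp": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "hostname": nil(m["host"]), "appname": nil(m["app"]),
        "procid": nil(m["procid"]), "msgid": nil(m["msgid"]),
        "structured_data": sd, "msg": msg,
    }
```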
To have each system store in a separate file: [2]
    input(type="imtcp" port="514")
    $template RemInputLogs, "/var/log/remotelogs/%FROMHOST-IP%/%PROGRAMNAME%.log"
    *.* ?RemInputLogs
I like /var/log/remote
/var/log/remotelogs or /var/log/remote
Modified:
    #################
    #### MODULES ####
    #################

    module(load="imuxsock") # provides support for local system logging
    module(load="immark")  # provides --MARK-- message capability

    # provides UDP syslog reception
    module(load="imudp")
    input(type="imudp" port="514")

    # provides TCP syslog reception
    module(load="imtcp")
    input(type="imtcp" port="514")

    # provides kernel logging support and enable non-kernel klog messages
    module(load="imklog" permitnonkernelfacility="on")
Before:
    #################
    #### MODULES ####
    #################

    module(load="imuxsock") # provides support for local system logging
    #module(load="immark")  # provides --MARK-- message capability

    # provides UDP syslog reception
    #module(load="imudp")
    #input(type="imudp" port="514")

    # provides TCP syslog reception
    #module(load="imtcp")
    #input(type="imtcp" port="514")

    # provides kernel logging support and enable non-kernel klog messages
    module(load="imklog" permitnonkernelfacility="on")