It is an important need to collect and analyze logs formed in various clients and servers in a common place. For this need, rsyslog is a very efficient tool.
I wanted to create this article because the rsyslog syntax has changed in the Debian 10 (Buster) version compared to the old debian versions (in example Debian 9).
The package can be installed as below for rsyslog:
sudo apt install rsyslog
In the /etc/rsyslog.conf file, the following lines starting with the "#" sign are removed:
module(load="imudp") input(type="imudp" port="514") module(load="imtcp") input(type="imtcp" port="514")
The following line can be added just below which allows you to get logs. The example shows that all devices in the 127.0.0.1 and 10.0.0.0 network can collect logs:
$AllowedSender TCP, 127.0.0.1, 10.0.0.0/24
In addition, various templates can be logged or taken as in the example below:
$template Incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log" *.* ?Incoming-logs
Logs would start to be saved under a single file under /var/log if we did not make the corresponding template settings.
After making the related settings, the service is restarted by saving and checking whether there are any errors in the service:
sudo systemctl start rsyslog sudo systemctl enable rsyslog sudo systemctl status rsyslog
If there is no problem, syslog format logs directed from the rsyslog client from any source can be collected on the server we set up.
I will specify the relevant client settings in the next post.
Qui nescit dissimulare, nescit regnare