How to configure Ubuntu to send messages to a Remote Syslog Server

During incident response you might need to collect logs from Ubuntu systems at a central location, both so they survive if a host is compromised or wiped and so they can be searched together. This article explains how to configure an Ubuntu system to send its logs and messages to a remote syslog server using rsyslog.

Edit /etc/rsyslog.conf and add the following line before the $IncludeConfig /etc/rsyslog.d/*.conf line:

*.* action(type="omfwd" target="192.0.2.2" port="10514" protocol="tcp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000")

With this line, the remote server at 192.0.2.2 receives the logs on TCP port 10514. The conventional syslog port is 514; use whatever port your network configuration and the receiving server require, and make sure the server is actually listening on it (for rsyslog that means the imtcp module loaded with a TCP input on that port).

Check the configuration syntax first (rsyslogd -N1 parses the config without starting the daemon), then restart the rsyslog service for the changes to take effect:

$ sudo service rsyslog restart

If you are using another Ubuntu host as the remote rsyslog server, look in its /var/log directory. With the stock configuration, forwarded messages are appended to the server's own /var/log/syslog alongside its local entries and are distinguishable by the hostname field; per-client log directories are created only if the server's configuration uses a template that splits output by hostname.

$ cd /var/log && ls -l

rsyslog processes actions in order, so without a queue, if the remote system is unreachable, processing blocks at the forwarding action and messages are eventually discarded. The queue and retry parameters in the line above change that:

  • queue.type="linkedList" gives the forwarding action its own in-memory queue, which decouples sending from the other logging actions
  • Local logging therefore does not stall when the remote system is not reachable
  • action.resumeRetryCount="100" makes rsyslog retry the connection 100 times before it discards the queued messages as undeliverable. With the default action.resumeInterval of 30 seconds that is roughly 50 minutes of outage; set it to -1 if messages must never be dropped. queue.size="10000" bounds the in-memory backlog, and a purely in-memory queue is lost if rsyslog restarts while the remote is down, so add queue.filename to make the queue disk-assisted when that matters
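To see what the receiver actually gets, and to verify the framing and priority decoding without a second Ubuntu host, here is an added example that is not part of the original article or of rsyslog. It runs a tiny TCP syslog receiver on a loopback port, sends it constructed log lines in the format rsyslog's omfwd action emits by default (the RSYSLOG_TraditionalForwardFormat template, "<PRI>Mmm dd HH:MM:SS host tag: msg"), and parses each frame into facility, severity, host and tag. Both omfwd framings are handled: LF-terminated (the default) and RFC 6587 octet-counted (what omfwd sends with TCP_Framing="octet-counted"). The sample lines, hostnames and port are assumptions for the demo.

```python
"""Loopback check of what an rsyslog omfwd TCP action delivers.

Added example, not rsyslog code. Assumptions (hypothetical): receiver on
127.0.0.1 with an ephemeral port; client mimics omfwd's default template
"<PRI>Mmm dd HH:MM:SS host tag: msg"; frames are LF-terminated or RFC 6587
octet-counted ("LEN msg"). The sample log lines are constructed.
"""
import re
import socket
import threading

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += ["local%d" % i for i in range(8)]          # facilities 16..23
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# "<PRI>Mmm dd HH:MM:SS host tag: msg"; the day is space padded ("Mar  4").
MSG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+):\s?(?P<msg>.*)$", re.S)

# Constructed sample lines as omfwd would send them; PRI = facility*8 + severity.
SAMPLE_LINES = [
    "<38>Mar  4 10:15:22 ubuntu-host sshd[1234]: Accepted publickey for alice "
    "from 192.0.2.10 port 51234 ssh2",                                  # auth.info
    "<13>Mar  4 10:15:23 ubuntu-host root: test message from logger",  # user.notice
    "<85>Mar  4 10:16:01 ubuntu-host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; "
    "USER=root ; COMMAND=/bin/bash",                                   # authpriv.notice
]


def parse_pri(pri):
    """Split the PRI value into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_message(line):
    """Parse one forwarded message into a dict; None if it does not match."""
    m = MSG_RE.match(line)
    if not m:
        return None
    facility, severity = parse_pri(int(m.group("pri")))
    return {"facility": facility, "severity": severity, "timestamp": m.group("ts"),
            "host": m.group("host"), "tag": m.group("tag"), "msg": m.group("msg")}


def split_frames(buf):
    """Split a TCP byte stream into complete frames; returns (frames, leftover).

    A frame starting with digits and a space is octet-counted ("LEN msg");
    anything else is read up to the next LF. Partial frames stay in leftover
    so the caller can append the next recv() to them.
    """
    frames = []
    while buf:
        m = re.match(rb"(\d+) ", buf)
        if m:
            n, start = int(m.group(1)), m.end()
            if len(buf) - start < n:
                break
            frames.append(buf[start:start + n])
            buf = buf[start + n:]
        else:
            nl = buf.find(b"\n")
            if nl < 0:
                break
            frames.append(buf[:nl])
            buf = buf[nl + 1:]
    return frames, buf


class Receiver:
    """Tiny TCP syslog receiver standing in for the remote rsyslog server."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))
        self.sock.listen(2)
        self.port = self.sock.getsockname()[1]
        self.records = []

    def serve(self, connections):
        """Accept the given number of connections, parsing frames as they arrive."""
        for _ in range(connections):
            conn, _ = self.sock.accept()
            with conn:
                buf = b""
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    buf += chunk
                    frames, buf = split_frames(buf)
                    for frame in frames:
                        self.records.append(parse_message(frame.decode("utf-8", "replace")))
        self.sock.close()


def forward(host, port, lines, octet_counted=False):
    """Send lines the way omfwd does: LF-terminated, or "LEN msg" if octet_counted."""
    with socket.create_connection((host, port), timeout=5) as s:
        for line in lines:
            data = line.encode("utf-8")
            s.sendall(b"%d %s" % (len(data), data) if octet_counted else data + b"\n")


def demo():
    """Run receiver and client over loopback; returns the parsed records in order."""
    rx = Receiver()
    t = threading.Thread(target=rx.serve, args=(2,), daemon=True)
    t.start()
    forward("127.0.0.1", rx.port, SAMPLE_LINES[:2])                      # default framing
    forward("127.0.0.1", rx.port, SAMPLE_LINES[2:], octet_counted=True)  # octet-counted
    t.join(timeout=5)
    return rx.records


if __name__ == "__main__":
    for rec in demo():
        print("%s.%s %s %s: %s" % (rec["facility"], rec["severity"],
                                   rec["host"], rec["tag"], rec["msg"]))
```

Running the script prints one decoded line per record (for example "auth.info ubuntu-host sshd[1234]: Accepted publickey ..."), which is what the "*.*" selector on the client and the hostname field on the server let you filter on. Pointing forward() at a real rsyslog server (imtcp on the port you configured) is a quick way to confirm the server's listener and framing expectations match before relying on it in an investigation.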

A few things to note:

  • Select the protocol best suited to your use case. If in doubt, TCP is a decent choice, and this article uses it. Plain TCP syslog is neither encrypted nor authenticated, so logs that cross an untrusted network should go over TLS (rsyslog supports this on omfwd through the gtls stream driver) or another protected channel
  • The target can be given as a DNS name or an IP address. Use IP addresses for the most robust operation: if you use a DNS name and name resolution fails, forwarding may be disabled for some time

The older legacy syntax below is still accepted, but it is obsolete and the queue and retry settings cannot be expressed on the line itself, so it is not recommended (@@ means TCP; a single @ means UDP):

*.* @@192.0.2.2:10514