
rsyslog

What Is It?

rsyslog is a high-performance log processing system capable of receiving, filtering, and forwarding log messages. It can accept logs from remote systems over TCP/UDP, write them to files or databases, or forward them on to other systems.

Installation

dnf install rsyslog (pre-installed)

Key Files and Directories

Path                 Purpose
/etc/rsyslog.conf    Main configuration
/etc/rsyslog.d/      Drop-in configuration files
/var/log/            Log output directory

Default Ports

Port   Protocol   Purpose
514    TCP/UDP    Syslog — remote log reception

Configuration

rsyslog handles logging on most Linux distributions. It can receive logs locally (from journald), accept logs from remote systems over the network, and write them to files. The default CentOS 9 configuration pulls logs from journald and writes them to /var/log/.

For centralised logging, rsyslog can act as both a log receiver (ingesting logs from other machines) and a log transmitter (sending logs to a central server).

Minimal Working Configuration

1. Enable TCP log reception — edit /etc/rsyslog.conf:

# Uncomment/add these lines:
module(load="imtcp")
input(type="imtcp" port="514" name="remote")

This makes rsyslog accept incoming logs on port 514/tcp. The name="remote" value is what the $inputname property later holds, so it can be used to route received logs separately from local logs.

2. Create a template for incoming logs — create /etc/rsyslog.d/01-receiving.conf:

$template DynamicFile,"/var/log/%HOSTNAME%/forwarded-logs.log"

if $inputname == "remote" then {
    *.* -?DynamicFile
}

This matches all logs with input name remote and writes them to /var/log/<sending_hostname>/forwarded-logs.log, keeping remote logs separated from local logs by hostname.

3. Open the firewall port:

firewall-cmd --permanent --add-port=514/tcp
firewall-cmd --reload

4. Restart rsyslog:

systemctl restart rsyslog

5. Sending logs to a remote server — add to /etc/rsyslog.conf on the sending machine:

# Forward all logs to remote server via TCP
*.* @@<remote_server_hostname>:514

The @@ prefix means TCP; a single @ would use UDP.

Important Directives

module(load="imtcp")
Loads the TCP input module, allowing rsyslog to accept logs over TCP.
input(type="imtcp" port="514" name="remote")
Opens port 514 for TCP log reception. The name parameter tags incoming logs for later filtering.
$template
Defines an output template. DynamicFile creates file paths dynamically using rsyslog properties like %HOSTNAME%.
$inputname
A property that holds the name of the input module that received the log message. Used to distinguish remote logs from local logs.
*.* -?DynamicFile
Routes all facilities and severities (*.*) to the dynamic template. The - prefix means asynchronous writing (better performance). The ? references a template name.
@@ vs @
@@hostname:port forwards logs over TCP; @hostname:port forwards over UDP. TCP is preferred for reliability.
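The receiver side of steps 1 and 2 above, written as a single drop-in file in rsyslog's current object syntax, as an added example (not configuration from this page or from the rsyslog project). It assumes the same port and log path as the page; the ruleset name and file modes are illustrative. It differs from the page's version in two practitioner-relevant ways: the listener is bound to its own ruleset so no $inputname test is needed, and the hostname taken from the message is sanitised before it is used in a path.

```conf
# /etc/rsyslog.d/01-receiving.conf  (added example; replaces the imtcp lines
# in /etc/rsyslog.conf and the $template file from steps 1 and 2)
module(load="imtcp")

# Bind the listener to its own ruleset. Messages from this input are then
# processed only by the rules below and never by the local rules in
# /etc/rsyslog.conf, so the "$inputname == \"remote\"" test is unnecessary.
input(type="imtcp" port="514" name="remote" ruleset="remote")

# %HOSTNAME% is whatever the sender wrote into the message header, so it is
# untrusted input that ends up in a file path. The secpath-replace option
# rewrites any "/" that reaches the property as "_", so a hostname value
# cannot steer the output file out of /var/log/.
# (%FROMHOST-IP% would key the directory on the TCP peer address instead.)
template(name="DynamicFile" type="string"
         string="/var/log/%HOSTNAME:::secpath-replace%/forwarded-logs.log")

ruleset(name="remote") {
    # Equivalent of the page's "*.* -?DynamicFile" line: every facility and
    # severity goes to the dynamic file. Modes are assumed values that keep
    # the per-host directories unreadable to other local users.
    action(type="omfile" dynaFile="DynamicFile"
           dirCreateMode="0750" fileCreateMode="0640")
}
```

Validate with rsyslogd -N1 before restarting; loading imtcp here and again in /etc/rsyslog.conf is reported as an error.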

Common Commands

# Check rsyslog status
systemctl status rsyslog

# Restart after configuration changes
systemctl restart rsyslog

# Test sending a log message locally
logger "Test message from $(hostname)"

# Test sending a log message to a remote server
logger --server <hostname> --port 514 --tcp "Test remote log"

# View received logs
ls /var/log/*/forwarded-logs.log
cat /var/log/<hostname>/forwarded-logs.log

# Check rsyslog configuration syntax
rsyslogd -N1

# View local system logs
journalctl -xe
tail -f /var/log/messages

Logging and Debugging

  • rsyslog errors: Check journalctl -u rsyslog for daemon errors after configuration changes.
  • Configuration validation: Run rsyslogd -N1 to check for syntax errors before restarting.
  • Received logs: Remote logs appear in /var/log/<sending_hostname>/forwarded-logs.log (based on the dynamic template).
  • Local logs: /var/log/messages (general), /var/log/secure (authentication), /var/log/maillog (mail).
  • logger utility: Use logger to send test messages both locally and to remote servers to verify the pipeline works.

Troubleshooting checklist:

  1. systemctl status rsyslog — is rsyslog running without errors?
  2. rsyslogd -N1 — does the configuration validate?
  3. firewall-cmd --list-ports — is port 514/tcp open?
  4. ss -tlnp | grep 514 — is rsyslog listening on port 514?
  5. logger --server <host> --port 514 --tcp "test" — does the test log arrive?
  6. ls /var/log/*/forwarded-logs.log — are log files being created per hostname?

Security Considerations

  • Firewall: Only open port 514 if you need to receive remote logs. Restrict source IPs if possible.
  • TCP over UDP: Use TCP (@@) for log forwarding — it provides reliable delivery. UDP logs can be silently lost.
  • Log integrity: rsyslog does not encrypt logs in transit by default. For sensitive environments, configure TLS encryption using the gtls stream driver.
  • Disk space: Centralised logging can consume significant disk space. Monitor /var/log/ usage and implement log rotation with logrotate.
  • SELinux: rsyslog runs under SELinux confinement. If writing to non-standard paths, ensure correct SELinux contexts.
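The TLS setup that the "Log integrity" point above recommends, shown for both ends of the connection, as an added example (not configuration from this page or from the rsyslog project). Certificate paths, host names and the PermittedPeer pattern are assumed for illustration; port 6514 is the registered syslog-over-TLS port, so the firewall step from the page applies to 6514/tcp rather than 514/tcp.

```conf
### Receiver side: /etc/rsyslog.d/02-tls-receiving.conf (central server)
# Certificate paths and host names below are assumed for illustration.
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/pki/rsyslog/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/pki/rsyslog/logserver-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/pki/rsyslog/logserver-key.pem"
)
# Mode "1" = TLS only (plaintext connections are refused). AuthMode
# "x509/name" makes the server verify the client certificate against the
# CA and require its name to match PermittedPeer, so only hosts holding a
# CA-issued certificate can deliver logs.
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["*.example.internal"])
# Same input name as the page's step 1, so the existing
# "$inputname == \"remote\"" rule in 01-receiving.conf still applies.
input(type="imtcp" port="6514" name="remote")

### Sender side: /etc/rsyslog.d/10-forward-tls.conf (each client)
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/pki/rsyslog/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/pki/rsyslog/client-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/pki/rsyslog/client-key.pem"
)
# The client verifies the server's certificate name as well, so logs cannot
# be redirected to an impostor. The disk-assisted queue keeps messages
# across outages instead of dropping them, and retries indefinitely.
action(type="omfwd" target="logserver.example.internal" port="6514"
       protocol="tcp"
       StreamDriver="gtls" StreamDriverMode="1"
       StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="logserver.example.internal"
       queue.type="LinkedList" queue.filename="fwd_tls"
       queue.saveOnShutdown="on" action.resumeRetryCount="-1")
```

The sender block replaces the plaintext "*.* @@<remote_server_hostname>:514" line from step 5; keep only one of the two so logs are not sent twice.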

Further Reading

  • Concepts: Monitoring
  • SOPs: Monitoring Setup