Configure Rsyslog Centralized Log Server on Ubuntu 24.04 / 22.04

Rsyslog is the default system logging daemon on Ubuntu and most Linux distributions. Beyond local log management, it can act as a centralized log server that collects logs from dozens or hundreds of remote hosts over the network. Centralized logging makes troubleshooting faster, simplifies compliance auditing, and gives you a single place to search when something breaks.

Original content from computingforgeeks.com - post 2675

This guide sets up an rsyslog centralized log server on Ubuntu 24.04, configures remote clients to forward their logs, and organizes incoming logs by hostname and program name. The same steps work on Ubuntu 22.04 with no changes.

How Centralized Rsyslog Works

The architecture is straightforward: one Ubuntu server runs rsyslog configured to listen on port 514 (UDP or TCP). All other servers, switches, and appliances send their syslog messages to this central server. The server stores logs organized by source hostname, making it easy to find logs for any specific host.

  • UDP port 514 – traditional syslog, fire-and-forget (faster but no delivery guarantee)
  • TCP port 514 – reliable delivery with connection tracking (recommended for production)

Most setups enable both protocols since some network devices only support UDP syslog.

Prerequisites

  • An Ubuntu 24.04 or 22.04 server for the centralized log server
  • One or more Linux clients to send logs (any distribution works)
  • Port 514 (TCP and UDP) open between clients and the server
  • Sufficient disk space on the server – centralized logs can grow quickly with many clients

Configure the Rsyslog Server

Rsyslog is pre-installed on Ubuntu 24.04. Verify it is running:

systemctl is-active rsyslog

Check the installed version:

rsyslogd -v | head -2

Ubuntu 24.04 ships rsyslog 8.2312.0:

rsyslogd  8.2312.0 (aka 2023.12) compiled with:
	PLATFORM:				x86_64-pc-linux-gnu

Enable Network Log Reception

Create a configuration file that enables UDP and TCP syslog reception and organizes remote logs by hostname:

sudo vi /etc/rsyslog.d/10-central.conf

Add the following configuration:

# Provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# Provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

# Store remote logs in /var/log/remote/HOSTNAME/PROGRAM.log
template(name="RemoteLogs" type="string" string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")

if $fromhost-ip != '127.0.0.1' then {
    action(type="omfile" dynaFile="RemoteLogs")
    stop
}

This configuration does three things: loads the UDP and TCP input modules, defines a template that creates log files organized as /var/log/remote/hostname/program.log, and routes all non-local messages to those files while keeping local logs in their default locations.

The stop directive prevents remote logs from also being written to /var/log/syslog, which would mix local and remote messages.
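A hardened variant of the routing rule above, added here as an example rather than taken from the original post. Two details matter for a collector: %HOSTNAME% is taken from the message itself, so the sender controls it, and the secpath-replace property-replacer option turns any "/" in that value into "_" so the dynamic file name cannot leave /var/log/remote; the omfile action also sets explicit ownership and modes so per-host files are not world-readable. Owner/group names are assumed to match Ubuntu's defaults (syslog user, adm group).

```rsyslog
# Added example: sanitised dynafile template plus explicit file modes.
# secpath-replace rewrites "/" to "_" in the property value, so a hostname or
# program name carrying path separators stays inside /var/log/remote.
template(name="RemoteLogsSafe" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log")

# Same routing condition as above; only the template and the file modes differ.
if $fromhost-ip != '127.0.0.1' then {
    action(type="omfile" dynaFile="RemoteLogsSafe"
           dirCreateMode="0750" fileCreateMode="0640"
           dirOwner="syslog" dirGroup="adm"
           fileOwner="syslog" fileGroup="adm")
    stop
}
```

Use it in place of the template and action block shown above, not in addition to it, so each remote message is written once.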

Validate and Restart Rsyslog

Check the configuration for syntax errors before restarting:

sudo rsyslogd -N1

A valid config outputs:

rsyslogd: version 8.2312.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.

Restart rsyslog to apply the changes:

sudo systemctl restart rsyslog

Verify rsyslog is listening on port 514:

ss -tlnup | grep 514

You should see both TCP and UDP listeners on port 514:

udp  UNCONN 0  0  0.0.0.0:514  0.0.0.0:*  users:(("rsyslogd",pid=1144,fd=6))
tcp  LISTEN 0  25 0.0.0.0:514  0.0.0.0:*  users:(("rsyslogd",pid=1144,fd=8))

Open Firewall Ports

If UFW is active, allow syslog traffic:

sudo ufw allow 514/tcp
sudo ufw allow 514/udp

For Rocky Linux / AlmaLinux servers acting as centralized log servers, use firewalld instead:

sudo firewall-cmd --permanent --add-port=514/tcp
sudo firewall-cmd --permanent --add-port=514/udp
sudo firewall-cmd --reload

Configure Rsyslog Clients

On each server that should forward logs to the central server, add a forwarding rule to rsyslog. This works on any Linux distribution with rsyslog installed.

sudo vi /etc/rsyslog.d/90-forward.conf

Add the forwarding rule, replacing 192.168.1.100 with your centralized log server’s IP:

# Forward all logs to the centralized server via TCP
*.* @@192.168.1.100:514

The @@ prefix means TCP. Use a single @ for UDP. TCP is recommended because delivery is reliable: a broken connection is detected and retried, whereas UDP messages are silently dropped.

To forward only specific facilities (like auth logs only), replace *.* with the facility:

auth,authpriv.* @@192.168.1.100:514

Restart rsyslog on the client:

sudo systemctl restart rsyslog

Test by sending a manual log message:

logger -t test "Hello from $(hostname)"

On the centralized server, check that the message arrived:

ls /var/log/remote/

You should see a directory named after the client’s hostname, containing log files organized by program:

/var/log/remote/rocky10-web01/
├── rsyslogd.log
├── sshd-session.log
├── systemd.log
├── systemd-logind.log
└── test.log

Log Rotation for Remote Logs

Remote logs can grow quickly when you have many clients. Set up logrotate to manage them:

sudo vi /etc/logrotate.d/remote-logs

Add a rotation policy:

/var/log/remote/*/*.log {
    daily
    rotate 14
    compress
    delaycompress
    missingok
    notifempty
    create 0640 syslog adm
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}

This keeps 14 days of compressed logs for each remote host. Adjust the rotate value based on your storage capacity and compliance requirements.

Secure Rsyslog with TLS

By default, syslog messages travel in plain text. For environments where log data crosses untrusted networks, encrypt the transport with TLS. Install the required module:

sudo apt install -y rsyslog-gnutls

On the server, add TLS configuration to /etc/rsyslog.d/10-central.conf. You need a certificate and key (Let’s Encrypt or self-signed). Rsyslog loads each module only once, so replace the existing module(load="imtcp") and input(type="imtcp" port="514") lines with the TLS versions below rather than adding a second module(load="imtcp"):

module(load="imtcp"
    StreamDriver.Name="gtls"
    StreamDriver.Mode="1"
    StreamDriver.Authmode="anon")

global(
    DefaultNetstreamDriverCAFile="/etc/ssl/certs/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/ssl/certs/server-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/ssl/private/server-key.pem"
)

input(type="imtcp" port="6514")

TLS syslog conventionally uses port 6514. Clients connect using the @@ prefix with the TLS port.
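The listener above only accepts TLS, and a plain @@192.168.1.100:6514 rule on a client would still send cleartext and be rejected. The following client-side forwarding action is an added example (not from the original post) that matches the server configuration above; 192.168.1.100 and /etc/ssl/certs/ca.pem are assumed to be the log server and the CA that signed its certificate. It replaces the *.* @@ line in /etc/rsyslog.d/90-forward.conf.

```rsyslog
# Added example: client-side TLS forwarding to the central server.
# The gtls driver must be selected globally; the CA file is used to validate
# the server certificate once peer verification is enabled.
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/ssl/certs/ca.pem"
)

# StreamDriverMode 1 = TLS required. StreamDriverAuthMode "anon" matches the
# server block above: the transport is encrypted but neither side verifies the
# other's identity. Set both sides to "x509/name" (with matching certificate
# names) once real certificates are in place to authenticate peers.
# The disk-assisted queue keeps messages across a server outage or a client
# restart instead of dropping them; queue.filename relies on the workDirectory
# that Ubuntu's default rsyslog.conf already sets.
action(type="omfwd"
       target="192.168.1.100" port="6514" protocol="tcp"
       StreamDriver="gtls"
       StreamDriverMode="1"
       StreamDriverAuthMode="anon"
       queue.type="LinkedList"
       queue.filename="fwd-central"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
```

Validate with rsyslogd -N1 and restart rsyslog on the client as in the earlier steps; the test message should then arrive under /var/log/remote/ on the server.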

Troubleshooting

No remote logs appearing

Check that rsyslog is listening on port 514 on the server (ss -tlnup | grep 514). Verify the firewall allows traffic on port 514. On the client, check the rsyslog service status and look for errors in /var/log/syslog.

Remote logs going to /var/log/syslog instead of /var/log/remote/

The stop directive in the central config file must come after the action() line. Without stop, messages continue through the rule chain and land in the default log files too. Also verify the file is loaded before the default config by using a low-numbered prefix like 10-central.conf.

Permission denied errors in rsyslog log

If rsyslog cannot create directories under /var/log/remote/, the syslog user needs write permission. Create the directory with the correct ownership:

sudo mkdir -p /var/log/remote
sudo chown syslog:syslog /var/log/remote

Conclusion

Rsyslog is collecting logs from remote hosts and storing them organized by hostname on your Ubuntu 24.04 server. For larger deployments with hundreds of hosts, consider forwarding logs to a dedicated log analysis platform like the ELK Stack (Elasticsearch, Logstash, Kibana) or Graylog for full-text search and dashboards. Refer to the official rsyslog documentation for advanced features including message filtering, database output, and queue management.
