Raspberry PI: Ubuntu rsyslog server

I decided a while back that my home network needed some kind of centralised system logging mechanism. Actually, I was rummaging around in some old junk and found my old Raspberry PI version 2, and it got me thinking that it was just going to waste sitting there doing nothing, and what a wonderful idea it would be to actually set up the home office syslog server that has been a long time coming.

I did a quick format of the SD card and install of Ubuntu 18.04.2 LTS.
At the time of writing you can download the OS from https://www.ubuntu.com/download/iot/raspberry-pi-2-3, selecting the appropriate image for your PI. I set about eagerly getting all the basics in place: network connectivity, hostname, etc. I had to look at some of the guides online as, admittedly, it had been some time and I had never exactly set up a syslog server before. But hey, how hard can it be!

Rsyslog Setup

My version of Ubuntu came with the rsyslog component already installed. I added a new dynamic configuration file, /etc/rsyslog.d/10-remote.conf; any .conf files under this directory are automatically loaded on service startup.

My personal preference is nano, but use whichever editor you prefer.

sudo nano /etc/rsyslog.d/10-remote.conf

Then I added the following lines:

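# Load the UDP input module and listen on port 514
$ModLoad imudp
$UDPServerRun 514
# Optional: only accept messages from this network (disabled here)
#$AllowedSender UDP, 192.0.2.0/24

# One directory per sending host and program, one file per day
$template RemoteStore, "/var/log/remote/%HOSTNAME%/%programname%/%timegenerated:1:10:date-rfc3339%.log"
# Write everything that is not from localhost through the template ("-" skips the sync after each write)
:source, !isequal, "localhost" -?RemoteStore
# Discard (~) any message whose source is "last"
:source, isequal, "last" ~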

I commented out the allowed sender command, as in my case access is only permitted from within the internal network, enforced by ACLs on the router, but I have left it in case it comes in useful. You can also configure the server to receive over TCP; however, syslog is typically used over UDP and I will only be using UDP. You can mess with the $template line to get the logs to output into the file system almost however you would like. The %variables% are dynamic.

After restarting the service using the following command I proceeded to test the setup.

sudo service rsyslog restart

Testing

I used a simple PHP script on my Windows machine to send a syslog message to my newly configured syslog server.

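<?php
// Send each line of $message as one RFC 3164-style UDP datagram to the rsyslog server.
function send_remote_syslog($message, $component = "TestComponent", $program = "TestProg") {
    $sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
    if ($sock === false) {
        return; // the socket could not be created
    }
    foreach (explode("\n", $message) as $line) {
        // <22> is the priority value: facility 2 (mail) * 8 + severity 6 (info)
        $syslog_message = "<22>" . date('M d H:i:s ') . $program . ' ' . $component . ': ' . $line;
        socket_sendto($sock, $syslog_message, strlen($syslog_message), 0, '192.168.10.150', 514);
    }
    socket_close($sock);
}

send_remote_syslog("Test");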

The resulting log file can be found under /var/log/remote/TestProg/TestComponent/date.log, where date is the date portion produced by the template.
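
Why the test message lands under TestProg/TestComponent, as an added example (not code from the original post and not rsyslog's own parser): a simplified Python model of how the datagram's second and third fields become %HOSTNAME% and %programname%, which means the sender chooses the directory names. The function names and the SAFE_NAME policy are assumptions made for illustration.

```python
import re

# RFC 3164 layout the PHP sender emits: <PRI>Mmm dd HH:MM:SS HOSTNAME TAG: text
RFC3164 = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[\d+\])?: ?"
    r"(?P<msg>.*)",
    re.DOTALL,
)
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,62}")  # assumed naming policy


def parse(datagram: str) -> dict:
    """Split one datagram into the fields the RemoteStore template uses."""
    m = RFC3164.fullmatch(datagram)
    if m is None:
        raise ValueError("not in RFC 3164 layout")
    pri = int(m["pri"])
    if pri > 191:  # facility 23 * 8 + severity 7 is the largest valid PRI
        raise ValueError("PRI out of range")
    return {
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "hostname": m["host"],
        "programname": m["tag"],
        "msg": m["msg"],
    }


def store_path(fields: dict, day: str) -> str:
    """Expand the template path; refuse names unfit for a directory."""
    for key in ("hostname", "programname"):
        if not SAFE_NAME.fullmatch(fields[key]) or ".." in fields[key]:
            raise ValueError(f"unsafe {key}: {fields[key]!r}")
    return f"/var/log/remote/{fields['hostname']}/{fields['programname']}/{day}.log"


# Constructed sample: the datagram send_remote_syslog("Test") produces.
SAMPLE = "<22>Jan 05 10:15:00 TestProg TestComponent: Test"
if __name__ == "__main__":
    print(store_path(parse(SAMPLE), "2019-01-05"))
```

Because UDP syslog carries no authentication, the hostname field is whatever the sender writes, which is why the PHP script's $program argument ends up as the host directory.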

[Image: resulting log file]
