Set up syslog server in Ubuntu Server 16.04 w/ Log Rotation

This is just a post to save some configuration I setup for myself in my home lab. I configured a small Ubuntu Server 16.04 server to act as my lab’s syslog server. This way I can centralize and store my log files from multiple servers and appliances in one place. Mostly educational on my part. Centralized logging is good cyber security practice when combined with some search and analysis tools.

I performed this setup on a standard base Ubuntu 16.04.2 installation. I installed the OS w/ OpenSSH and did the patches to get it current. Here are the steps:

Open the /etc/rsyslog.conf file and edit it so rsyslog will listen for incoming messages.

sudo nano /etc/rsyslog.conf

Edit line 18, 19, 22, 23. Remove the comment hash to enable the UDP and TCP plug-ins and start the listener.

module(load=”imudp”)
input(type=”imudp” port=”514″)

module(load=”imtcp”)
input(type=”imtcp” port=”514″)

Add at line 57 before the other local configuration files are loaded.

$template PerHostLog,”/var/log/remote/%HOSTNAME%/syslog.log
if $fromhost-ip startswith ‘192.168.1.’ then -?PerHostLog
& ~

Save and close the file. You can restart the rsyslog service or reboot. I did a reboot (its on a VM that has fast storage).

These changes will activate the UDP and TCP server modules and attach listener ports to them. Change the port number as required. I left my install at the defaults (port 514). This is fairly common. The lines we added at line 57 tell rsyslog to store logs from network hosts at 192.168.1.0 inside the /var/log/remote folder. These logs will be stored in a folder using the host name of the sender and the filename syslog.log. The “& ~” tells rsyslog to stop processing rules, otherwise these logs get written into the local log files, logging them twice.

Now I went another step further and setup the log rotation so that logs are archived and stored, then deleted as they get old. Open up the configuration for logrotate.

sudo nano /etc/logrotate.d/rsyslog

Scroll down to the bottom and add the following:

/var/log/remote/*
{
rotate 12
monthly
missingok
notifempty
delaycompress
sharedscripts
postrotate
invoke-rc.d rsyslog rotate > /dev/null
endscript
}

These settings tell logrotate to purge more than 12 old files, do the rotation monthly, skip if files are missing, don’t rotate empty files, leave the last file uncompressed, run other scripts, reload syslog so new files are created and end the script and carry on.

Obviously this is just basic and there is a lot more we could do, like separating auth-priv logs from mail logs and such. For now this will meet my general purposes of testing and playing with a central syslog server.

These instructions were modified from the following sources. Thanks for your inspiration.

Leave a Reply