How to Set Up a Syslog Server on Ubuntu Server 24.04

Monitoring logs is a critical part of maintaining a secure and stable IT environment. Syslog, a standard for message logging, allows machines and devices to send event notification messages across IP networks to centralized logging servers. In this guide, we walk you through how to set up a Syslog server on Ubuntu Server 24.04, enabling efficient log management and real-time monitoring for your infrastructure.

Why Use a Syslog Server?

Centralizing logs with a Syslog server offers key advantages:

  • Unified Monitoring: View logs from multiple devices in one place.
  • Security: Saving logs on a remote server reduces the risk that they are tampered with on the machine that produced them.
  • Efficiency: Easier to analyze, search, and archive logs.

If you manage a variety of network devices, configuring a centralized Syslog server is a smart best practice.

Step 1: Installing Rsyslog on Ubuntu 24.04

Ubuntu 24.04 comes with rsyslog pre-installed. However, to ensure you are using the latest version, update your system and install it explicitly.

sudo apt update
sudo apt install rsyslog

Once installed, you can verify the status of rsyslog using:

sudo systemctl status rsyslog

If it’s not active, enable and start the service:

sudo systemctl enable rsyslog
sudo systemctl start rsyslog

Step 2: Configuring Rsyslog as a Syslog Server

To allow your server to accept remote log entries, you need to modify the Rsyslog configuration.

  1. Open the Rsyslog configuration file:
sudo nano /etc/rsyslog.conf
  2. Uncomment the following lines to enable UDP and/or TCP reception:
module(load="imudp")
input(type="imudp" port="514")

module(load="imtcp")
input(type="imtcp" port="514")

These lines configure Rsyslog to listen for Syslog messages on port 514, the standard Syslog port. If your network allows, using TCP provides more reliable transport.

Save and close the file, then restart the service:

sudo systemctl restart rsyslog

Step 3: Adjusting the Firewall Settings

Ensure that your server firewall allows incoming traffic on port 514 (UDP and/or TCP):

sudo ufw allow 514/tcp
sudo ufw allow 514/udp
sudo ufw reload

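This lets remote clients and devices reach your Syslog server. As written, the rules accept traffic on port 514 from any source address; where possible, limit them to the networks your log clients send from.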

Step 4: Organizing Logs with Rsyslog

You can set up custom templates and rules to organize logs by host or facility. To create a directory for each client that sends logs:

sudo nano /etc/rsyslog.d/remote.conf

Insert the following:

$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& stop

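With this configuration, each message is saved under the sending host’s name inside /var/log, in a file named after the program that produced it. This helps keep things neat and searchable. Both names are read from the message itself, so they are whatever the sender reports.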
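
An alternative to the Step 4 rules, as an added example that is not part of the original guide: it names each directory after the peer IP address seen by the server instead of the HOSTNAME field supplied in the message, and applies the rule to the network listeners only. The base directory /var/log/remote and the names RemoteByPeer and remote are assumptions.

```conf
# /etc/rsyslog.d/remote.conf  (added example; used instead of the Step 4 rules)
# Assumption: the imudp/imtcp module() and input() lines from Step 2 stay
# commented out in /etc/rsyslog.conf, because the listeners are defined here.

module(load="imudp")
module(load="imtcp")

# Weak (Step 4): the directory name comes from the HOSTNAME field of the
# message, which the sender chooses, and the rule also matches the server's
# own local messages:
#   $template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
#   *.* ?RemoteLogs

# Hardened: the directory name is the peer address seen on the socket, and
# the program name is sanitized before it becomes part of a file name.
# /var/log/remote/ is an assumed base directory that keeps client logs apart
# from the server's own files in /var/log.
template(name="RemoteByPeer" type="list") {
    constant(value="/var/log/remote/")
    property(name="fromhost-ip")
    constant(value="/")
    property(name="programname" securepath="replace")
    constant(value=".log")
}

# Only messages arriving on the network listeners enter this ruleset, so
# local logging on the server keeps following the default rules.
ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteByPeer")
}

input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
```

Check the file with sudo rsyslogd -N1 before restarting the service. With this variant, the directory to look for in Step 6 is /var/log/remote/ followed by the client’s IP address.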

Step 5: Sending Logs from a Remote Client

On a client machine, you can use rsyslog to send logs to the newly set up Syslog server. Edit the client’s Rsyslog configuration:

sudo nano /etc/rsyslog.conf

Add the following line to the bottom of the file, replacing 192.168.1.10 with your server’s IP address:

*.* @192.168.1.10:514

For TCP-based communication, use @@ instead of @:

*.* @@192.168.1.10:514

Then restart the rsyslog service on the client:

sudo systemctl restart rsyslog

Step 6: Verifying the Setup

Back on your Syslog server, navigate to /var/log and confirm that a new directory was created for your client with new log files inside. With the Step 4 template, each file is named after the program that logged the message. You can view logs using:

sudo tail -f /var/log/clienthostname/syslog.log

This allows real-time monitoring of logs as they’re received, a powerful tool for system admins and network engineers.

Bonus Tips

Here are some extra ideas for maintaining and enhancing your Syslog setup:

  • Log rotation: Use logrotate to prevent logs from consuming disk space.
  • Security enhancements: Plain Syslog over UDP or TCP on port 514 is neither encrypted nor authenticated; enable TLS encryption for secure Syslog transfers.
  • Visualization: Integrate with tools like Kibana or Graylog for graphic-based log analytics.

Conclusion

Setting up a Syslog server on Ubuntu Server 24.04 is straightforward and opens up a world of centralized log management. With the right configuration, you ensure better visibility, faster troubleshooting, and enhanced security for your IT environment. Whether you’re managing a handful of devices or a full enterprise network, centralized logging should be a core part of your infrastructure strategy.

Lucas Anderson

I'm Lucas Anderson, an IT consultant and blogger. Specializing in digital transformation and enterprise tech solutions, I write to help businesses leverage technology effectively.
