Monitoring logs is a critical part of maintaining a secure and stable IT environment. Syslog, a standard for message logging, allows machines and devices to send event notification messages across IP networks to centralized logging servers. In this guide, we walk you through how to set up a Syslog server on Ubuntu Server 24.04, enabling efficient log management and real-time monitoring for your infrastructure.
Centralizing logs with a Syslog server offers key advantages:
If you manage a variety of network devices, configuring a centralized Syslog server is a smart best practice.
Ubuntu 24.04 comes with rsyslog pre-installed. However, to ensure you are using the latest version, update your system and install it explicitly.
sudo apt update
sudo apt install rsyslog
Once installed, you can verify the status of rsyslog using:
sudo systemctl status rsyslog
If it’s not active, enable and start the service:
sudo systemctl enable rsyslog
sudo systemctl start rsyslog
To allow your server to accept remote log entries, you need to modify the Rsyslog configuration. Open it and uncomment (or add) the module and input lines shown below:
sudo nano /etc/rsyslog.conf
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")
These lines configure Rsyslog to listen for Syslog messages on port 514, the standard Syslog port, over both UDP and TCP; as written, both inputs bind on all interfaces. If your network allows, prefer TCP: UDP gives no delivery guarantee, so messages can be lost silently under load, while TCP provides more reliable transport.
Save and close the file, then restart the service:
sudo systemctl restart rsyslog
Ensure that your server firewall allows incoming traffic on port 514 (UDP and/or TCP):
sudo ufw allow 514/tcp
sudo ufw allow 514/udp
sudo ufw reload
This ensures remote clients and devices can send logs properly to your Syslog server.
You can set up custom templates and rules to organize logs by host or facility. To create a directory for each client that sends logs:
sudo nano /etc/rsyslog.d/remote.conf
Insert the following:
$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& stop
With this configuration, logs are saved under /var/log in a directory named after the sending host, with one file per program. This helps keep things neat and searchable. Note that the rule matches every message (*.*), including those generated locally on the server itself, so the server's own logs will also be written under /var/log/<server hostname>/, and the & stop line prevents any rules loaded after this file from seeing the matched messages.
On a client machine, you can use rsyslog to send logs to the newly set up Syslog server. Edit the client’s Rsyslog configuration:
sudo nano /etc/rsyslog.conf
Add the following line to the bottom of the file, replacing 192.168.1.10 with your server’s IP address:
*.* @192.168.1.10:514
For TCP-based communication, use @@ instead of @:
*.* @@192.168.1.10:514
Then restart the rsyslog service on the client:
sudo systemctl restart rsyslog
Back on your Syslog server, navigate to /var/log and confirm that a new directory was created for your client with new log files inside. Because the template names each file after the program that logged it (%PROGRAMNAME%.log), you will see one file per program (for example sshd.log) rather than a single syslog.log. You can follow all of a client's files as messages arrive using:
sudo tail -f /var/log/clienthostname/*.log
This allows real-time monitoring of logs as they’re received, a powerful tool for system admins and network engineers.
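To make the listener configuration, the %HOSTNAME%/%PROGRAMNAME%.log template and the end-to-end check above concrete, here is an added example (not code from the page or from the rsyslog project): a small Python program that implements both sides of the exchange. The client half encodes a BSD (RFC 3164) message with its <PRI> prefix exactly as the *.* @server:514 rule forwards it; the server half parses such a datagram, decodes facility and severity from PRI, and files the record under <root>/<hostname>/<programname>.log. The function names, the short facility names for codes 12-15, the sample host and program names and the message text are this example's own constructed values, and the demo writes into a temporary directory rather than /var/log.

```python
"""Toy syslog endpoint: parses RFC 3164 datagrams and files them the way the
rsyslog template above does (<root>/%HOSTNAME%/%PROGRAMNAME%.log).
All names, sample messages and the directory layout are this example's own."""
import os
import re
import socket
from pathlib import PurePosixPath

# PRI = facility * 8 + severity; list positions match the numeric codes.
# Codes 12-15 have no fixed Unix names; the short names here are our own.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD syslog line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

def parse_syslog(line: str) -> dict:
    """Decode one RFC 3164 line into its fields; raise ValueError if malformed."""
    m = _RFC3164.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"not an RFC 3164 syslog line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the highest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    return {
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "timestamp": m["timestamp"],
        "hostname": m["hostname"],
        "programname": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "msg": m["msg"],
    }

_SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")

def log_path(rec: dict, root: str = "/var/log") -> str:
    """Build the %HOSTNAME%/%PROGRAMNAME%.log path. Both fields arrive from the
    network and are untrusted, so anything that could escape the per-host
    directory (slashes, '..', empty names) is rejected before touching disk."""
    for field in ("hostname", "programname"):
        value = rec[field]
        if not _SAFE_NAME.fullmatch(value) or value in (".", ".."):
            raise ValueError(f"unsafe {field} from sender: {value!r}")
    return str(PurePosixPath(root) / rec["hostname"] / f"{rec['programname']}.log")

def build_message(facility: str, severity: str, hostname: str, tag: str,
                  msg: str, timestamp: str = "Oct 11 22:14:15") -> bytes:
    """Client side: encode a message exactly as a BSD syslog sender would."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    return f"<{pri}>{timestamp} {hostname} {tag}: {msg}".encode()

def send_message(server: str, data: bytes, port: int = 514) -> int:
    """Fire one UDP datagram at the collector, as the client's *.* @server rule does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(data, (server, port))

def store(rec: dict, root: str) -> str:
    """Append one parsed record to its per-host file, creating the directory."""
    path = log_path(rec, root)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "a", encoding="utf-8") as f:
        f.write(f"{rec['timestamp']} {rec['hostname']} {rec['programname']}: {rec['msg']}\n")
    return path

def serve(root: str, bind: str = "0.0.0.0", port: int = 514) -> None:
    """Server side: receive datagrams forever (binding port 514 needs root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        while True:
            data, (src, _) = s.recvfrom(65535)
            try:
                store(parse_syslog(data.decode("utf-8", "replace")), root)
            except ValueError as err:
                print(f"dropped datagram from {src}: {err}")

if __name__ == "__main__":
    # Offline demo: a constructed sshd message filed into a temporary root.
    import tempfile
    sample = build_message("auth", "info", "client01", "sshd", "Accepted publickey for alice")
    root = tempfile.mkdtemp()
    print(store(parse_syslog(sample.decode()), root))  # <root>/client01/sshd.log
```

Run it as-is for the offline demo, or call serve("/tmp/sysdemo", port=5514) on one machine and send_message("<server ip>", build_message(...), port=5514) from another to watch a per-host directory appear. Two design points carry over to the real setup: facility and severity live in the PRI byte (which is what the *.* selector filters on), and the hostname and program name that pick the output path are supplied by the sender, which is why a collector must treat them as untrusted input.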
Here are some extra ideas for maintaining and enhancing your Syslog setup: use logrotate to prevent logs from consuming disk space.

Setting up a Syslog server on Ubuntu Server 24.04 is straightforward and opens up a world of centralized log management. With the right configuration, you ensure better visibility, faster troubleshooting, and enhanced security for your IT environment. Whether you’re managing a handful of devices or a full enterprise network, centralized logging should be a core part of your infrastructure strategy.