Server
Open port 514 (TCP and UDP) in the UFW firewall for the client subnet:
ufw allow from 192.168.122.0/27 to any port 514
mkdir /var/log/rsyslog
chown root:adm /var/log/rsyslog
The following code goes in 90-rsyslog.conf. It should be placed before the “*.info;mail.none;authpriv.none;cron.none /var/log/syslog” entry, which is done by the directive $IncludeConfig /etc/rsyslog.d/*.conf in /etc/rsyslog.conf.
Be sure to replace server-name below with the name of your central logging server.
/etc/rsyslog.d/90-rsyslog.conf
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
# log each machine to own rsyslog directory
$template TmplAuth, "/var/log/rsyslog/%HOSTNAME%/%PROGRAMNAME%.log"
$template TmplMsg, "/var/log/rsyslog/%HOSTNAME%/%PROGRAMNAME%.log"
authpriv.* ?TmplAuth
*.info;mail.none;authpriv.none;cron.none ?TmplMsg
# messages from remote hosts: write to the per-host files, then discard them
if ($hostname != 'server-name') then ?TmplAuth
if ($hostname != 'server-name') then ?TmplMsg
& ~
Comment out the end of the file to disable the error message about the missing xconsole, and add mail.none so that Postfix messages are not logged to /var/log/syslog.
/etc/rsyslog.conf
# daemon.*;mail.*;\
# news.err;\
# *.=debug;*.=info;\
# *.=notice;*.=warn |/dev/xconsole
*.*;auth,authpriv.none;mail.none -/var/log/syslog
Verify rsyslog configuration:
rsyslogd -f /etc/rsyslog.conf -N9
You should receive the message below; otherwise check your log for error messages.
rsyslogd: End of config validation run. Bye.
Restart rsyslog daemon:
service rsyslog restart
/etc/logrotate.d/rsyslog
#insert right after first line
/var/log/syslog
#to rotate logs from remote syslog
/var/log/rsyslog/*/*.log
Client
Add the following line at the end of the file.
/etc/rsyslog.conf
*.* @home-server:514
service rsyslog restart
List of clients
home-switch
home-receiver
faix-receiver
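
An added example, not part of the original notes: a shell function that audits the per-host tree created by the templates above against the client list. The directory name comes from the HOSTNAME field the sender puts in the message, so an unlisted directory deserves a look, and a listed client with no recent log file may have stopped forwarding. The function name, the output labels and the 1440-minute threshold are assumptions; GNU find is assumed for -mmin.

```shell
#!/bin/sh
# Layout assumed from the templates: <root>/<HOSTNAME>/<PROGRAMNAME>.log
#
# audit_clients ROOT MAX_AGE_MIN CLIENT...
# Prints one finding per line:
#   UNEXPECTED <host>  directory exists but host is not in the client list
#   SILENT <host>      listed client has no .log modified in MAX_AGE_MIN minutes
#   MISSING <host>     listed client has never logged (no directory)
# Returns 0 when there are no findings, 1 otherwise.
audit_clients() {
    root=$1
    max_age=$2
    shift 2
    findings=0

    # Pass 1: directories on disk that no listed client accounts for.
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        host=$(basename "$dir")
        known=0
        for c in "$@"; do
            if [ "$c" = "$host" ]; then known=1; fi
        done
        if [ "$known" -eq 0 ]; then
            echo "UNEXPECTED $host"
            findings=1
        fi
    done

    # Pass 2: listed clients that are absent or have gone quiet.
    for c in "$@"; do
        if [ ! -d "$root/$c" ]; then
            echo "MISSING $c"
            findings=1
        elif [ -z "$(find "$root/$c" -name '*.log' -mmin "-$max_age" | head -n 1)" ]; then
            echo "SILENT $c"
            findings=1
        fi
    done
    return "$findings"
}

# Example call on the log server (include the server's own name, since the
# first two template rules also write its local messages under /var/log/rsyslog):
#   audit_clients /var/log/rsyslog 1440 server-name home-switch home-receiver faix-receiver
```

Run it from cron and mail the output when the return code is non-zero.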