What is Linux Syslog Server and how to manage server logs??

What is Linux Syslog Server and how to manage server logs??

Syslog stands for “System Logging Protocol”. It is a standard for message logging and is a protocol used to forward logs on devices such as routers, switches, firewalls, etc. Every single device on the network including linux machines, windows machines, switches, routers, all generate logs of some kind.

If we need to check the log for a switch , we need to access that particular device to get the related logs. Devices may not hold logs for long time. If something happens on any of these devices and if the device is no longer accessible, the logs could be lost.

This is where the “syslog server”comes into action. Syslog server serves as a centralized location that holds log of all devices in the environment in one place. Hence it is easier to compare and to co-relate the events and their sequences from different devices in a single place. We can forward device logs using the protocol “syslog” to a centralized “syslog server”.

Most network equipments, like routers, switches, firewalls, printers, and even web-servers like Apache can send Syslog messages. Windows-based servers don’t support Syslog natively, but there are third party tools available to collect Windows Event Log and forward it to a Syslog server.

Syslog is widely accepted for its simplicity as there is no complex requirements between the Sending device and Receiving Server.

Syslog is part of the Transport layer in the OSI Model, using User Datagram Protocol (UDP) to transport/transfer information across the network. It uses UDP protocol on port number 514.

Most of the linux distributions come with an logging component pre-installed like syslog and rsyslog. Rsyslog is an Open Source logging service. It is also the default logging service in CentOS 7 / RHEL 7. Rsyslog can forward the logs to text files in /var/log/ folder, databases and even to different hosts. It supports MySQL, PostgreSQL, Oracle, SQLite, Microsoft SQL, Sybase, Firebird, and mSQL databases. Rsyslog can be run in both server and client mode.

Basic rsyslog configuration

Configuration file of rsyslog is “/etc/rsyslog.conf”.

Each line in this file contains a “selector” and a corresponding “action”. Selector contains facility and priority.

eg: cron.* /var/log/cron

In the above example “cron.*” is the “selector” and “/var/log/cron” is the action.

The asterisk “*” is used as wildcard to represent the priorities like debug, warning, err etc. Here all types of logs from cron will be forwarded to “/var/log/cron”.

Syslog facilities

In syslog, a facility code is being used to specify the type of program that is logging the message. Messages with different facilities will be handled differently. The following aresome of the major syslog facilities in Linux:

auth                 Security related messages.

auth-priv          Private authentication messages.

cron                 Message generated by cron subsystem.

daemon           System daemons.

kern                 Kernel messages.

mail                 Mail messages.

syslog              Messages generated internally by syslogd

We have two additional special facilities :

→the asterisk (*) which means all facilities

→none which means no facility at all.

Look at the following examples to understand these special facilities.

*.emerg           /var/log/emerg

This line says send all messages of the emergency priority to /var/log/emerg file.

mail.none /var/log/maillog

This tells rsyslog not to log any mail messages to the file /var/log/maillog.

Configuring rsyslog client


1. # vi /etc/rsyslog.conf

2. To store the logs to a remote rsyslog server, paste the below lines at the bottom of the rsyslog.conf file, above the line “# ### end of the forwarding rule ###”

Eg: *. * @<IP Here>:514 ( use a single “@” for UDP and “@@” for TCP protocols).

#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g., port optional

*.* @@<IP>:514

# ### end of the forwarding rule ###

It directs the rsyslog to send all the logs to the remote host at the IP via 514/UDP port.

Log priorities

We can set priority levels using some special characters. Different priority levels in syslog are:


debug              debugging messages

info                  informational messages

notice              normal, but significant, condition

err                    error conditions

warning           warning conditions

crit                   critical conditions

emerg              emergency condition, system is unstable

alert                 action must be taken immediately


There are four new specifiers used along with priorities which are:


*          wildcard, all type of priorities can be logged

=          restrict logging to specified priority

!           exclude logging of specified priority

–           used to prefix a filename if you want to omit syncing the file after every write to it


Some samples of Rsyslog priority level qualifiers in CentOS 7 are given below.

kern.info = kernel logs with info priority and higher.
kern.=info = only kernel messages with info priority.
kern.info;kern.!err = only kernel messages with info, notice, and warning priorities.
kern.debug;kern.!=warning = all kernel priorities except warning.
kern.* = all kernel priorities messages.                                                                                                                                                                                                                                                                                                                                                                      kern.none = don’t log any related kernel facility messages regardless of the priority.

Rsyslog actions

Syslog can have many actions even though only one can be included in a rule.

→ Filename can be listed in the action field

→ Usernames can be specified

→ Messages can be sent to remote machines

→ An asterisk to message all logged in users

If we want to send only a specific facility messages to a remote log server, such as all related mail messages regardless of the priority level, add the below line to rsyslog configuration file:

mail.* @

Once we have made changes to the syslog configuration file, the service needs to be restarted to pick up the changes.

# systemctl restart rsyslog.service


Leave a Reply

Your email address will not be published. Required fields are marked *

Retype the CAPTCHA code from the image
Change the CAPTCHA codeSpeak the CAPTCHA code

close slider