How to configure syslog server in Linux

Last updated on:

What is a syslog server?

A syslog server is a system configured to receive, store, and analyze syslog messages sent by Linux servers, network devices, firewalls, and applications. Instead of checking logs individually on each device, a syslog server centralizes all logs into a single location, enabling efficient troubleshooting, monitoring, and security auditing.

Linux supports several syslog daemons, including:

  • Rsyslog: default on most modern distributions
  • Syslog-ng: advanced filtering and modularity
  • Systemd-journald: systemd's binary journal, present on every systemd host; it does not receive remote syslog itself and normally hands its entries to rsyslog or syslog-ng

A syslog server listens on:

  • UDP 514: fast and supported by almost every device, but there is no delivery guarantee and the source address is trivially spoofed
  • TCP 514: reliable delivery; the sender notices when the server is down instead of silently losing messages
  • TCP 6514 with TLS (RFC 5425): encrypted and authenticated transport, the only option appropriate across an untrusted network


How the Linux syslog architecture works

Before configuring a syslog server, it’s important to understand how syslog flows within Linux. A typical syslog pipeline includes:

  1. Applications/services generate logs
  2. Syslog daemon (rsyslog/syslog-ng/journald) collects, parses, and processes logs
  3. Output modules forward logs to a remote syslog server or store them locally

Linux syslog daemons such as rsyslog and syslog-ng accept both RFC 3164 (the older BSD format) and RFC 5424. Network devices commonly send RFC 3164, while modern Linux applications and daemons can emit RFC 5424. Both formats start with a PRI field that encodes facility and severity (PRI = facility × 8 + severity) followed by a timestamp, a hostname and the message; RFC 5424 adds a version number, an app-name, a process ID, a message ID, optional structured-data elements, and a full RFC 3339 timestamp with year and time zone, which RFC 3164's "Mmm dd hh:mm:ss" timestamp lacks.
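To make the difference between the two formats concrete, here is a small parser that recognises both and decodes the PRI field. It is an added example written for this page, not code from the original article or from rsyslog or syslog-ng; the two sample lines are constructed (the RFC 5424 one is adapted from the example in RFC 5424), and the facility and severity tables are the standard ones from that RFC.

```python
"""Decode RFC 3164 (BSD) and RFC 5424 syslog lines.

Added example for this page, not code from the original article or from
rsyslog/syslog-ng. The two sample lines are constructed (the RFC 5424 one is
adapted from the example in RFC 5424 section 6.5).
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Numeric codes from RFC 5424, tables 1 and 2. PRI = facility * 8 + severity.
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
            "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
            "solaris-cron"] + [f"local{i}" for i in range(8)]

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$"
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG (the [PID] part is optional)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<msg>.*)$"
)

# Constructed samples: an sshd line as a BSD-style sender emits it, and an RFC 5424 line.
SAMPLE_3164 = ("<38>Oct 11 22:14:15 web01 sshd[2301]: Failed password for invalid user admin "
               "from 203.0.113.9 port 51234 ssh2")
SAMPLE_5424 = ('<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
               '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] '
               'An application event log entry')


@dataclass
class SyslogMsg:
    rfc: str            # "3164" or "5424"
    facility: str
    severity: str
    timestamp: str
    host: str
    app: Optional[str]  # TAG (3164) or APP-NAME (5424); None when the sender gave "-"
    pid: Optional[str]
    msg: str


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split the PRI number into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITY[pri >> 3], SEVERITY[pri & 7]


def _nil(value: str) -> Optional[str]:
    """RFC 5424 uses "-" (NILVALUE) for fields the sender does not know."""
    return None if value == "-" else value


def parse(line: str) -> SyslogMsg:
    """Parse one syslog line in either format; raise ValueError for anything else."""
    m = RFC5424.match(line)
    if m:
        fac, sev = decode_pri(int(m["pri"]))
        return SyslogMsg("5424", fac, sev, m["ts"], m["host"], _nil(m["app"]),
                         _nil(m["pid"]), m["msg"] or "")
    m = RFC3164.match(line)
    if m:
        fac, sev = decode_pri(int(m["pri"]))
        return SyslogMsg("3164", fac, sev, m["ts"], m["host"], m["tag"], m["pid"], m["msg"])
    raise ValueError(f"not a recognised syslog line: {line!r}")


def at_least(m: SyslogMsg, level: str) -> bool:
    """True when m is at least as severe as level (emerg=0 is most severe, debug=7 least)."""
    return SEVERITY.index(m.severity) <= SEVERITY.index(level)


if __name__ == "__main__":
    for line in (SAMPLE_3164, SAMPLE_5424):
        parsed = parse(line)
        print(f"RFC {parsed.rfc}: {parsed.facility}.{parsed.severity} from {parsed.host} "
              f"({parsed.app}[{parsed.pid}]): {parsed.msg}")
```

The severity ordering is the part people get backwards: lower numbers are more severe, so a filter such as at_least(msg, "err") must compare indices with <=, which is also how rsyslog's "*.err" selector behaves. Note that the hostname in either format is whatever the sender wrote; the parser cannot tell a spoofed value from a real one, which is why the server-side configuration later on keys on the source address.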

Prerequisites for configuring a syslog server

Before configuring the server:

  • Install a syslog daemon (rsyslog or syslog-ng); systemd-journald is already present on systemd hosts but does not receive remote syslog by itself.
  • Check network connectivity between log sources and the syslog server.
  • Ensure firewall rules allow inbound syslog traffic from the log sources only (UDP/TCP 514, or TCP 6514 for TLS).
  • Use root or sudo privileges for configuration changes.
  • Enable time synchronization (chrony or ntpd) on the server and on every log source, so timestamps from different hosts can be correlated.

Configure Rsyslog as a syslog server

Rsyslog is the default syslog daemon in most modern Linux distributions.

Step 1: Install rsyslog (if not installed)

Syntax:

sudo apt install rsyslog     # Ubuntu/Debian
sudo dnf install rsyslog     # RHEL/Fedora (use yum on older releases)

Step 2: Enable UDP/TCP reception

Edit /etc/rsyslog.conf and uncomment:

Syntax:

module(load="imudp")
input(type="imudp" port="514")

module(load="imtcp")
input(type="imtcp" port="514")

Step 3: Create a custom log file for remote logs

Add this to /etc/rsyslog.d/remote.conf. The template builds one file per sending host (rsyslog creates the directory because createDirs is on by default). The condition keeps the server's own messages, which rsyslog reports with source address 127.0.0.1, out of that directory, and stop prevents remote messages from also being written to the server's /var/log/syslog or /var/log/messages. %HOSTNAME% is whatever name the sender put in the message header, so a client can claim any name; key on %FROMHOST-IP% instead if the file name must reflect the actual source:

Syntax:

$template RemoteLogs,"/var/log/remote/%HOSTNAME%.log"
if $fromhost-ip != "127.0.0.1" then {
    action(type="omfile" dynaFile="RemoteLogs") stop
}

Step 4: Restart rsyslog

sudo systemctl restart rsyslog

Your server now accepts logs on UDP and TCP 514. Anything that can reach those ports can inject lines into /var/log/remote, and a UDP source address is trivially spoofed, so restrict the listeners to your log sources at the firewall (see "Open firewall ports for syslog" below) and use TCP with TLS on port 6514 (imtcp with the gtls or ossl stream driver) for any traffic that crosses an untrusted network.

Configure syslog-ng as a syslog server

syslog-ng is a flexible, high-performance logging daemon.

Step 1: Install syslog-ng

Syntax:

sudo apt install syslog-ng   # Ubuntu/Debian
sudo dnf install syslog-ng   # RHEL/Fedora (packaged in EPEL for RHEL; use yum on older releases)

Step 2: Configure sources, destinations, and log paths

Edit /etc/syslog-ng/syslog-ng.conf (or add a file under /etc/syslog-ng/conf.d/ if the main file includes that directory). The network() driver replaces the older udp() and tcp() sources, and create-dirs(yes) is required because syslog-ng, unlike rsyslog, does not create /var/log/remote on its own. With the default keep-hostname(no), $HOST is derived from the peer's address rather than from the name the sender claims:

Syntax:

source s_net {
    network(transport("udp") port(514));
    network(transport("tcp") port(514));
};
destination d_remote { file("/var/log/remote/$HOST.log" create-dirs(yes)); };
log { source(s_net); destination(d_remote); };

Step 3: Restart syslog-ng

Syntax:

sudo systemctl restart syslog-ng

Configure systemd-journald for remote logging

systemd-journald does not listen for remote syslog, and ForwardToSyslog does not send anything over the network either: it copies each journal entry to the local syslog socket (/run/systemd/journal/syslog), where rsyslog or syslog-ng picks it up and applies its own rules, including any rule that forwards to the central server. On RHEL-family systems rsyslog normally reads the journal directly through its imjournal module, so this step is unnecessary there. For journal-to-journal transport, systemd ships systemd-journal-remote (receiver) and systemd-journal-upload (sender), which speak HTTP(S) rather than syslog; in most production environments, especially those aggregating multi-vendor logs, forwarding through rsyslog or syslog-ng remains the standard approach.

Step 1: Edit journald.conf

Open /etc/systemd/journald.conf (or a drop-in file under /etc/systemd/journald.conf.d/) and set, in the [Journal] section:

Syntax:

[Journal]
ForwardToSyslog=yes

Step 2: Restart systemd-journald

Syntax:

sudo systemctl restart systemd-journald

Step 3: Configure rsyslog/syslog-ng to receive forwarded logs

The forwarded entries arrive at the local rsyslog or syslog-ng through the syslog socket, so that daemon decides where they go: on a client, give it a forwarding rule pointing at the central server (the client rule shown under Troubleshooting); on the server, the rsyslog or syslog-ng configuration above receives them.

Open firewall ports for syslog

To allow syslog traffic if firewalld is enabled. Opening the port to every host is the quick option; accepting only the networks your log sources live in is the safer one (10.0.0.0/8 below is a placeholder for your own address space; add 6514/tcp in the same way if you use TLS):

Syntax:

sudo firewall-cmd --permanent --add-port=514/udp    # any source
sudo firewall-cmd --permanent --add-port=514/tcp
# log-source networks only (placeholder range); repeat with protocol="tcp"
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" port port="514" protocol="udp" accept'
sudo firewall-cmd --reload

If using UFW (Ubuntu/Debian), the same choice applies:

sudo ufw allow 514/udp                                     # any source
sudo ufw allow 514/tcp
sudo ufw allow from 10.0.0.0/8 to any port 514 proto udp   # log-source networks only (placeholder range)
sudo ufw allow from 10.0.0.0/8 to any port 514 proto tcp

Verify syslog server connectivity

  1. Send a test message from a client. On its own, logger only writes to the client's local syslog, so either forward from that client (the client rule under Troubleshooting) or point logger straight at the server: -d sends over UDP, -T over TCP

    logger -n <syslog-server-ip> -P 514 -d "Test message from client"
    logger -n <syslog-server-ip> -P 514 -T "Test message from client"
  2. Check TCP reachability from the client (UDP has no handshake, so nc cannot prove a UDP listener is up; rely on the next step for that)

    nc -vz <syslog-server-ip> 514
  3. Watch the per-host files on the server as the message arrives

    sudo tail -f /var/log/remote/*.log

If logs appear, the server is receiving syslogs correctly.
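If logger is unavailable on the client, or you want to see exactly what goes on the wire, the following script does the same job. It is an added example written for this page, not code from the original article or from rsyslog or syslog-ng: it builds an RFC 5424 message, frames it for TCP with either RFC 6587 octet counting or a trailing newline, and sends it. The server address, the port and the app-name "syslogtest" are placeholders.

```python
"""Send a test syslog message to a server over UDP or TCP.

Added example for this page, not code from the original article or from
rsyslog/syslog-ng. Server address, port and the app-name "syslogtest" are
placeholders; adjust them to your environment.
"""
import os
import socket
import sys
from datetime import datetime, timezone
from typing import Optional

FACILITY_LOCAL0 = 16   # RFC 5424 table 1
SEVERITY_NOTICE = 5    # RFC 5424 table 2


def build_rfc5424(msg: str, facility: int = FACILITY_LOCAL0, severity: int = SEVERITY_NOTICE,
                  hostname: Optional[str] = None, app: str = "syslogtest",
                  procid: Optional[str] = None, timestamp: Optional[str] = None) -> bytes:
    """<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG (MSGID and SD are "-")."""
    pri = facility * 8 + severity
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    if timestamp is None:   # RFC 3339, millisecond precision, UTC, as rsyslog itself emits it
        timestamp = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    hostname = hostname or socket.gethostname()
    procid = procid or str(os.getpid())
    return f"<{pri}>1 {timestamp} {hostname} {app} {procid} - - {msg}".encode("utf-8")


def frame(payload: bytes, framing: str = "octet") -> bytes:
    """TCP carries a byte stream with no message boundaries, so syslog over TCP needs framing (RFC 6587).

    "octet": 'LENGTH SP MSG', so a newline inside the message cannot split it.
    "lf":    message terminated by a newline; an embedded newline is squashed first,
             because the receiver would otherwise treat it as the end of the frame.
    """
    if framing == "octet":
        return f"{len(payload)} ".encode("ascii") + payload
    if framing == "lf":
        return payload.replace(b"\n", b" ") + b"\n"
    raise ValueError(f"unknown framing: {framing}")


def send(server: str, port: int, payload: bytes, transport: str = "udp",
         framing: str = "octet", timeout: float = 3.0) -> int:
    """Deliver one message; returns the number of bytes handed to the socket.

    A UDP send "succeeds" even when nothing listens on the far side, so only the TCP
    path can tell you the server is reachable; check /var/log/remote on the server either way.
    """
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(payload, (server, port))
    if transport == "tcp":
        data = frame(payload, framing)
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(data)
        return len(data)
    raise ValueError(f"unknown transport: {transport}")


if __name__ == "__main__":
    # usage: python3 syslog_send.py <syslog-server-ip> [udp|tcp] [port]
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    transport = sys.argv[2] if len(sys.argv) > 2 else "udp"
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 514
    n = send(server, port, build_rfc5424("Test message from client"), transport)
    print(f"sent {n} bytes to {server}:{port}/{transport}")
```

rsyslog's imtcp accepts both framings by default; syslog-ng's network() source expects newline framing and its syslog() source expects octet counting, so pass framing="lf" when testing against the network() source configured above. The message lands in /var/log/remote under the hostname the script put in the header, which is exactly the spoofable field the server-side notes warn about.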

Log rotation

Configure logrotate for /var/log/remote/*.log on the server so the per-host files do not grow without bound: rotate daily or by size, compress old files, keep as many as your retention policy requires, and send rsyslog a HUP (or restart it) in the postrotate step so it reopens the rotated files. Buffering during outages is a separate concern and belongs on the sending side. A plain queue.type="LinkedList" is an in-memory queue and its contents are lost on a crash or restart; a disk-assisted queue additionally sets queue.filename (which lets the queue spill to disk in rsyslog's work directory when memory fills) and queue.saveOnShutdown="on", so the client holds logs locally during a network outage and forwards them once the server is reachable again. This only works with TCP or TLS forwarding: over UDP rsyslog never learns that the server is down, so nothing is ever queued.

Troubleshooting syslog server issues

If syslogs are not arriving:

  1. Check if rsyslog is listening

    sudo ss -tulnp | grep 514
  2. Verify SELinux

    On SELinux-enforcing systems (RHEL, Fedora and derivatives), look for denials against rsyslogd before changing anything:

    sudo ausearch -m AVC -c rsyslogd -ts recent

    Port labels: udp/514 and tcp/udp 6514 already carry the syslogd_port_t type in the targeted policy, so adding udp/514 with semanage fails with "already defined". Only a non-standard port needs a label (10514 is an example here); use -m instead of -a if semanage reports that the port is already defined with another type:

    sudo semanage port -l | grep syslogd_port_t
    sudo semanage port -a -t syslogd_port_t -p tcp 10514

    File labels: /var/log/remote inherits var_log_t and needs nothing extra. If remote logs are written elsewhere (for example /srv/logs), give that tree the var_log_t type and relabel it:

    sudo semanage fcontext -a -t var_log_t "/srv/logs(/.*)?"
    sudo restorecon -Rv /srv/logs

    The syslogd_disable_trans boolean found in older guides no longer exists in current policies; setsebool reports it as not defined. Keep SELinux enforcing and fix the label instead.

  3. Validate the configuration without starting the daemon; -N1 parses the main file and everything it includes and reports the file and line of any error

    sudo rsyslogd -N1
  4. Verify client configuration

    Ensure the client has the correct forwarding rule:

    *.*   @<server-ip>:514     # UDP
    *.*   @@<server-ip>:514    # TCP

Once your syslog server is up and running, the next step is making your logs easily searchable, correlated, and audit-ready.

After configuring your syslog server: Enhance monitoring with EventLog Analyzer

Setting up a syslog server in Linux ensures your devices can forward logs to a central destination, but viewing, filtering, correlating, and analyzing those logs still requires significant manual effort.

EventLog Analyzer transforms your configured syslog server into a full-fledged syslog monitoring solution. Instead of relying on terminal-based grep filters, ad hoc scripts, or scattered log files, the solution consolidates all incoming syslog events into a unified log management console. It automatically parses logs based on attributes like severity, facility, and source, making it easier to interpret high-volume data from routers, firewalls, servers, and applications.

Capability              | Your Linux syslog server        | With EventLog Analyzer
Log collection          | Configured                      | Auto-discovery of syslog sources
Viewing logs            | tail -f and grep                | Searchable dashboard with real-time streaming
Filtering               | Manual regex patterns           | Point-and-click filters by IP, severity, facility
Threat detection        | Not available                   | Correlation rules with real-time alerts
Compliance reporting    | Manual log export               | Prebuilt reports for the PCI DSS, HIPAA, ISO 27001
Retention and archiving | Manual logrotate configuration  | Automated, encrypted, tamper-proof archives

Secure and centralized syslog collection

EventLog Analyzer’s built-in syslog listener (UDP/TCP/TLS) securely receives logs from distributed environments and provides metrics such as message rate, device contribution, and packet flow status. This eliminates the need for separate collectors or additional configuration once your Linux syslog server is set up.

From basic log forwarding to intelligent analysis:

  • Centralized log visibility: Aggregate syslog messages from Linux systems and network devices into a single dashboard, no manual navigation across /var/log files.
  • Automated parsing and categorization: EventLog Analyzer structures raw syslogs into readable fields, helping you understand issues quickly without command-line decoding.
  • Instant filtering: Apply real-time filters using IP, severity, keywords, or event types to isolate relevant logs in seconds.
  • Real-time troubleshooting: View streaming syslog events enriched with metadata, giving you real-time troubleshooting similar to tail -f but with actionable intelligence.
  • Threat detection: Detect failed login spikes, configuration tampering, abnormal access attempts, and lateral movement with correlation rules.
  • Compliance reporting: Map syslog events to the PCI DSS, the GDPR, HIPAA, ISO 27001, and other regulations for audit-ready reports.

Once your Linux syslog server is configured, EventLog Analyzer brings centralized visibility, powerful threat detection, and automated workflows, turning raw syslogs into actionable insights.

FAQ

To configure a syslog server in Linux, install or enable a syslog daemon like rsyslog, open its configuration file (for rsyslog, /etc/rsyslog.conf or a file under /etc/rsyslog.d/), and enable modules such as imudp or imtcp to receive remote logs. Then define log-routing rules, set permissions for log directories, restart the service, and allow port 514 through the firewall from your log sources. This turns your Linux machine into a central syslog receiver.

Use the logger command:

logger "Test message"

If remote forwarding is enabled, send a test message to the syslog server using:

logger -n <server_ip> -P 514 "Test message"

Then check the destination log file for the message.

The syslog configuration file is usually located at:

  • /etc/rsyslog.conf
  • /etc/rsyslog.d/*.conf
  • /etc/syslog-ng/syslog-ng.conf

Run systemctl status rsyslog to see whether the syslog service is active. Additionally, you can check log files under /var/log/ or confirm that the rsyslog process is running using ps aux | grep rsyslog.

To send logs to a remote syslog server, edit /etc/rsyslog.conf (or a file inside /etc/rsyslog.d/) and add a forwarding rule like:

*.* @<server_ip>:514 for UDP or
*.* @@<server_ip>:514 for TCP.

Save the file and restart rsyslog to apply the changes.

What's next?

Configured your syslog server? Now centralize and analyze your logs with EventLog Analyzer. Explore the solution with a 30-day free trial, or receive a personalized web demo.


Customer Speaks

  • Credit Union of Denver has been using EventLog Analyzer for more than four years for our internal user activity monitoring. EventLog Analyzer provides great value as a network forensic tool and for regulatory due diligence. This product can rapidly be scaled to meet our dynamic business needs.
    Benjamin Shumaker
    Vice President of IT / ISO
    Credit Union of Denver
  • The best thing I like about the application is the well-structured GUI and the automated reports. This is a great help for network engineers to monitor all the devices in a single dashboard. The canned reports are a clever piece of work.
    Joseph Graziano, MCSE CCA VCP
    Senior Network Engineer
    Citadel
  • EventLog Analyzer has been a good event log reporting and alerting solution for our information technology needs. It minimizes the amount of time we spend on filtering through event logs and provides almost near real-time notification of administratively defined alerts.
    Joseph E. Veretto
    Operations Review Specialist
    Office of Information System
    Florida Department of Transportation
  • Windows Event logs and device Syslogs are a real time synopsis of what is happening on a computer or network. EventLog Analyzer is an economical, functional and easy-to-utilize tool that allows me to know what is going on in the network by pushing alerts and reports, both in real time and scheduled. It is a premium software Intrusion Detection System application.
    Jim Lloyd
    Information Systems Manager
    First Mountain Bank
