Rsyslog in Linux: Configuration and setup

What is Rsyslog?

Rsyslog is a high-performance, open-source log collection and forwarding system widely used in Linux environments. It efficiently handles system logs, application logs, network device logs, and security events with strong reliability and flexible routing. Its speed, plugin ecosystem, and extensive configuration options make it suitable for both small setups and enterprise-scale logging.

Rsyslog acts as an enhanced syslog server and client that expands the original syslog standard with features like multi-threaded processing, secure log transport, queue-based reliability, structured log formats, and integration with various storage and analytics platforms. Many Linux distributions ship Rsyslog as the system logging service (often alongside systemd-journald), centralizing log collection from local and remote sources.

How does Rsyslog work?

Rsyslog follows a modular, pipeline-driven architecture comprising three key stages:

  1. Input: Inputs are modules that gather logs from various sources. Examples include imjournal for systemd journals, imtcp for TCP based log streams, imudp for UDP syslog, and imfile for file monitoring. Adjust each input to control how logs enter the system.
  2. Processing: After receiving logs, Rsyslog actively applies filtering and transformation—such as severity and facility filtering, host and application routing, message parsing and normalization, tagging, and queue buffering—using precise filters and rules, giving full control over how each message is processed.
  3. Output: Rsyslog supports a wide range of destinations including files, syslog servers, databases, cloud endpoints, and SIEM tools.

Its multi-threaded design enables parallel processing, making it suitable for high-volume log ingestion across distributed environments.

For example, consider a failed SSH login entry:

Jan 10 11:42:01 server1 sshd[2384]: Failed password for root from 192.168.10.25 port 54532 ssh2

Rsyslog reads this entry through imjournal (or imuxsock where applications write to /dev/log directly), parses the hostname, program name and message text during the processing stage, applies filters or tags (for example, auth-failure), and delivers it to the configured outputs, such as /var/log/secure or a central log server.
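As an added example (not configuration from the original page), the rule below implements that pipeline for the sshd line above in rsyslog's RainerScript. The journal input, the tag string auth-failure, the file /var/log/ssh-failures.log and the forwarding target logserver.example.com are assumptions.

```rsyslog
# Added example: processing-stage filter for the failed SSH login above.
# Assumptions: journal input (RHEL-style), a local file for SSH failures,
# and a central server named logserver.example.com listening on TCP 514.

# Input stage: read the systemd journal. Most distributions already load
# imjournal in /etc/rsyslog.conf, so load it only once.
module(load="imjournal" StateFile="imjournal.state")

# Output format: RFC 3339 timestamp, host, a fixed "auth-failure" tag, message.
template(name="authFailure" type="list") {
    property(name="timereported" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" auth-failure ")
    property(name="msg" droplastlf="on")
    constant(value="\n")
}

# Processing stage: match on the parsed program name and message body rather
# than on the whole raw line. $programname comes from the "sshd[2384]:" tag;
# $msg is the text after it.
if ($programname == "sshd" and $msg contains "Failed password") then {
    # Local copy with the custom tag, next to the distribution's own auth log.
    action(type="omfile" file="/var/log/ssh-failures.log" template="authFailure")
    # Forward the same event to the central collector over TCP.
    action(type="omfwd" target="logserver.example.com" port="514" protocol="tcp")
    # Stop so later catch-all rules do not write it again; drop this line
    # if the event should still appear in /var/log/secure as well.
    stop
}
```

Place the file in /etc/rsyslog.d/ so it is read before the catch-all rules in /etc/rsyslog.conf; otherwise the stop statement has nothing left to suppress.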

Explore our comprehensive syslog guide to understand server basics, log collection methods, and security practices that help you get the most out of your log management.

Rsyslog ports and protocols

Rsyslog uses the standard syslog ports by default:

  • UDP 514 – Traditional syslog (RFC 5426); no delivery guarantee and no encryption
  • TCP 514 – Syslog over plain TCP (RFC 6587); used by convention, although IANA assigns TCP 514 to rsh
  • TCP 6514 – Syslog over TLS (RFC 5425)
  • TCP 20514 – RELP (Reliable Event Logging Protocol), with or without TLS

Customize ports based on your network and security requirements, and restrict the listener with host firewall rules so that only known senders can reach it.

Tip:

In secure environments, use TCP 6514 (syslog over TLS) or RELP on 20514 with TLS enabled. RELP by itself gives reliable delivery but neither confidentiality nor peer authentication; those come from TLS with certificate verification on both sides.

Features of Rsyslog:

Rsyslog includes several capabilities that make it suitable for demanding infrastructure, security, and compliance requirements:

Performance

  • Multi-threaded architecture for high-throughput, parallel log processing.
  • Disk-based and memory-based queues to handle spikes and prevent message loss.
  • Rate limiting to prevent overload and protect log collectors.

Security

  • TLS-encrypted transport with certificate-based (x509) authentication of senders and receivers. Plain TCP adds reliability over UDP but provides neither confidentiality nor authentication.
  • Support for structured formats (JSON, RFC 5424) so that downstream tools parse fields consistently instead of guessing at free text.

Flexibility

  • Parsing and normalization via mmnormalize to standardize diverse log formats.
  • Dynamic templates for creating custom output formats.
  • Support for both legacy and modern syslog standards for full compatibility.
  • Module-based integrations with databases, cloud services, and analytics platforms.

These capabilities allow Rsyslog to function as both a lightweight logger and a full-scale enterprise log router.

Rsyslog configuration

Rsyslog configuration files are located at:

Syntax:

/etc/rsyslog.conf (for global settings)
/etc/rsyslog.d/ (for additional rule files and modular configuration files)
        

Key configuration components:

1. Loading modules

Modules enable specific capabilities such as TCP reception, file monitoring, and database output. Plain-file output (omfile) and the local socket input are built in and need no module() statement.

Syntax:

module(load="imtcp")    # receive syslog over TCP
module(load="imudp")    # receive syslog over UDP
module(load="imfile")   # follow text files written by programs that do not use syslog
module(load="ommysql")  # write to MySQL/MariaDB (separate package on most distributions)
        

2. Defining inputs

Inputs specify how Rsyslog receives logs. For instance:

Syntax:

input(type="imtcp" port="514")
        

This lets the server accept incoming syslog messages over TCP.

3. Writing rulesets

Rulesets group filters and actions. They make it possible to route logs differently based on their source or content. Rulesets are especially helpful when building relay layers or separating security logs from general system logs.
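The following is an added example, not configuration from the original page, showing the ruleset syntax the paragraph describes: two listeners bound to separate rulesets so that security logs never mix with general system logs. The port number 10514, the storage root /var/log/remote/ and the facility split are assumptions.

```rsyslog
# Added example: two rulesets that keep security logs apart from general
# system logs. Assumptions: port 10514 is reserved for security senders
# (firewalls, auth servers) and /var/log/remote/ is the storage root.
module(load="imtcp")

# Each input is bound to a ruleset; messages arriving on it are processed
# only by that ruleset and never by the default rules in /etc/rsyslog.conf.
input(type="imtcp" port="10514" ruleset="security")
input(type="imtcp" port="514"   ruleset="general")

ruleset(name="security") {
    # Only auth/authpriv facilities are expected on this port. Anything else
    # is kept in its own file so it is visible rather than silently mixed in.
    if ($syslogfacility-text == "auth" or $syslogfacility-text == "authpriv") then {
        action(type="omfile" file="/var/log/remote/security.log" fileCreateMode="0640")
    } else {
        action(type="omfile" file="/var/log/remote/security-unexpected.log" fileCreateMode="0640")
    }
}

ruleset(name="general") {
    # Drop chatty debug traffic, store the rest.
    if ($syslogseverity-text == "debug") then stop
    action(type="omfile" file="/var/log/remote/system.log" fileCreateMode="0640")
}
```

If remote messages should also pass through the default rules, add a call statement inside the ruleset; without it, binding an input to a ruleset is a clean way to keep the server's own /var/log files free of client traffic.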

4. Configuring actions

Actions define what happens to messages, including writing them to files, sending them to a remote syslog server, posting them to a cloud endpoint, or inserting them into a database. For instance:

Syntax:

 action(type="omfile" file="/var/log/custom.log")
        

5. Creating templates

Templates allow full control over output formatting, which helps maintain consistent logs for log management tools. Rsyslog’s configuration system is powerful and flexible, which is why many enterprise teams adopt it for large‐scale log routing.

Syntax:

template(name="simpleFormat" type="string"
         string="%timestamp% %msg%\n")
action(type="omfile"
       file="/var/log/simple.log"
       template="simpleFormat")
        

How to set up centralized logging on Linux with Rsyslog

Centralized logging with Rsyslog allows you to aggregate logs from multiple Linux servers into a single location. This not only simplifies monitoring and troubleshooting, but also strengthens security and compliance by ensuring that logs are consistently captured and stored.

Components of centralized logging:

  • Rsyslog server (Central server) – Receives logs from multiple clients.
  • Rsyslog clients (Remote hosts) – Send logs to the central server.
  • Network protocols – TCP or UDP, optionally with TLS for security.

Here’s a step-by-step guide to setting up centralized logging with Rsyslog:

Step 1: Install Rsyslog on all servers

Install Rsyslog on both the client servers and the central server.

  • Debian/Ubuntu:

    Syntax:

    sudo apt update
    sudo apt install rsyslog -y

  • RHEL/CentOS/Fedora (use yum in place of dnf on releases that do not ship dnf):

    Syntax:

    sudo dnf install rsyslog -y

Then, on every host, enable and start Rsyslog so it runs automatically on system boot:

Syntax:

sudo systemctl enable rsyslog
sudo systemctl start rsyslog
            

Step 2: Configure clients to forward logs

Each client server must forward logs to the central server. Edit /etc/rsyslog.conf or create a new file under /etc/rsyslog.d/.

Rsyslog client server configuration example:

Syntax:

*.* @@central-server-ip:514
        
  • *.* -> All facilities and severities.
  • @@ -> TCP for reliable delivery (a single @ means UDP).
  • central-server-ip -> Replace with the IP address or DNS name of your central server.
  • 514 -> Default syslog port.

Restart Rsyslog on the client:

sudo systemctl restart rsyslog
        
Tip:

Use TCP rather than UDP in production; UDP silently drops messages under load. Plain TCP can still lose messages that were buffered when a connection breaks, so where delivery must be guaranteed use RELP, or pair TCP with a disk-assisted action queue on the client.

Step 3: Configure the central server to receive logs

Enable TCP (and, only for devices that cannot send TCP, UDP) reception and define log storage directories.

Central server configuration example:

Syntax:

# Load UDP and TCP modules
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")
# Organize logs per client and program
$template ClientLogs,"/var/log/clients/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log"
*.* ?ClientLogs
        
  • imudp and imtcp → Receive logs over UDP and TCP.
  • template → Saves logs in per-client, per-program folders. HOSTNAME and PROGRAMNAME are taken from the sender's message, so the secpath-replace option rewrites any "/" in them to "_" before they become part of a file path; do not build paths from sender-supplied fields without it.
  • *.* ?ClientLogs → Applies to the server's own local messages as well. Bind the inputs to a ruleset if only remote logs should land in this tree.
Tip:

Enable TLS to secure your Rsyslog message transmission. Refer to our TLS encryption guide for complete setup instructions.


Restart Rsyslog on the central server:

sudo systemctl restart rsyslog
        

Step 4: Test the configuration

  1. Send a tagged test message from a client:

    Syntax:

    logger -t testapp "Test message from client server"
            
  2. Verify it on the central server. With the template above the file is named after the program tag, so testapp here:

    Syntax:

    tail -f /var/log/clients/<client-hostname>/testapp.log
            

In high-volume environments:

  • Enable queues to absorb spikes. The main queue below lives in memory, which protects against bursts but not against a daemon crash or a long outage of the central server; give forwarding actions their own disk-assisted queue (a queue.filename parameter on the action) so buffered messages survive both.
    main_queue(
      queue.type="LinkedList"
      queue.size="10000"
      queue.dequeuebatchsize="1000"
    )
            
  • Spread load across multiple central servers, for example by pointing groups of clients at different collectors.
  • Use log rotation to manage disk space.
  • Apply filters and templates to organize logs and reduce clutter.
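To tie Steps 2 and 3 together with the TLS and queue recommendations above, here is a complete client and server pair as an added example; it is not configuration from the original page. The certificate paths under /etc/rsyslog.d/tls/, the hostnames logserver.example.com and *.example.com, and the work directory /var/spool/rsyslog are assumptions; replace them with your own.

```rsyslog
# ---- Client: /etc/rsyslog.d/10-forward.conf (added example) ----
# Assumptions: a private CA with a per-host certificate in /etc/rsyslog.d/tls/,
# and a collector reachable as logserver.example.com on TCP 6514.
global(
    workDirectory="/var/spool/rsyslog"
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/client.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/client-key.pem"
)

# Forward everything over TLS. The client verifies the server certificate
# against the CA and checks that its name is the expected one.
action(type="omfwd"
       target="logserver.example.com" port="6514" protocol="tcp"
       StreamDriver="gtls" StreamDriverMode="1"
       StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="logserver.example.com"
       # Disk-assisted queue: in memory while the server is up, spilled to
       # disk under workDirectory when it is not, kept across restarts.
       queue.type="LinkedList" queue.filename="fwd-logserver"
       queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
       # Never give up on this action; retry every 10 seconds.
       action.resumeRetryCount="-1" action.resumeInterval="10")

# ---- Server: /etc/rsyslog.d/20-receive.conf (added example) ----
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/server.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/server-key.pem"
)

# TLS listener; only clients presenting a CA-signed certificate whose
# name matches the pattern are accepted.
module(load="imtcp"
       StreamDriver.Name="gtls" StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["*.example.com"])
input(type="imtcp" port="6514" ruleset="remote")

# One directory per sender, one file per program. The directory is keyed by
# the connection's source address rather than the HOSTNAME field, which is
# free text chosen by the sender. PROGRAMNAME is sender-supplied too, so
# secpath-replace turns any "/" in it into "_" before it enters the path.
template(name="ClientLogs" type="string"
         string="/var/log/clients/%FROMHOST-IP%/%PROGRAMNAME:::secpath-replace%.log")

# Bound ruleset: remote messages land here and nowhere else, so they are not
# mixed into the server's own /var/log files.
ruleset(name="remote") {
    action(type="omfile" dynaFile="ClientLogs"
           dirCreateMode="0750" fileCreateMode="0640")
}
```

Check each file with rsyslogd -N1 before restarting. With x509/name on both sides, a peer whose certificate does not chain to the CA or whose name does not match is refused, and the refusal is recorded in rsyslog's own log (journalctl -u rsyslog), which is the first place to look when a client appears to send but nothing arrives.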

Rsyslog vs Syslog-ng

Rsyslog and syslog-ng are popular syslog servers used to collect, process, and forward logs in Linux environments. While both extend traditional syslog functionality, they differ in performance, configuration, and extensibility.

Rsyslog is engineered for high performance and scalability. It leverages a multi-threaded architecture capable of processing large volumes of events per second, making it ideal for dynamic, high-volume environments. Its modular design allows for custom input, parsing, and output handling, and it seamlessly integrates with SIEM solutions such as EventLog Analyzer, Elastic Stack, and Kafka.

On the other hand, syslog-ng focuses on structured configuration and readability. Its block-based configuration (source, destination, filter, log) makes complex setups easy to manage and understand. In many typical configurations, syslog-ng delivers lower throughput compared to Rsyslog. However, it excels in advanced parsing— including pattern matching and JSON support—and offers enterprise features in its commercial edition, making it suitable for compliance-heavy setups.

Feature             | Rsyslog                                                                    | syslog-ng
Architecture        | Modular, multi-threaded, designed for high-volume log processing           | Modular, with structured, object-oriented configuration
Performance         | Highly efficient; benchmarked at over a million messages per second on suitable hardware | Efficient, but less optimized for massive bursts
Configuration style | Flexible; supports both legacy directives and RainerScript                 | Block-style syntax (source, destination, filter, log)
Protocol support    | UDP, TCP, TLS, RELP, HTTP, Kafka                                           | UDP, TCP, TLS, RELP, HTTP, AMQP, Kafka
Security            | TLS via GnuTLS or OpenSSL drivers, with x509 peer authentication           | TLS via OpenSSL, with x509 peer authentication
Extensibility       | Native modules for databases, cloud services, and SIEMs                    | Built-in modules plus commercial plugins (Premium Edition)
Licensing           | Open source (GPLv3, with LGPL and Apache-licensed components)              | Open source community edition (GPLv2) plus a commercial enterprise edition
Use case            | High-throughput environments, distributed setups, SIEM pipelines           | Compliance-driven setups, enterprises requiring premium integrations

Both tools are powerful logging solutions, but Rsyslog’s speed and versatility make it better suited for large-scale, cloud-native environments, while syslog-ng appeals to users who need readable configuration and enterprise support.

How EventLog Analyzer enhances Rsyslog

Rsyslog is a powerful and flexible syslog server for Linux environments, highly efficient for collecting, parsing, and forwarding logs at the system level. However, as environments scale, organizations often need capabilities beyond Rsyslog’s native scope, enriching the data Rsyslog forwards and turning it into actionable insights.

Centralized log management:

EventLog Analyzer seamlessly integrates with Rsyslog by acting as a centralized syslog receiver, ingesting logs from Linux/Unix servers, network devices, firewalls, and applications forwarded through Rsyslog. The solution turns raw syslog data into visual dashboards, trends, and security insights, giving you a complete view of activity across hybrid environments.

Advanced parsing, indexing, and normalization:

While Rsyslog can perform basic filtering and templating, EventLog Analyzer enriches incoming logs with metadata, categorizes events, and builds an indexed store to support fast, intuitive searches across the entire infrastructure.

Real-time alerting and correlation:

EventLog Analyzer extends Rsyslog’s transport capabilities by analyzing incoming logs in real time. It detects suspicious activity, misconfigurations, and security breaches through automated correlation and alerts, helping security teams act swiftly.

Compliance-ready reporting:

EventLog Analyzer simplifies compliance by providing automated reports for key regulations such as PCI DSS, HIPAA, SOX, ISO 27001, and GDPR, eliminating the need for manual effort.

Log retention and forensics:

EventLog Analyzer provides tamper-proof archival, log retention policies, and historical search capabilities, and supports forensic investigations well beyond Rsyslog’s native scope.

By combining Rsyslog’s robust log forwarding with EventLog Analyzer’s advanced analytics and security capabilities, organizations gain a scalable, end-to-end log management workflow.

FAQs:

What is Rsyslog in Linux?

Rsyslog is an advanced logging daemon in Linux used to collect, filter, format, and store system logs. It supports multiple protocols, enables centralized logging, and offers high-performance log processing compared to the traditional syslog daemon. Rsyslog is widely used to monitor system activity, troubleshoot issues, and maintain audit trails across Linux environments.

What is the difference between syslog and Rsyslog?

Syslog is the traditional logging facility on Linux and Unix systems (and the protocol that goes with it). The classic syslog daemon captures basic system and application events and stores them locally. While simple and easy to use, it lacks the advanced features, scalability, and security required for modern enterprise environments.

Rsyslog is an enhanced, enterprise-ready implementation of syslog. It supports high-volume, multi-threaded log processing, advanced filtering, and secure log forwarding over TCP or TLS. Rsyslog can route logs to multiple destinations, including remote servers, databases, or SIEM tools, making it ideal for centralized log management, compliance reporting, and real-time security monitoring.

How do I check Rsyslog logs in Linux?

You can check Rsyslog logs in Linux by viewing the log files stored under /var/log. On Debian/Ubuntu, check /var/log/syslog; on RHEL/CentOS, check /var/log/messages. Use the tail command for real-time monitoring:

Syntax:

sudo tail -f /var/log/syslog
        

You can also use journalctl -u rsyslog to view the daemon's own messages managed by systemd. These commands help verify log collection and troubleshoot Rsyslog issues.

How do I restart Rsyslog?

Restarting Rsyslog ensures that any configuration changes take effect. You can restart the service using either of the following commands:

Syntax:

sudo systemctl restart rsyslog
sudo service rsyslog restart    # on systems without systemd
        

To check the status of Rsyslog, use:

Syntax:

sudo systemctl status rsyslog
        

What's next?

Turn Rsyslog data into actionable insights with EventLog Analyzer. Get centralized log management, real-time alerts, advanced analytics, and secure archiving in one solution.
