How to configure Ubuntu to log to a remote syslog server

I just installed a new Syncology 814 server in our rack to give us some more storage for backups. It is very simple to use and well made. While browsing through the software that comes with the NAS, I discovered it has a centralised syslog server. Instructions for installing the Syncology syslog server are here:

I’ve always wanted to centralise the syslogs of my servers to help with debugging. The key reasons are to ensure that we have logs in the event a server is hacked and, if a virtual machine crashes, to be able to review the logs before restarting it.

Anyhow, I found it hard to find instructions for configuring Ubuntu 12.04 to send its syslog messages to the syslog server. As always – it is really simple when you know how.

Ubuntu uses a service called rsyslogd.  Its configuration file is located at:

/etc/rsyslog.d/50-default.conf

This file tells the daemon where to log each type of message. For example – the following entry means that all cron messages are sent to /var/log/cron.log:

cron.* /var/log/cron.log

If you want the cron messages to also be sent to our new remote syslog server, then you can add this entry:

cron.* @syslogserverhostname:514

To keep it really simple – I wanted all my messages sent to the syslog server. Why not – you can always filter them later. I simply added:

*.* @syslogserverhostname:514

You need to restart rsyslogd for the settings to take effect.

service rsyslog restart

Voila.  Happy Syslogging.
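An added example, not part of the original post: a shell function that lists the discard and forwarding rules under /etc/rsyslog.d in the order rsyslog reads them, and warns when a forwarding line like the ones above sits behind a discard rule in a lower-numbered file (the situation described in the first comment below). It also reports the transport: a single `@` forwards over UDP, `@@` over TCP. The function name `audit_rsyslog_dir`, its output format and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit rsyslog drop-in files for forwarding and discard rules.
# Exit status: 0 = ok, 1 = a forward sits behind a discard rule, 2 = no forward.
audit_rsyslog_dir() {
    dir=${1:-/etc/rsyslog.d}
    # The glob expands in sorted order, the same order in which rsyslog reads
    # the files pulled in by "$IncludeConfig /etc/rsyslog.d/*.conf".
    set -- "$dir"/*.conf
    [ -e "$1" ] || { echo "no .conf files in $dir" >&2; return 2; }
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        { file = FILENAME; sub(/.*\//, "", file) }
        $NF == "~" || $NF == "stop" {        # legacy and newer discard actions
            printf "DISCARD %s:%d %s\n", file, FNR, $0
            if (discard == "") discard = file ":" FNR
            next
        }
        $NF ~ /^@/ {                         # @host = UDP, @@host = TCP
            proto = ($NF ~ /^@@/) ? "tcp" : "udp"
            printf "FORWARD %s %s:%d %s\n", proto, file, FNR, $0
            forwards++
            if (discard != "") {
                printf "  WARNING: messages dropped at %s never get here\n", discard
                shadowed++
            }
        }
        END {
            if (!forwards) { print "no forwarding rule found"; exit 2 }
            exit (shadowed ? 1 : 0)
        }
    ' "$@"
}

# Constructed sample files, not copied from a real system.
demo=$(mktemp -d)
printf '%s\n' '# constructed discard rule' '*.info ~' > "$demo/25-discard.conf"
printf '%s\n' 'cron.* /var/log/cron.log' '*.* @syslogserverhostname:514' \
    > "$demo/50-default.conf"
audit_rsyslog_dir "$demo" || echo "audit exit status: $?"
rm -rf "$demo"
```

On a real host, run `audit_rsyslog_dir` with no argument to check /etc/rsyslog.d itself.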

8 thoughts to “How to configure Ubuntu to log to a remote syslog server”

  1. Hi team, been struggling with Ubuntu12 appliances from McAfee (SVA MOVE) to get them to trap to our central syslogng server. All other servers like ESXi are trapping perfectly to our syslogng hub. I added the *.* statement to the end of /etc/rsyslog.d/50-default.conf and restarted services. The appliances don’t have telnet or much else you can use to troubleshoot. Logger messages don’t arrive at syslogng, how do I troubleshoot? I am very new to Linux.

    Was thinking perhaps 514 is blocked, I did also see there is a service called SVA-Firewall, some sort of proprietary thing but it simply refers to iptables and all looks open.

    Any help please?

    1. Haha, ended up being /etc/rsyslog.d/25-discard.conf, I hashed out the discard *.info and *.debug, and it works now, not sure if this is a good idea, but looks like it works. Sorry, as I said, I am new to this
