
A tutorial on remote logging with rsyslog

August 16, 2011 at 1:49 PM - by Freek Lijten - 17 comments


Why are you logging data? Two reasons come to my mind specifically: statistics and debug information. In the first case, not being able to access your data for a period of time is not that big of a deal; statistics are only significant if you can collect them over a long timeframe. But if a specific server has an all-out breakdown, and one service after another crashes, you want to determine what is happening right now. But then you'd have to have access to your logs over ssh. And this service has just crashed too...

Once again we can count on our OS to offer a solution to this problem. In 2004 Rainer Gerhards started writing rsyslog, a logging daemon which offers remote logging and strong filtering capabilities. This article will cover setting up the system for remote logging and show some examples of possible day-to-day use. I will include the standard syslogs as well as Apache's access and error logs.


Be careful if you start changing your logging setup. Back up relevant data and check that your new setup still functions properly afterwards. This article is just an introduction, not a faultless reference. If you don't know what something means or does, look it up please. Backups of configuration files might come in handy too. If I made a mistake and you found out, please inform me as well.

Logging on Linux: a small and very incomplete history

Back in the days when The Empire Strikes Back was still seen as a masterpiece of special effects, Eric Allman created a logging standard for sendmail. This standard was soon adopted by other programs and became the de facto logging standard for Unix systems. Almost 20 years later syslog-ng, an open source implementation of syslog, emerged. This brought huge improvements in the fields of filtering and configuration. Finally, almost in present times (2004), the aforementioned Rainer Gerhards started writing rsyslog as a competitor for syslog-ng because he thought a competitor was simply necessary.

Getting started

Now this is easy, we're on Linux after all. aptitude install rsyslog should be enough. What you could do is check whether other logging daemons are running on your system (or maybe you already have rsyslog running). You might run into sysklogd and others. You won't need them as we're going to start remote logging. If you check the rsyslog.conf file in /etc you'll see that it is set up for local logging at the moment. For now remove every rule from the file and add only one line:

*.* @

If you now restart rsyslog, every priority of every facility will be sent over UDP to the server whose IP address follows the @. By adding a second @ in front of the first and changing your port you can send using TCP, but I don't mind a log getting lost every now and then so UDP will do just fine. The *.* may be a bit much. If you know that all you are going to do with specific logs is drop them on the receiving server, you might as well drop them on the sending servers and spare the bandwidth. Read onwards to see how.

That is all for syslog purposes, but we still need to get Apache to use syslog as well instead of listening to its own commands. For the error log this is quite simple: we can tell it to use syslog and be finished with it. For the access logs things are a little different. I disabled other logging rules in our Apache setup and put the following rules in /etc/apache2/conf.d/logging.conf (the filename is free to choose, the location isn't):

CustomLog "|/usr/bin/logger -t apache -i -p local6.notice" procurios-syslog
ErrorLog syslog

As you can see the error log isn't that big of a deal, but for the access logs we need to have CustomLog do something peculiar. Every access log line is piped to /usr/bin/logger, which results in the log being received by rsyslog. As you can see the facility (local6) and priority (notice) are also passed along. Finally a specific log format is chosen (procurios-syslog: in this case defined somewhere else in the same file).

So every server is sending syslogs, Apache error logs and Apache access logs to the receiving server. The only problem is: no one is listening there....

Setting up the host

To get the receiving server to listen we need to change its rsyslog.conf file as well. Below is what is needed to listen for UDP on port 514 (there should be a bunch of other stuff in your file; if you installed rsyslog via aptitude it should be there and you only have to uncomment the UDP part).

$ModLoad imudp
$UDPServerRun 514

The configuration above results in exactly three things:

  1. A module is loaded, making our rsyslog setup capable of listening for UDP packets.
  2. An IP address is defined. If this is left out or a * is used, rsyslog listens on all IPs this server knows. In general you probably don't want this; in our case the machine only listens on its local IP, meaning there can be no outside flooding.
  3. The port where rsyslog needs to be listening is defined.

If you restart rsyslog you can then check if your configuration worked. Using the command netstat -nlp you should get a result which looks like this:

udp        0      0 *          16637/rsyslogd

Storing the incoming logs

So every log from every server now arrives at the receiving server. If you want them all in one file, all you need to do is add a single rule to your rsyslog.conf and restart it:

*.* /var/log/oneGiantHeapOfLogs.log

As this is probably exactly what you don't want we'll need some filters. But before we do that I'll need to introduce you to another concept called templates.


Since a lot of servers are sending logs to one machine it won't do to simply filter out local6.notice to /var/log/apache-access.log. You'll want the access logs per server at least! The same goes for other stuff so we'll need a way to dynamically put logs of the same facility into different files. For this purpose templates are used. Below are some examples of what we use:

$template syslog,"/var/log/external/%fromhost%/syslog.log"
$template apacheError,"/var/log/external/%fromhost%/apache/error.log"
$template apacheAccess,"/var/log/external/%fromhost%/apache/%msg:R,ERE,1,ZERO:imp:([a-zA-Z0-9\-]+)\.--end%-access.log"
$template mailError, "/var/log/external/%fromhost%/mail/error.log"

There are two things happening here. First of all you'll notice %fromhost%. This is a placeholder which is dynamically replaced with the DNS-resolved hostname of the machine the current log came from. Other options to use are found here.

The second placeholder (%msg:....) is a bit more obscure, but in the end it is nothing more than a regular expression. Since our servers host multiple implementations it is very convenient to have access logs per implementation. For this we put some information in the LogFormat on the sending machines, which is parsed out here. To see the syntax of regular expressions in templates please read this again, but scroll below the property replacers.

Actual filtering

Since we now have templates resulting in dynamic filenames, we can start the actual filtering. First we filter out Apache's logs:

local7.* ?apacheError
& ~

local6.notice ?apacheAccess
& ~

I'll explain what these lines accomplish. Apache uses local7 to send error logs and we told Apache to use local6.notice for access logs; all we do now is put them in their dynamic files. The question mark is necessary to let rsyslog know a template is following. If an error log comes from v004 it will be put into /var/log/external/v004/apache/error.log; if it comes from v027 it will be stored in /var/log/external/v027/apache/error.log. On the next line (which seems to be necessary in this case) there are an ampersand and a tilde. The tilde tells rsyslog to drop all logs that were filtered out by the preceding command; the ampersand is merely used to connect the two lines.

Since our mailservers are logging remotely too, it would be nice if we get mail related errors in a specific file as well. But I'm only interested in errors from actual mailservers, I don't need specific logs for a postfix on a random virtual machine. This proved to be a little more tricky and I don't know if it is the ideal solution but it is working for me:

if $syslogfacility-text == 'mail' 
and $syslogseverity-text == 'info' 
and $fromhost startswith 'mail' 
then ?mailInfo
& ~

The if-and-then construction can use the same property replacers introduced earlier and can also work with a number of predefined compare operations (isequal, startswith and more). If all conditions are met the log is put into another dynamic file and it is dropped afterwards. Please note that everything up to & ~ must be on a single line. The breaks are there for reading purposes only.

Now our Apache access and error logs are stored in separate files, as well as the error logs from our mailservers. All we want now is the rest of our logs in the syslog file:

*.* ?syslog

This is the last filter in the file, so everything that wasn't caught by earlier filters ends up in the syslog file.
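
The templates and filter order above, emulated in Python as an added example (not part of the original article or of rsyslog itself), showing which file each message ends up in. The sample messages are constructed, and the mailInfo path is an assumption because that template is not among the snippets shown.

```python
import re

# Severity names in syslog order: index 0 is the most severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

BASE = "/var/log/external"
# Regex from the apacheAccess template (POSIX ERE in rsyslog, Python re here;
# for this pattern both behave the same).
IMPL_RE = re.compile(r"imp:([a-zA-Z0-9\-]+)\.")


def impl_name(msg):
    """Emulate %msg:R,ERE,1,ZERO:...--end%: submatch 1, or "0" when nothing matches."""
    m = IMPL_RE.search(msg)
    return m.group(1) if m else "0"


def at_least(severity, threshold):
    """Selector semantics of 'facility.priority': that priority or more severe."""
    return SEVERITIES.index(severity) <= SEVERITIES.index(threshold)


def route(fromhost, facility, severity, msg):
    """Return the file a message lands in, walking the rules top to bottom.

    Every rule but the last is followed by '& ~', so the first match wins
    and the message never reaches the catch-all.
    """
    if facility == "local7":                                   # local7.* ?apacheError
        return f"{BASE}/{fromhost}/apache/error.log"
    if facility == "local6" and at_least(severity, "notice"):  # local6.notice ?apacheAccess
        return f"{BASE}/{fromhost}/apache/{impl_name(msg)}-access.log"
    if facility == "mail" and severity == "info" and fromhost.startswith("mail"):
        # mailInfo is not defined in the snippets; this path is an assumption.
        return f"{BASE}/{fromhost}/mail/info.log"
    return f"{BASE}/{fromhost}/syslog.log"                     # *.* ?syslog


# Constructed sample messages: (fromhost, facility, severity, msg).
SAMPLES = [
    ("v004", "local7", "err", "[error] File does not exist: /var/www/favicon.ico"),
    ("v027", "local6", "notice", 'imp:shop-nl. 192.0.2.10 "GET / HTTP/1.1" 200'),
    # The character class admits no '/' or '.', so this falls back to "0".
    ("v027", "local6", "notice", 'imp:../x. 192.0.2.10 "GET / HTTP/1.1" 200'),
    # info is less severe than notice, so the local6.notice rule does not match.
    ("v027", "local6", "info", 'imp:shop-nl. 192.0.2.10 "GET / HTTP/1.1" 200'),
    ("mail01", "mail", "info", "postfix/smtpd[812]: connect from unknown"),
    ("v004", "mail", "info", "postfix/smtpd[813]: connect from unknown"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample[1]}.{sample[2]:<7} from {sample[0]:<7} -> {route(*sample)}")
```

The part of the access log filename taken from the message is sender-controlled, so the restrictive character class in the template's regex is what keeps path separators out of the resulting filename.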

Wrap up

The configuration lines above are snippets from our actual configuration; not everything is present there. If you want to set up remote logging yourself, take care to keep thinking and take your own situation into account. Having said that, I hope this article will be of use when you decide to start logging remotely!

  1. gauravb wrote on January 14, 2013 at 5:58:28 PM

    I am able to forward the messages from the rsyslog server to the central syslog server in debug mode, and once debug mode is disabled rsyslog doesn't send the messages to the central syslog server and it also doesn't store the incoming messages anywhere within the server.

    I am using spoofing, to make sure the source IP is not changed while forwarding the message to the central server.

    Any idea why this happens?


  2. Erik wrote on May 31, 2013 at 3:20:01 PM

    What does it mean: Apache "uses" local7 to send error logs?
    what is "local7" and where can I find that Apache uses it?

  3. Freek Lijten wrote on June 14, 2013 at 10:11:08 AM

    @gauravb, I can't really say to be honest. It can be all kinds of things in your setup :(

    @Erik local7 (and others) are part of the syslog environment, see the part on facility levels here:

    Apache uses local7 by default as specified here: (search for local7 in that paragraph)

  4. Prabowo wrote on July 2, 2013 at 11:18:20 AM

    I am trying to get my webserver log sent to a PRTG server, but when I add the configuration it shows me the following error.

    [root@colibri ~]# /etc/init.d/httpd restart
    Stopping httpd:                                            [FAILED]
    Starting httpd: Syntax error on line 2 of /etc/httpd/conf.d/logging.conf:
    Invalid command 'error', perhaps misspelled or defined by a module not included in the server configuration

    FYI, I am running

    CentOS 6.2

    It seems that I need to enable some kind of module in httpd/apache.

    Any suggestion will be appreciated.

  5. Aneesh wrote on November 22, 2013 at 8:44:01 PM

    This is sles11 OS and it is not listening on the syslog server IP and UDP port 514. Could you please advise why it is listening.

    slestest:~ # grep -i udp /etc/rsyslog.conf
    $ModLoad imudp
    $UDPServerRun 514
    slestest:~ # tail -2 /etc/rsyslog.conf
    . @

    slestest:~ # netstat -nlp | grep -i syslog
    udp 0 0* 19276/rsyslogd

    slestest:~ # lsof -i :37420
    rsyslogd 19276 root 21u IPv4 23473806 0t0 UDP *:37420


  6. Varun wrote on November 9, 2016 at 7:56:02 AM

    I have configured rsyslog and set the following value

    $template serverlog, "/var/log/TEST/%HOSTNAME%/server.log"

    local4.* ?serverlog

    Now the code will create a folder based on %HOSTNAME%, but I would like to create a folder first on server name (company name) and then HOSTNAME.

    For example: I have 3 servers for 2 different companies, ABCD and xyz, and their 3 server names (hostname) are ...

    Now if I run the above template it will create a different folder according to host name under the /var/log/TEST folder, but I need to create 2 different folders ABCD and XYZ, and the relative hostname will go under the specific directory and create a subfolder.

    For example: it is required to look like this ..

    As I have more than 15 different client servers I cannot do it in one statement.

    How can I use if / else if statements in rsyslog, so I can filter by HOSTNAME and move to a specific folder?

    Is there any suggestion?

    Please advise.

