Setting up your Raspberry Pi as a Syslog Server

Emmet Avatar by Emmet
Updated
Beginner IoT Network

This Raspberry Pi project will show you how you can utilize your Raspberry Pi as a syslog server.

Raspberry Pi syslog Server

Syslog is a protocol used by various computer systems to send logs back to a central syslog server.

It is commonly implemented in devices such as a network router, allowing you to log to devices such as your Raspberry Pi.

Setting your Raspberry Pi to accept syslog messages is a very straightforward task.

To achieve this, we will be utilizing the open-source and free rsyslog software.

Equipment

Below is a list of the equipment we used to set up our Raspberry Pi as a syslog server.

Recommended

Optional

We tested this tutorial on the Raspberry Pi 400 using the latest release of the Buster version of Raspberry Pi.

Preparing your Raspberry Pi to be a Syslog Server

Before we get too far ahead of ourselves, let us do some necessary preparatory work to set our Raspberry pi up as a syslog server.

While preparing your Raspberry Pi, you should also configure it to use a static IP address.

1. We should always start by updating our operating system.

This ensures when we set up the syslog server software on our Raspberry Pi, we have an updated base to work off.

Run the following two commands on your system to update the package list and any installed packages.

sudo apt update
sudo apt full-upgrade

2. The rsyslog package that we will be using should be installed if you are using Raspberry Pi OS.

However, just in case the software isn’t currently installed, use the following command to install it.

sudo apt install rsyslog

Configuring Rsyslog to act as a Server

Now that the Raspberry Pi has been prepped, we can finally reconfigure the Rsyslog software to act as a syslog server.

Enabling Syslog to Allow Outside Messages

We need to modify our Raspberry Pi’s syslog config so that it will listen for messages on port “514“.

1. By default, Rsyslog is not configured on your Raspberry Pi to listen for any syslog messages.

To change this behavior, we need to make changes to the software’s configuration file.

Begin editing the config file using the nano text editor by running the following command.

sudo nano /etc/rsyslog.conf

2. Within this file, you need to find and uncomment the following lines.

You can uncomment the lines by removing the hashtag (#) in front of them.

You need to remove the hashtag from the following lines.

#module(load="imudp")
#input(type="imudp" port="514")

#module(load="imtcp")
#input(type="imtcp" port="514")

Once done these lines should end up looking like the following.

module(load="imudp")
input(type="imudp" port="514")

module(load="imtcp")
input(type="imtcp" port="514")

By doing this, we are reconfiguring the rsyslog software to allow syslog messages via both the UDP and TCP protocols to our Raspberry Pi.

3. We can save the file by pressing CTRL + X, followed by Y, then the ENTER key.

Creating a New Template

Now that our Raspberry Pi’s syslog server is configured to accept outside messages, we need to create a template.

This template will tell syslog where to route the messages it’s receiving. For this, you will need to know your device’s IP address.

1. Next, we need to create a config file within the “/etc/rsyslog.d” directory. Any config file we write within this directory will be read automatically be rsyslog when we restart it.

Within this file, we will define a new template. Additionally, we will also need to specify some configuration to route syslog messages to our new log file.

For this example, we will call this file “pimylifeupRouterLog.conf“. You can give this file any name you want, but it must end in “.conf“.

sudo nano /etc/rsyslog.d/pimylifeupRouterLog.conf

2. Within this file, we will need to enter some new lines.

The first thing we are going to do is define a new template.

A template utilizes the following format and tells the syslog server where to save the logs to.

$template NameForTemplate, "DirectoryWhereLogIs/logName.log

For our file, we will be giving this template the name “routerlog” with the log file to be stored at “/var/log/router.log“.

$template routerlog, "/var/log/router.log"

3. To route the syslog messages to our new template, we need to do some extra configuration.

For this, we are going to utilize the following lines.

You will need to swap out “IPADDRESSTOUSE” with the IP of the device you are expecting to receive the syslog messages from.

Additionally, you will need to also swap out “templatename” with the name you specified in the previous step.

if $fromhost-ip startswith "IPADDRESSTOUSE" then -?templatename
& stop

In our case, we will use the IP address “192.168.0.1” and the template name “routerlog“.

if $fromhost-ip startswith "192.168.0.1" then -?routerlog
& stop

4. Once you are done, the file should end up looking like something we have below.

$template routerlog, "/var/log/router.log"

if $fromhost-ip startswith "192.168.0.1" then -?routerlog
& stop

You can save the file by pressing CTRL + X, then Y, followed by the ENTER key.

Restarting rsylog on your Raspberry Pi

Now that we have configured our Raspberry Pi’s syslog server to receive outside messages, we need to restart it.

We need to restart the service so that it reads in all of our configuration changes.

Restarting the service is as straightforward as using the following command in the terminal.

sudo systemctl restart rsyslog

Conclusion

At this point, you should now have successfully set up your Raspberry Pi as a syslog server.

All you need to do now is enable the syslog protocol on the device you are using and point it towards your Raspberry Pi’s IP.

The Raspberry Pi will start receiving the log messages from the device and start saving them to the log file you specified for that template.

If you are having any issues with getting this to work, please leave a comment below.

Also, check out some of our other Raspberry Pi server or IoT projects.

Recommended

Steam Deck GeForce NOWHow to use GeForce Now on the Steam Deck
Raspberry Pi Node-RED InstallationInstalling Node-Red on a Raspberry Pi
PHP count functionUsing the count() Function in PHP
PHP array is emptyHow to Check an Array Is Empty in PHP
Raspberry Pi ParsecSetting up Parsec on the Raspberry Pi
Raspberry Pi UFWUsing the UFW Firewall on the Raspberry Pi

3 Comments

  1. Avatar for ADAM
    ADAM on

    One thing isn’t clear in these instructions. It states that we can name the config anything we want (ie pimylifeupRouterLog.conf), but when we restart the deamon what is going to make it read that file? There is another default file in the folder already. What will make it read my new one or does it read every conf file in the folder?

    Reply
    1. Avatar for Emmet
      Emmet on
      Editor

      Hi Adam,

      The rsyslog software will read every config file that is saved in to the “/etc/rsyslog.d/” directory. You don’t have to configure anything to get it to read this config file.

      I’ll update the guide to give a brief explanation of this behaviour.

      Kind regards,
      Emmet

  2. Avatar for Dariusz
    Dariusz on

    Thanks for the tutorial!

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *