Oracle Cloud VPS: Rsyslog Centralized Log Server

RSYSLOG is a rocket-fast system for log processing.
It can act as a centralized point to collect syslog from multiple servers or network devices.

1. Install rsyslog and other useful packages.

sudo apt-get install rsyslog logrotate dnsutils wget nano cron

2. On your server, set up /etc/rsyslog.d/remotelog.conf to receive remote logs over UDP or TCP.

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception (uncomment to use TCP instead of, or in addition to, UDP)
#module(load="imtcp")
#input(type="imtcp" port="514")

# rsyslog template for incoming remote logging: one directory per sending host,
# one file per program name
$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
# uncomment the next line to stop remote messages from also being written to the local /var/log/syslog
#& stop

3. Restart rsyslog service.

sudo systemctl restart rsyslog

4. Configure the iptables firewall (/etc/iptables/rules.v4) to accept the rsyslog connection. The rule below covers UDP only; if you enable the TCP input, add the equivalent rule with -p tcp.

-A INPUT -p udp --dport 514 -j ACCEPT

5. Also add an ingress rule for the same UDP/TCP port in the Oracle Cloud VCN, restricting the source to the addresses of your clients rather than 0.0.0.0/0.

6. On each client, install the rsyslog package and set up /etc/rsyslog.d/remotelog.conf to send logs to the central server over UDP or TCP.

#replace IP with your rsyslog centralized server
*.* @xxx.xxx.xxx.xxx:514 #UDP syslog transmission
#*.* @@xxx.xxx.xxx.xxx:514 #TCP syslog transmission

7. Monitor /var/log/syslog on the server for incoming logs; with the template above they are also written under /var/log/<hostname>/.

8. Create /etc/logrotate.d/rsyslog-remotelog to housekeep your remote logs. I modified it from the default /etc/logrotate.d/rsyslog. Configure it based on your own requirements.

/var/log/pihole/*.log
{
        rotate 7
        daily
        missingok
        notifempty
        delaycompress
        compress
        postrotate
                /usr/lib/rsyslog/rsyslog-rotate
        endscript
}

9. Restart logrotate service with the new settings.

sudo systemctl restart logrotate
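To see how the RemoteLogs template in step 2 turns a received datagram into a file path, here is an added Python example (not part of this post or of rsyslog) that parses RFC 3164 syslog messages the way the clients above send them and resolves /var/log/%HOSTNAME%/%PROGRAMNAME%.log. The sample datagrams are constructed; the sanitising step is my own, in the spirit of rsyslog's secpath-drop template option, because the hostname and program fields come from the unauthenticated sender.

```python
import re

# Constructed sample UDP datagrams in RFC 3164 format (not captured from real hosts).
SAMPLES = [
    b"<34>Oct 11 22:14:15 pihole sudo: pam_unix(sudo:session): session opened",
    b"<13>Oct 11 22:14:16 webserver nginx[1234]: GET /index.html 200",
    b"<13>Oct 11 22:14:17 ../../etc evil: hostname field is sender controlled",
]

SYSLOG_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>"                              # PRI = facility*8 + severity
    rb"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "    # RFC 3164 timestamp
    rb"(?P<host>\S+) "                                   # HOSTNAME, as claimed by the sender
    rb"(?P<tag>[^:\[\s]+)(?:\[\d+\])?:\s?"               # TAG[pid]: -> rsyslog PROGRAMNAME
    rb"(?P<msg>.*)$",
    re.DOTALL,
)


def parse(datagram):
    """Split one syslog datagram into its fields; return None if it is malformed."""
    m = SYSLOG_RE.match(datagram)
    if not m:
        return None
    pri = int(m["pri"])
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "host": m["host"].decode(errors="replace"),
        "program": m["tag"].decode(errors="replace"),
        "msg": m["msg"].decode(errors="replace"),
    }


def safe_component(value):
    """Strip path separators and leading dots so a sender-supplied field stays inside the log dir."""
    cleaned = re.sub(r"[/\\]", "", value).lstrip(".")
    return cleaned or "unknown"


def log_path(record, base="/var/log", sanitize=True):
    """Resolve the page's template /var/log/%HOSTNAME%/%PROGRAMNAME%.log for one record."""
    host, prog = record["host"], record["program"]
    if sanitize:
        host, prog = safe_component(host), safe_component(prog)
    return f"{base}/{host}/{prog}.log"


if __name__ == "__main__":
    for datagram in SAMPLES:
        rec = parse(datagram)
        print(log_path(rec), "<-", log_path(rec, sanitize=False))
```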