Syslog – How to Receive Syslog Logs from a Networked System

Tags: logging, server, syslog

I'd like to configure Ubuntu to receive logs from a DD-WRT router. The router's configuration screen contains the following section:

DD-WRT System Log

and its logging documentation reads:

If you wish to send logs to a remote system, enter the IP address of
that machine which is also running a syslog utility (it needs an open
network socket in order to accept logs being sent by the router).

I've never (knowingly) used syslog before. What do I need to do in Ubuntu to allow it to receive these logs?

Best Answer

The host receiving the logs will need to be running some syslog daemon that is configured to listen for remote logs. There are a number of syslog implementations in Ubuntu, but rsyslog is typically recommended, and should be installed by default. I can't tell from the documentation in the link you posted if DD-WRT is sending logs via TCP or UDP, so it may require some experimentation to find precisely the correct settings, if you are concerned about reducing the number of network-accessible ports on your host.

There are two ways to enable this: the first is simpler, but may require re-integration when the system is upgraded. The second is slightly more complicated, and may cause confusing results if there are significant changes to the syslog configuration as part of an update. I would choose the second, but your preference may vary.

The first is to edit /etc/rsyslogd.conf, and remove the initial # from the following lines:

#$ModLoad imudp
#$UDPServerRun 514

or

#$ModLoad imtcp
#$InputTCPServerRun 514

The second is to create a new file, perhaps named local-enable-tcp.conf in /etc/rsyslog.d/, with the following contents:

# enable TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

If you want to use the separate file approach, and need UDP, change the contents to match the UDP stanza above. The specific filename is not important, but it is recommended to start it with "local-" as this namespace is reserved for local administrator configuration, and it must end with ".conf", as only files ending like this are automatically included in the rsyslog configuration.

If you would prefer to use another syslog implementation, check the configuration and documentation for that implementation: it is likely that the syslog daemon is configured not to listen on the network by default, but example configuration to enable this common case ought to be clearly documented.
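As an added example (not part of the answer above, and not DD-WRT or rsyslog project code), the following script generates the "separate file" variant of the answer's rsyslog stanza for either protocol, adds a `$AllowedSender` line so the new port accepts datagrams only from the router rather than from anything that can reach the host, then checks the configuration and confirms the listener is bound. The router address 192.168.1.1 (the DD-WRT default), the file name `local-enable-remote-<proto>.conf`, and the use of `ufw` for the host firewall are assumptions; change them to match your network.

```bash
#!/bin/sh
# Added example, not from the original answer. Renders and installs an rsyslog
# drop-in that enables remote reception on one protocol, restricted to one sender.
set -eu

# render_rsyslog_remote_conf PROTO PORT ROUTER_IP
# Prints a legacy-format rsyslog stanza (the same directives the answer lists,
# plus $AllowedSender, which must appear before the *ServerRun line it governs).
render_rsyslog_remote_conf() {
    proto=$1; port=$2; router=$3
    case "$proto" in
        udp)
            printf '%s\n' \
                "# enable UDP syslog reception from the router only" \
                '$ModLoad imudp' \
                "\$AllowedSender UDP, 127.0.0.1, $router" \
                "\$UDPServerRun $port"
            ;;
        tcp)
            printf '%s\n' \
                "# enable TCP syslog reception from the router only" \
                '$ModLoad imtcp' \
                "\$AllowedSender TCP, 127.0.0.1, $router" \
                "\$InputTCPServerRun $port"
            ;;
        *)
            echo "unknown protocol: $proto (use tcp or udp)" >&2
            return 2
            ;;
    esac
}

# install_remote_conf PROTO PORT ROUTER_IP [DEST]
# Needs root. Writes the stanza into /etc/rsyslog.d/ (name starts with "local-"
# and ends in ".conf" so rsyslog picks it up), validates the whole config with
# rsyslogd's check mode, restarts the daemon, opens the host firewall for the
# router only, and verifies that something is actually listening on the port.
install_remote_conf() {
    proto=$1; port=$2; router=$3
    dest=${4:-/etc/rsyslog.d/local-enable-remote-$proto.conf}
    render_rsyslog_remote_conf "$proto" "$port" "$router" > "$dest"
    rsyslogd -N1 -f /etc/rsyslog.conf          # syntax check; non-zero exit aborts
    systemctl restart rsyslog
    ufw allow from "$router" to any port "$port" proto "$proto"
    # ss: -l listening sockets, -n numeric, -u UDP / -t TCP
    if [ "$proto" = udp ]; then
        ss -lun | grep -q ":$port "
    else
        ss -ltn | grep -q ":$port "
    fi
    echo "rsyslog now accepting $proto/$port from $router; log lines land in /var/log/syslog"
}

# Stand-alone demo: print the UDP stanza for the assumed router address.
render_rsyslog_remote_conf udp 514 192.168.1.1
```

Run `install_remote_conf udp 514 192.168.1.1` as root (or `tcp` if the router turns out to use TCP), then send a test line from another machine on the LAN with `logger -n <ubuntu-host> -P 514 -d "remote test"` (`-T` instead of `-d` for TCP) and watch for it with `tail -f /var/log/syslog`. If nothing arrives, the protocol guess is the first thing to swap.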