In this fun tutorial we’re going to learn how to set up a Raspberry Pi syslog server using a Raspberry Pi and some free open source packages. It only takes a few minutes and it is incredibly useful!

Syslog is short for System Logging Protocol. This protocol is used by computer systems to send local event logs to a central logging server. In large enterprises there can be multiple syslog servers that all aggregate to a central server. Syslog is very common in network devices like routers, firewalls, and switches, but most servers also support a syslog mechanism.

Setting up a Raspberry Pi Syslog Server

There are many types of syslog servers available, ranging from incredibly complex paid systems such as LogLogic and Splunk to just-as-complex free systems like Graylog and Logstash. But we want simple in this project! So we’re going to use the simple and free rsyslog software.

Parts List for this Tutorial

Here’s a handy parts list for you if you don’t already have a Raspberry Pi.  These links cost you nothing, but we earn a tiny commission if you use them. Thank you so much for your support!

For this tutorial we used the Raspberry Pi 4 kit, but even an old Raspberry Pi gen 2 will work for this project.

Getting the Raspberry Pi Syslog Server Ready

Before we install the syslog server software, it is super important that we update the Raspberry Pi operating system to the latest version. 99% of the issues we see with people following our tutorials come from an outdated Raspbian install.

To update Raspbian to the latest version, we need to run the following commands:

sudo apt update
sudo apt upgrade

Once your Raspberry Pi is up to date it’s time to install rsyslog, and it’s only a single command. If you get a message that it’s already installed, then you’re good! Some versions of Raspbian already include this package by default.

sudo apt install rsyslog

Configuring RSYSLOG on the Raspberry Pi

Next up in setting up our Raspberry Pi Syslog server is to configure rsyslog to accept logs from external computers, servers, or devices.  By default it will only accept local logs.

Most systems expect syslog services to listen on port 514. We’re going to set ours up to use this port, but you can certainly pick any open port you prefer. Let’s open the rsyslog configuration file “rsyslog.conf” for editing.

sudo nano /etc/rsyslog.conf

You need to search for four lines in this file and remove the # from the beginning of the line.  Lines with a # in front of them are “commented out”, and are ignored by rsyslog.

#module(load="imudp")
#input(type="imudp" port="514")

#module(load="imtcp")
#input(type="imtcp" port="514")

Simply put, those lines should look like this:

module(load="imudp")
input(type="imudp" port="514")

module(load="imtcp")
input(type="imtcp" port="514")

This enables rsyslog to listen on both UDP and TCP port 514 and accept log messages from external hosts. As written, it accepts messages from any host that can reach the Pi, so keep the Pi on a trusted network segment (or restrict port 514 to your own devices with a firewall rule).

To save the file press CTRL+X, then press Y followed by ENTER.

Setting up RSYSLOG Templates for Raspbian

In order to use our new rsyslog server we need to set up a template (at least one). Templates tell rsyslog in which file to place the log data it receives and what format it will be in.

For this example we’re going to be collecting logs from our firewall. So we’re going to name our config file GeekPubFirewallLog.conf.  Within this file we will define our template and our log file location.

Run the following command:

sudo nano /etc/rsyslog.d/GeekPubFirewallLog.conf

To specify the template we use a configuration line of the form $template NameForTemplate,"DirectoryWhereLogIs/logName.log" (note the closing quote). In our case we’ll enter the following into the configuration:

$template GPFirewallLog,"/var/log/GPFirewall.log"

We just need to add one more line of configuration in order to accept logs from our firewall.  In our example, the firewall would be at an IP address of 192.168.0.1.  Just swap out your IP address in the example.

if $fromhost-ip startswith "192.168.0.1" then -?GPFirewallLog
& stop

With those lines in place, rsyslog knows that any logs from 192.168.0.1 should use the GPFirewallLog template (and thus be stored in the /var/log/GPFirewall.log file). Keep in mind that startswith is a prefix match: "192.168.0.1" also matches 192.168.0.10, 192.168.0.11 and 192.168.0.100, so if other devices on your network have addresses like these, use == for an exact match instead.

Your GeekPubFirewallLog.conf file should look like this when you are complete:

$template GPFirewallLog,"/var/log/GPFirewall.log"
if $fromhost-ip startswith "192.168.0.1" then -?GPFirewallLog
& stop

Save the file by pressing CTRL+X, then press Y followed by ENTER.
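If you would rather generate the two pieces of configuration from a script than type them into nano, here is an added example (not part of the original tutorial) that writes both the listener fragment and the per-source fragment into /etc/rsyslog.d and checks the syntax with rsyslogd -N1 before restarting. It assumes the Pi's LAN address is 192.168.0.10, the firewall is 192.168.0.1 and the LAN is 192.168.0.0/24; the function names are hypothetical. It differs from the hand-edited version in two ways: the listeners are bound to one address and limited to LAN senders with the legacy $AllowedSender directive, and the host filter uses == rather than startswith.

```shell
#!/bin/sh
# Added example (not from the original tutorial): generate hardened rsyslog
# config fragments, validate them, then restart the service.
# Assumed values: Pi LAN address 192.168.0.10, firewall 192.168.0.1,
# LAN 192.168.0.0/24. Function names are hypothetical.

# Listener fragment. Unlike the bare lines uncommented in /etc/rsyslog.conf,
# this binds UDP and TCP port 514 to one local address and only accepts
# senders from the given network ($AllowedSender is a legacy directive and
# must appear before the input() lines it applies to).
listener_conf() {
    bind_ip="$1"      # local address to listen on
    allowed_net="$2"  # network whose hosts may deliver logs
    cat <<EOF
module(load="imudp")
module(load="imtcp")
\$AllowedSender UDP, $allowed_net
\$AllowedSender TCP, $allowed_net
input(type="imudp" port="514" address="$bind_ip")
input(type="imtcp" port="514" address="$bind_ip")
EOF
}

# Per-source fragment, equivalent to GeekPubFirewallLog.conf but with an
# exact host match: startswith "192.168.0.1" would also match 192.168.0.10.
source_conf() {
    name="$1"     # template name, e.g. GPFirewallLog
    src_ip="$2"   # sending host
    logfile="$3"  # destination file for that host's messages
    cat <<EOF
\$template $name,"$logfile"
if \$fromhost-ip == "$src_ip" then -?$name
& stop
EOF
}

# Write both fragments and validate the whole config without starting the
# daemon (rsyslogd -N1 only parses). Restart only if the parse succeeded.
install_conf() {
    listener_conf 192.168.0.10 192.168.0.0/24 > /etc/rsyslog.d/10-listeners.conf
    source_conf GPFirewallLog 192.168.0.1 /var/log/GPFirewall.log \
        > /etc/rsyslog.d/GeekPubFirewallLog.conf
    rsyslogd -N1 && systemctl restart rsyslog
}

# Run as: sudo sh thisscript.sh --install
if [ "${1:-}" = "--install" ]; then
    install_conf
fi
```

Use this instead of uncommenting the imudp/imtcp lines in /etc/rsyslog.conf, not in addition to them: rsyslog refuses to load the same module twice, and rsyslogd -N1 will report that before the restart happens.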

Restart the RSYSLOG Service (or Reboot)

It’s now time to get your Raspberry Pi Syslog server running and using your new template. You can either reboot your Raspberry Pi with the following command:

sudo reboot

or just restart the rsyslog service with this command, without rebooting:

sudo systemctl restart rsyslog

Start Using your Raspberry Pi Syslog Server

We’re now ready to start using our Raspberry Pi Syslog server.  On our pfSense firewall we just need to tell it to send logs to the new server!

Under Status –> System Logs –> Settings we need to enter the IP address and port number of the Raspberry Pi Syslog server.  In our case that will be 192.168.0.10 and port 514 (that we chose above).


Log lines will begin appearing in our /var/log/GPFirewall.log file immediately!

Of course, you can send logs from any server or device that supports remote logging by configuring it to send logs to the IP/Port of your Raspberry Pi!
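A quick way to confirm the server is actually receiving before you point a firewall at it is to send a test message from another machine and look for it in the log file. The script below is an added example, not part of the original tutorial. It assumes the server is 192.168.0.10 on port 514 and the destination file is /var/log/GPFirewall.log; the logger options used (-n, -P, -d, -t) are those of the util-linux logger, and the function names are hypothetical. It also shows what a syslog message looks like on the wire, which helps when a device's logs show up with the wrong facility or severity.

```shell
#!/bin/sh
# Added example (not from the original tutorial): send a test syslog message
# and count how many copies reached the per-source log file.
# Assumed: server 192.168.0.10, port 514, log file /var/log/GPFirewall.log.
# Function names are hypothetical.

# BSD syslog priority value (RFC 3164): facility * 8 + severity.
# Facilities: 0 kern, 1 user, 4 auth, 16..23 local0..local7.
# Severities: 0 emerg, 3 err, 4 warning, 6 info, 7 debug.
syslog_pri() {
    echo $(( $1 * 8 + $2 ))
}

# Build a raw syslog line as it travels on the wire:
#   <PRI>TIMESTAMP HOSTNAME TAG: MESSAGE
# The timestamp is passed in so the result is reproducible.
format_syslog() {
    pri=$(syslog_pri "$1" "$2")
    printf '<%s>%s %s %s: %s' "$pri" "$3" "$4" "$5" "$6"
}

# Send one test line over UDP from the client machine. Uses logger where
# available; otherwise falls back to bash's /dev/udp with a hand-built line.
send_test() {
    server="$1"; port="$2"; tag="${3:-geekpub-test}"
    if command -v logger >/dev/null 2>&1; then
        logger -n "$server" -P "$port" -d -t "$tag" "syslog test from $(hostname)"
    else
        line=$(format_syslog 1 6 "$(date '+%b %e %H:%M:%S')" "$(hostname)" \
               "$tag" "syslog test from $(hostname)")
        bash -c "printf '%s' \"\$1\" > /dev/udp/$server/$port" _ "$line"
    fi
}

# On the Pi: count lines carrying the tag. Prints 0 if the file is missing
# or unreadable (run with sudo, /var/log files are usually root-only).
count_received() {
    logfile="$1"; tag="$2"
    [ -r "$logfile" ] || { echo 0; return; }
    grep -c "$tag" "$logfile" || true
}

# Typical use: send_test 192.168.0.10 514 on the client, then a few seconds
# later on the Pi: sudo sh thisscript.sh && count_received /var/log/GPFirewall.log geekpub-test
```

If the count stays at 0, check the three usual suspects in order: the Pi is not listening (ss -lnup and ss -lntp should both show port 514), a firewall between the client and the Pi drops UDP 514, or the sender's address does not match the filter in GeekPubFirewallLog.conf, in which case the message will have landed in /var/log/syslog instead.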

Getting Help

We try hard to answer any questions and help you get things working.  Leave a comment below and our team and awesome community will pitch in!