
Configuring Debian to forward syslogs to LogCentral

How to configure your Debian system to forward syslogs to LogCentral: a comprehensive step-by-step guide.

Written by Gonzague Dambricourt
Updated over 2 weeks ago

Prerequisites

To forward syslogs from Debian to LogCentral and benefit from our cloud-based log storage, you'll need:

  • An active LogCentral location which will provide you with the IP & port to which you need to forward your syslogs. Don't forget to configure your own IP address(es) in your location.

  • A Debian System: Ensure you have a Debian-based system with root or sudo privileges.

We have a video showing the different steps, which is nice because it is visual, but the written instructions below will let you copy and paste the commands if needed. Don't forget to adapt them to your environment.

As a reminder, your Location details show information such as the public IP and port of LogCentral to which you need to send your syslogs:

LogCentral - Location Details with IP & Port information

You a

Step 1: Install Rsyslog

Debian typically comes with rsyslog pre-installed. To verify its installation or install it if necessary:

Update Package Lists:

sudo apt-get update

Install Rsyslog:

sudo apt-get install rsyslog -y

Verify Rsyslog Status:

sudo systemctl status rsyslog

Ensure the service is active and running.

Step 2: Configure Rsyslog to Forward Logs

Edit the Rsyslog Configuration File:

Open the main configuration file using a text editor:

sudo nano /etc/rsyslog.conf

Set Up Log Forwarding:

At the end of the file, add the following lines to forward all logs to the remote syslog server, adapting them to your environment:

  • For UDP Transmission:

*.* @remote-syslog-server-ip:514

Replace the log server IP and port with the values given in your LogCentral Location.

  • For TCP Transmission:

*.* @@remote-syslog-server-ip:514

Replace remote-syslog-server-ip with the actual IP address or hostname of your LogCentral syslog server. The single @ symbol denotes UDP, while the double @@ symbols denote TCP.

Configure Disk Queue for Reliable Forwarding (Optional):

To ensure log messages are not lost if the remote server becomes temporarily unavailable, add the following lines directly above the forwarding rule (in this legacy syntax, $Action... directives apply to the next action defined after them):

$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1

These settings configure a disk-assisted memory queue that stores messages until they are successfully sent.

Save and Close the Configuration File:

Press CTRL+O to save and CTRL+X to exit.

Step 3: Restart Rsyslog Service

To apply the changes made:

sudo systemctl restart rsyslog

Step 4: Configure Firewall (If Applicable)

If a firewall is active on your system, ensure that it allows outbound traffic on the port used for syslog (the default is 514, but use the port dedicated to your LogCentral location). For systems using UFW (Uncomplicated Firewall):

Allow Outbound UDP Traffic on Port 514:

sudo ufw allow out 514/udp

Allow Outbound TCP Traffic on Port 514 (If using TCP):

sudo ufw allow out 514/tcp

The out keyword matters: ufw allow 514/udp without it creates an inbound rule, which log forwarding does not need.

Reload UFW to Apply Changes:

sudo ufw reload

Step 5: Verify Log Forwarding

To confirm that logs are being forwarded:

Generate a Test Log Entry:

logger "Test log entry for remote syslog server"

Check Logs in your LogCentral Location:

Verify the presence of the test log entry in the log file and / or in the Live Logs.
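
If the test entry does not arrive, or you want to confirm that the optional disk queue from Step 2 is really attached to the forwarding rule, the check below can help. It is an added example, not part of the original guide or of LogCentral tooling: a shell function that lists each legacy-format forwarding rule (@ for UDP, @@ for TCP) in an rsyslog configuration and reports whether queue directives precede it, since legacy $Action... directives apply only to the next action defined after them. The function names, the sample address 203.0.113.10 and port 6514 are constructed for illustration; RainerScript statements, IPv6 literals and forwarding options in parentheses are not handled.

```shell
#!/bin/sh
# Added example (not LogCentral code): list each legacy-format forwarding rule
# in an rsyslog config and whether a disk-assisted queue applies to it.
# Legacy $Action... directives affect only the next action defined after them.
# Usage: audit_forwarding /etc/rsyslog.conf   (reads stdin when no file given)
# Output per rule: <udp|tcp> <host> <port> <queued|unqueued>
audit_forwarding() {
  awk '
    NF == 0 || $1 ~ /^#/ || $1 ~ /\(/ { next }   # blank, comment, RainerScript
    $1 == "$ActionQueueType"     { qtype = tolower($2); next }
    $1 == "$ActionQueueFileName" { qfile = $2; next }
    $1 ~ /^\$/ { next }                           # any other legacy directive
    NF >= 2 {                                     # selector followed by action
      if ($2 ~ /^@/) {                            # @host = UDP, @@host = TCP
        proto = ($2 ~ /^@@/) ? "tcp" : "udp"
        target = $2; sub(/^@+/, "", target)
        n = split(target, hp, ":")
        port = (n > 1) ? hp[2] : "514"            # rsyslog default port
        queued = (qfile != "" && qtype != "" && qtype != "direct")
        print proto, hp[1], port, (queued ? "queued" : "unqueued")
      }
      qtype = ""; qfile = ""                      # queue settings reset per action
    }
  ' "$@"
}

# Constructed sample: the queue directives sit AFTER the first rule, so they
# do not apply to it; they apply to the second rule instead.
sample_conf() {
  cat <<'EOF'
$WorkDirectory /var/spool/rsyslog
*.* @203.0.113.10:514
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
*.* @@203.0.113.10:6514
EOF
}

sample_conf | audit_forwarding
```

A rule reported as unqueued forwards without the disk-assisted buffer, so messages can be lost while the LogCentral endpoint is unreachable.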

By following these steps, your Debian system should now be configured to forward its syslogs to your LogCentral organization, facilitating centralized log management and analysis.
