Proper rsyslog configuration

rsyslog

I'm trying to set up a syslog server but it doesn't appear to be working as intended. My client does not seem to be logging to it.

Server Ubuntu 12.04 (192.168.1.10)

Client Ubuntu 14.04 (192.168.1.26)

Server Config /etc/rsyslog.conf:

    $ModLoad imuxsock
    $ModLoad imklog
    $ModLoad imudp
    $UDPServerRun 514
    $ModLoad imtcp
    $InputTCPServerRun 514
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

    $RepeatedMsgReduction on
    $FileOwner syslog
    $FileGroup adm

    $FileCreateMode 0640
    $DirCreateMode 0755
    $Umask 0022

    $WorkDirectory /var/spool/rsyslog

    $IncludeConfig /etc/rsyslog.d/*.conf

    $template TmplAuth, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"

I did chown syslog:syslog on the /var/log directory and subdirectories.

Client Config /etc/rsyslog.conf:

Added this to the top of the conf file:

    *.* @192.168.1.10:514

Restarted the rsyslog daemon on both hosts; however, no logs seem to be populating on the server in /var/logs.

Any thoughts on what I may be doing wrong?

Best Answer

In my case (Ubuntu 12.04), with a similar configuration, directories were also not being created. Events were being logged into the existing files but without the hostname being tagged, so it was not obvious that it was (almost) working.

I suggest:

  1. Verify that traffic is being received. On the server, try:

    sudo tcpdump tcp port 514

  2. Configure the client to send the correct hostname. Add this line to /etc/rsyslog.conf:

    $LocalHostName [client]

  3. Verify that log entries from [client] are appearing in [server] log files.

  4. Your server config file defines a template named TmplAuth, but nothing is using it. Add this line immediately after it:

    *.* ?TmplAuth

Of course, whenever you change a config file, you'll need to restart rsyslog on that machine.

After the above, my TmplAuth was being applied to all logs (including local): directories were created and a log file for each program generated. This isn't quite what I was after, but represents a big step forward. I'm now looking at changing the template instead of puzzling about why it wasn't working.
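
A traffic check like the one in step 1 only shows packets when the capture filter matches the transport the client uses; in rsyslog's legacy syntax a single `@` forwards over UDP and `@@` over TCP. The following is an added example, not part of the original question or answer: it lists the forwarding rules in a config file and prints the matching tcpdump filter. The function names, the constructed sample config, and the IPv4/hostname-only parsing are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes legacy-syntax
# forwarding rules ("selector @host[:port]") with IPv4 or hostname targets.

# forward_targets FILE: print "proto host port" for each forwarding rule.
forward_targets() {
    awk '
        /^[ \t]*#/ { next }                 # skip commented-out rules
        $2 ~ /^@/ {
            action = $2
            proto = "udp"                   # single @ forwards over UDP
            if (action ~ /^@@/) proto = "tcp"   # @@ forwards over TCP
            sub(/^@+/, "", action)
            sub(/^\([^)]*\)/, "", action)   # drop options such as (o) or (z9)
            host = action
            port = 514                      # default when no :port is given
            if (action ~ /:[0-9]+$/) {
                port = action
                sub(/^.*:/, "", port)
                sub(/:[0-9]+$/, "", host)
            }
            print proto, host, port
        }
    ' "$1"
}

# capture_filters FILE: print the tcpdump filters that match those rules.
capture_filters() {
    forward_targets "$1" | awk '{ print $1 " port " $3 }' | sort -u
}

# Constructed sample: the client rule from the question.
conf=$(mktemp)
cat > "$conf" <<'EOF'
# forward everything to the log server
*.* @192.168.1.10:514
EOF
forward_targets "$conf"
capture_filters "$conf" | sed 's/^/sudo tcpdump -n /'
rm -f "$conf"
```

Run `capture_filters /etc/rsyslog.conf` on the client and use the printed filter with tcpdump on the server.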