Supporting centralized logging efforts by setting up a Centralized Rsyslog system on Linux within an AWS EC2 environment.

Ashique Antony

Managing logs manually across multiple servers is a headache. Centralizing logs with rsyslog simplifies monitoring, improves troubleshooting, and preserves historical data for compliance. It also keeps a copy of every host's logs off-box, so an attacker who gains root on one server cannot erase the evidence that has already been shipped to the collector.

You need at least two Linux EC2 instances (they can run different distributions):

  • Server: The central log collector

  • Client: The machine sending logs

Step 1: Install and Enable rsyslog

On both server and client (most distributions ship rsyslog by default; if `rsyslogd` is not found, install the rsyslog package with your distribution's package manager first):

    rsyslogd -v       # Check version
    sudo systemctl start rsyslog
    sudo systemctl enable rsyslog

Ensure it's running:

    systemctl status rsyslog

Step 2: Configure the Central Server

1. Find its private IP:

       hostname -I

2. Edit /etc/rsyslog.conf to listen on TCP port 514 (the module must be loaded before the input that uses it):

       module(load="imtcp")
       input(type="imtcp" port="514")

3. Define a storage template so logs are organized by sender:

       $template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
       *.* ?RemoteLogs
       & stop

   This writes files such as /var/log/<client_hostname>/sshd.log, creating the per-client directory on first use. %HOSTNAME% is whatever hostname the client puts in the syslog header; on EC2 that defaults to a name derived from the private IP, such as ip-10-0-1-25. `& stop` tells rsyslog to stop processing a message once it has been written (the older `& ~` spelling does the same thing but is deprecated). Put these lines before the other rules in the file, otherwise those rules see the messages first. Note that written this way the rule matches the server's own local messages as well, so they also end up under /var/log/<server_hostname>/ and no longer reach /var/log/syslog.

4. Restart rsyslog:

       sudo systemctl restart rsyslog

5. Open TCP port 514 in the server's security group. Restrict the source to the clients' security group or their private IPs rather than 0.0.0.0/0: plain rsyslog over TCP has no authentication or encryption, so anyone who can reach the port can inject, spoof or flood logs.

Step 3: Configure the Client

On each client:

1. Create /etc/rsyslog.d/50-forward.conf with:

       *.* @@<server_ip>:514

   `@@` sends over TCP to port 514. A single `@` sends over UDP instead, which silently drops messages under load and is trivial to spoof, so stay with TCP.

2. Restart rsyslog:

       sudo systemctl restart rsyslog

Step 4: Validate the Setup

On the server, verify that logs are stored per client by following the files in that client's directory:

    tail -f /var/log/<client_hostname>/*.log

  • The client hostname is the EC2 default hostname, which encodes the private IP (for example ip-10-0-1-25).

  • Optionally, give the client a friendlier hostname for easier viewing, then restart rsyslog on it so the new name is sent:

    sudo hostnamectl set-hostname "<name>"

  • Send a test message from the client with `logger` and confirm it appears in the corresponding file on the server.
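The following script is an added example, not code from the article: it generates the server-side and client-side rsyslog drop-in files for the setup above in rsyslog's RainerScript syntax, tightening three things the legacy lines leave open. The listener is bound to its own ruleset so the per-sender template only sees remote messages and the server's own logs keep flowing to /var/log/syslog; the `secpath-replace` property option turns any `/` a client places in its hostname or program name into `_`, so a hostile sender cannot steer the dynamic file path outside /var/log; and the client forwarder gets a disk-assisted queue so messages are buffered and retried while the collector is down instead of being lost. The file names, the `remote` ruleset name, the queue name, the script name and the IP addresses are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the article): writes the collector and client
# rsyslog drop-ins for the centralized setup. Assumed names: the files
# 10-remote-collector.conf and 50-forward.conf, the "remote" ruleset, the
# "fwd_collector" queue, and the IPs used in the usage comments.
set -eu

# Collector config. The imtcp input is bound to its own ruleset, so "*.*"
# never touches local messages; secpath-replace neutralises "/" in the
# client-supplied hostname and program name before they become a path;
# the listener binds to the private address only; files are not world-readable.
server_conf() {
  local listen_addr="$1"   # collector's private IP, e.g. 10.0.1.10
  cat <<EOF
module(load="imtcp")

template(name="RemoteLogs" type="string"
         string="/var/log/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log")

ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteLogs"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}

input(type="imtcp" port="514" address="${listen_addr}" ruleset="remote")
EOF
}

# Client config. Equivalent to "*.* @@<server_ip>:514" plus a disk-assisted
# queue: while the collector is unreachable, messages are spooled under
# rsyslog's work directory and retried indefinitely rather than dropped.
client_conf() {
  local server_ip="$1"
  cat <<EOF
action(type="omfwd" target="${server_ip}" port="514" protocol="tcp"
       queue.type="LinkedList" queue.filename="fwd_collector"
       queue.saveOnShutdown="on" action.resumeRetryCount="-1")
EOF
}

# Write the drop-in for one role. DIR defaults to /etc/rsyslog.d; pass a
# scratch directory to inspect the output without touching the system.
install_conf() {
  local role="$1" peer_ip="$2" dir="${3:-/etc/rsyslog.d}"
  case "$role" in
    server) server_conf "$peer_ip" > "$dir/10-remote-collector.conf" ;;
    client) client_conf "$peer_ip" > "$dir/50-forward.conf" ;;
    *) echo "usage: $0 server|client <ip> [dir]" >&2; return 2 ;;
  esac
}

# Usage on the collector (then syntax-check with "rsyslogd -N1" and
# "sudo systemctl restart rsyslog"):
#   sudo ./rsyslog-setup.sh server 10.0.1.10
# On each client, then send a test message:
#   sudo ./rsyslog-setup.sh client 10.0.1.10
#   logger -t central-test "hello from $(hostname)"
# Security-group rule scoped to the clients' group instead of 0.0.0.0/0:
#   aws ec2 authorize-security-group-ingress --group-id <collector-sg> \
#       --protocol tcp --port 514 --source-group <clients-sg>
[ $# -eq 0 ] || install_conf "$@"
```

Run `rsyslogd -N1` after installing either file; it parses the whole configuration without starting the daemon, so a typo is caught before the restart takes logging down. The client queue needs rsyslog's work directory (set by `$WorkDirectory`, /var/spool/rsyslog on Debian-derived systems) to be writable by the rsyslog user.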


Written by Ashique Antony

Passionate DevOps Engineer eager to drive innovation by automating workflows, optimizing cloud infrastructure, and enhancing CI/CD pipelines. Seeking an opportunity to collaborate with forward-thinking teams to streamline development and deployment processes for maximum efficiency and scalability.