Setting up an rsyslog server on Ubuntu 18.04
Step by step:
- Install rsyslog
apt-get install rsyslog -y
- Check that the rsyslog service is active
systemctl status rsyslog
Output
● rsyslog.service - System Logging Service
   Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-10-22 04:28:55 UTC; 1min 31s ago
     Docs: man:rsyslogd(8)
           RSyslog Documentation
 Main PID: 724 (rsyslogd)
    Tasks: 4 (limit: 1114)
   CGroup: /system.slice/rsyslog.service
           └─724 /usr/sbin/rsyslogd -n

Oct 22 04:28:53 ubuntu1804 systemd[1]: Starting System Logging Service...
Oct 22 04:28:54 ubuntu1804 rsyslogd[724]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.32.0]
Oct 22 04:28:54 ubuntu1804 rsyslogd[724]: rsyslogd's groupid changed to 106
Oct 22 04:28:54 ubuntu1804 rsyslogd[724]: rsyslogd's userid changed to 102
Oct 22 04:28:54 ubuntu1804 rsyslogd[724]: [origin software="rsyslogd" swVersion="8.32.0" x-pid="724" x-info="http://www.rsyslog.com"] start
Oct 22 04:28:55 ubuntu1804 systemd[1]: Started System Logging Service.
- Configure rsyslog
nano /etc/rsyslog.conf
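## Load the UDP and TCP input modules and listen on port 514
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514

## Only accept messages from these senders
$AllowedSender TCP, 127.0.0.1, 192.168.0.0/24, *.example.com
$AllowedSender UDP, 127.0.0.1, 192.168.0.0/24, *.example.com

## Write each host's messages to its own directory, one file per program
$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
## Stop processing these messages here so later rules do not log them again
& ~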
- Check the configuration for syntax errors
rsyslogd -f /etc/rsyslog.conf -N1
Output:
rsyslogd: version 8.32.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
- Restart rsyslog
systemctl restart rsyslog
- Verify that rsyslog is listening on the TCP/UDP port
netstat -4altunp | grep 514
Output:
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      1332/rsyslogd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1332/rsyslogd
- Configure the rsyslog client
nano /etc/rsyslog.conf
## To send logs over UDP, add the following line:
*.* @192.168.0.101:514
## Disk queue for when the rsyslog server is down. These legacy directives
## apply only to the next action, so they go before the TCP forwarding line:
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
## To send logs over TCP, add the following line:
*.* @@192.168.0.101:514
- Restart the rsyslog client
systemctl restart rsyslog
- View the client logs on the server
ls /var/log/rsyslog-client/
Output
CRON.log kernel.log rsyslogd-2039.log rsyslogd.log sudo.log wpa_supplicant.log
Written by: Nanda Anubis
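
For the client configuration step above: legacy $ActionQueue* directives configure only the next action defined after them, so their position relative to the @ / @@ forwarding lines decides whether the disk queue is actually used. The shell function below is an added example, not part of the original tutorial; the names audit_forward_queues and demo and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): for each forwarding action in a
# legacy-syntax rsyslog.conf, report whether queue directives were attached.
# Simplification: any $ActionQueue* directive counts as "a queue was configured".

# audit_forward_queues FILE
# Prints "<target> queued" or "<target> unqueued" per forwarding action, and
# "orphan-queue-directives" if queue settings follow the last action.
audit_forward_queues() {
    awk '
        NF == 0 || substr($1, 1, 1) == "#" { next }        # blank lines, comments
        index(tolower($1), "$actionqueue") == 1 {          # applies to NEXT action
            pending = 1; next
        }
        substr($1, 1, 1) == "$" { next }                   # other legacy directives
        NF >= 2 {                                          # "selector action" line
            if (substr($2, 1, 1) == "@")                   # @host = UDP, @@host = TCP
                print $2, (pending ? "queued" : "unqueued")
            pending = 0                                    # reset after every action
            next
        }
        END { if (pending) print "orphan-queue-directives" }
    ' "$1"
}

# Constructed sample: queue directives written after the forwarding line,
# so they never attach to it.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
*.* @@192.168.0.101:514
$ActionQueueFileName queue
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
EOF
    audit_forward_queues "$tmp"
    rm -f "$tmp"
}
```

Run audit_forward_queues /etc/rsyslog.conf on the client after editing; an "unqueued" TCP target means messages are not buffered to disk while the server is unreachable.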