
Network Syslog Server

The importance of a syslog server that stores the syslogs from all of your network devices cannot be overstated: the benefits range from the obvious security gain of keeping a copy of the logs in a second location to having alerts set up to notify you of changes in real time. For an enterprise solution with log collection, reporting, and alerting already built in, I would advise something like Splunk, but if your IT department does not have the budget, or you do not need anything fancy and can code some reports yourself, then this is the post you are looking for.

In this post I will go through setting up a Linux server with rsyslogd to store log files. Each log file is named with the IP address the logs came from and the date they came in, so all of the logs from a particular device on a particular day end up in one single file. I find that doing it this way makes it very easy to write grep commands to parse the log files or to build more advanced parsers in Python, and either way you have all the data you need regardless of what the device sends.


Prerequisites

It is assumed that you have a Linux server with SSH installed on your network, and that all of the devices you need to collect syslogs from can reach it on TCP and/or UDP port 514 (the syslog port).


Install rsyslogd

Most modern Linux distributions come with rsyslogd installed and running; if not, you can install it with the following command (Debian/Ubuntu):

sudo apt install rsyslog


Configure rsyslogd

Whether or not you had to install it, you will need to modify rsyslog's configuration so that it accepts syslogs from the network.

Inside /etc/rsyslog.conf, add the following lines of configuration BEFORE the last line, $IncludeConfig /etc/rsyslog.d/*.conf.

# Listen for syslog from the network on UDP and TCP port 514. These input
# modules are not enabled by default and nothing is received without them
# (skip any line your rsyslog.conf already enables)
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514

# One file per host per day. Note that *.* selects everything, so this rule
# also matches the server's own local messages
$template RemoteLogs,"/syslogs/network/%HOSTNAME%_%timereported:::date-month%-%timereported:::date-day%-%timereported:::date-year%.log"
*.*  ?RemoteLogs
& STOP

The $template line configures a template called RemoteLogs (read more on rsyslog templates here); that template specifies the file path and naming structure of the log files for each network device.

The *.* line tells rsyslogd to apply that template to every host that sends a syslog.

The & STOP line tells rsyslogd to stop processing that message against the rest of the configuration.

A more detailed explanation of the template string: notice that I am putting the files in /syslogs/network, which is a separate drive on my system, and then I use variables to build the file name: the host name, then an underscore, then the month number, a dash, the day number, a dash, and the year number, followed by .log.

To help conceptualize this, let's say a log comes in from a device with an IP address of 192.168.10.5 on March 3rd, 2025. That log will be written to /syslogs/network/192.168.10.5_03-03-2025.log.


At this point all you have to do is configure the devices you want to send logs FROM to send them to your rsyslog server's IP address, and you will see log files populating in your target directory; if you need a quick guide for setting up logging on Cisco devices, check out my post here. The following day, when a device sends a new log, rsyslog will automatically create a new file for that host containing that day's logs, so the log file rolls over each day and you can cycle old files out of the system with logrotate or a simple bash script on a cron job. In the context of network devices this is often not much of an issue, as the log files are relatively small; however, if you have systems that generate several hundred megabytes or several gigabytes of data in a day, you may want to consider changing your naming structure to exclude the date and use logrotate to rotate the files based on size.
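As an added example (not part of the original post), here is the kind of small Python parser mentioned earlier, working over the daily files that the RemoteLogs template produces: it picks the files for one day from a directory listing and summarizes Cisco IOS style "%FACILITY-SEVERITY-MNEMONIC:" tokens, flagging configuration changes. The Cisco message format and the sample file names and log lines are assumptions constructed for the example.

```python
import re
from collections import Counter
from datetime import date

# File name layout written by the RemoteLogs template: <host>_MM-DD-YYYY.log
FILENAME_RE = re.compile(r"^(?P<host>.+)_(?P<mm>\d{2})-(?P<dd>\d{2})-(?P<yyyy>\d{4})\.log$")
# Cisco IOS message token such as "%SYS-5-CONFIG_I:" (assumed device format)
CISCO_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):")

def parse_filename(name):
    """Return (host, 'YYYY-MM-DD') for a daily log file name, or None if it doesn't match."""
    m = FILENAME_RE.match(name)
    if not m:
        return None
    return m["host"], date(int(m["yyyy"]), int(m["mm"]), int(m["dd"])).isoformat()

def files_for_day(names, iso_day):
    """Map host -> file name for every device that logged on the given day."""
    selected = {}
    for name in names:
        parsed = parse_filename(name)
        if parsed is not None and parsed[1] == iso_day:
            selected[parsed[0]] = name
    return selected

def summarize(lines):
    """Count (facility, severity, mnemonic) tokens (severity 0 = most severe) and
    collect every CONFIG_I line, i.e. someone entered configuration mode."""
    counts, config_changes = Counter(), []
    for line in lines:
        m = CISCO_RE.search(line)
        if m is None:
            continue  # not a Cisco-style message, skip it
        counts[(m["fac"], int(m["sev"]), m["mnem"])] += 1
        if m["mnem"] == "CONFIG_I":
            config_changes.append(line.strip())
    return counts, config_changes

# Constructed sample directory listing and log lines (not real captures)
SAMPLE_NAMES = ["192.168.10.5_03-03-2025.log", "192.168.10.6_03-03-2025.log", "192.168.10.5_03-02-2025.log", "notes.txt"]
SAMPLE_LINES = [
    "Mar  3 14:02:10 192.168.10.5 45: *Mar  3 14:02:09.881: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.20)",
    "Mar  3 14:05:31 192.168.10.5 46: *Mar  3 14:05:30.120: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "Mar  3 14:05:33 192.168.10.5 47: *Mar  3 14:05:32.004: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "Mar  3 14:10:00 192.168.10.5 rsyslogd: line without a Cisco token",
]

if __name__ == "__main__":
    print(files_for_day(SAMPLE_NAMES, "2025-03-03"))
    counts, changes = summarize(SAMPLE_LINES)
    print(dict(counts), changes)
```

Note that %HOSTNAME% in the template is whatever name the device puts in its syslog header, so a device configured with a hostname is filed under that name rather than its IP; if you want the file named by the sender's address regardless, use %FROMHOST-IP% in the template instead.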
