Configuring Secure UDP and TCP syslog server

Last Updated: Sep 29, 2025

Procedure

  1. Enable syslog reception:
    1. Open /etc/rsyslog.conf in a text editor (for example, vi or nano):
      sudo vi /etc/rsyslog.conf
    2. Locate the lines that load the UDP input module and define its listening port (typically 514), and uncomment them:
      module(load="imudp")
      input(type="imudp" port="514")
    3. Locate the lines that load the TCP input module and define its listening port (typically 514), and uncomment them:
      module(load="imtcp")
      input(type="imtcp" port="514")
  2. Optional: Configure log storage.
    1. Define a template for remote logs so that logs from different hosts are written to separate files or directories. For example, to store the logs of each host in its own file under /var/log/syslog/, add the following line:
      $template PerHostLog,"/var/log/syslog/%HOSTNAME%.log"
    2. Add rules that direct logs to specific files based on their source IP address, facility, or priority. For example, to use the PerHostLog template for all incoming logs:
      *.* action(type="omfile" template="PerHostLog")
    3. To route logs based on the IP address of the sending host, add a rule such as the following, which writes logs from hosts whose address starts with 192. using the PerHostLog template and then stops further processing of those messages:
      if $fromhost-ip startswith '192.' then {
          action(type="omfile" template="PerHostLog")
          stop
      }
  3. Configure the firewall and SELinux.
    1. Open the syslog UDP port in the firewall (for example, with firewalld) to allow incoming traffic on UDP port 514:
      sudo firewall-cmd --add-port=514/udp --permanent
      sudo firewall-cmd --reload
    2. Open the syslog TCP port in the firewall (for example, with firewalld) to allow incoming traffic on TCP port 514:
      sudo firewall-cmd --add-port=514/tcp --permanent
      sudo firewall-cmd --reload
    3. If SELinux is in enforcing mode, ensure that it allows rsyslog to receive logs on UDP port 514:
      sudo semanage port -a -t syslogd_port_t -p udp 514
    4. If SELinux is in enforcing mode, ensure that it allows rsyslog to receive logs on TCP port 514:
      sudo semanage port -a -t syslogd_port_t -p tcp 514
      If semanage reports that the port is already defined, modify the existing mapping with -m instead of adding a new one with -a.
  4. Restart the rsyslog service:
    1. After changing rsyslog.conf, restart the rsyslog service for the changes to take effect. To validate the configuration syntax first, run sudo rsyslogd -N1.
      sudo systemctl restart rsyslog
  5. Confirm that rsyslog is listening on port 514 using ss or netstat:
    sudo ss -tulnp | grep 514
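A listening socket only shows that the ports are open. The following added test client (not code from the original page) sends one syslog message over UDP and one over TCP to the server configured above and checks that both appear in the per-host file written by the PerHostLog template. It assumes the server is reachable at SERVER:514 and that the log directory is /var/log/syslog as in step 2; the host and marker values are constructed for the test.

```python
"""Added test client for the rsyslog server configured above (not the page's
own code); assumes rsyslog at SERVER:514 writing /var/log/syslog/<host>.log."""
import socket
import time

SERVER = "127.0.0.1"         # assumption: run on the rsyslog host itself
PORT = 514
LOG_DIR = "/var/log/syslog"  # directory used by the PerHostLog template

def pri(facility, severity):
    """PRI field of a syslog message: facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity

def build_message(facility, severity, hostname, tag, text):
    """Format '<PRI>Mmm dd hh:mm:ss HOST TAG: MSG' (RFC 3164 layout).
    The %HOSTNAME% file name comes from this header, which the sender sets;
    $fromhost-ip (step 2.3) is the peer address rsyslog itself observes."""
    t = time.localtime()
    ts = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{pri(facility, severity)}>{ts} {hostname} {tag}: {text}"

def send_udp(message, server=SERVER, port=PORT):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode(), (server, port))

def send_tcp(message, server=SERVER, port=PORT):
    # imtcp's default framing is one message per newline-terminated line.
    with socket.create_connection((server, port), timeout=5) as s:
        s.sendall((message + "\n").encode())

def found_in_host_log(hostname, marker, log_dir=LOG_DIR):
    """True if some line of <log_dir>/<hostname>.log contains marker."""
    try:
        with open(f"{log_dir}/{hostname}.log") as f:
            return any(marker in line for line in f)
    except FileNotFoundError:
        return False

if __name__ == "__main__":
    host, marker = socket.gethostname(), f"syslogtest-{int(time.time())}"
    send_udp(build_message(1, 6, host, "udptest", marker))   # user.info
    send_tcp(build_message(1, 6, host, "tcptest", marker))
    time.sleep(1)                                  # let omfile flush the line
    print("received" if found_in_host_log(host, marker) else "MISSING")
```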