Enable remote syslog reception over UDP/514 using a safe rsyslog drop-in, validate syntax,
restart rsyslog, open the firewall, confirm the listener with ss, generate a test message with
logger, verify it lands in /var/log/messages, then create and test a dedicated
logrotate policy for /var/log/acmeapp.log.
A team needs this host to receive syslog over UDP/514 from a legacy device. You must enable
rsyslog UDP reception safely, allow it through the firewall, verify the listener, confirm logs arrive,
then set up logrotate for a custom application log.
Rsyslog config changes can break logging if you introduce syntax errors. Validate configuration with
rsyslogd -N1 before restarting the service.
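- Create an rsyslog drop-in that loads imudp and listens on port 514.
- Validate the configuration with rsyslogd -N1.
- Open 514/udp in firewalld permanently and reload.
- Confirm the listener on UDP/514 with ss.
- Generate a test message with logger and confirm it lands in /var/log/messages.
- Create a logrotate policy for /var/log/acmeapp.log.
- Test the policy with logrotate -d.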
sudo vi /etc/rsyslog.d/10-udp514.conf
Create a dedicated file under /etc/rsyslog.d so the change is isolated and easy to revert.
Add the two lines below.
module(load="imudp")
input(type="imudp" port="514")
sudo rsyslogd -N1
This catches syntax issues before you restart the daemon.
rsyslogd: version 8.2310.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
sudo systemctl restart rsyslog
Restart after validation so you do not take down logging with a broken config.
sudo firewall-cmd --permanent --add-port=514/udp
success
sudo firewall-cmd --reload
success
Permanent changes do nothing until you reload (or restart) firewalld. Always apply and then verify.
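The --add-port rule accepts UDP/514 from any source in the zone, and UDP syslog carries no sender authentication. The following added example (not part of the original lab) swaps the open port for a rich rule limited to the legacy device; 192.0.2.10 is a placeholder address and the function names are assumptions.

```bash
# Added example: restrict UDP/514 to one known sender instead of opening it to all.
# 192.0.2.10 (documentation range) stands in for the legacy device's address.

# rich_rule SRC -> firewalld rich rule text for UDP/514 from SRC (IPv4 address or CIDR)
rich_rule() {
    local src=$1
    # Allow only digits, dots and a prefix slash so nothing can break out of the
    # quoted rule text; firewall-cmd does the full address validation itself.
    case "$src" in
        ''|*[!0-9./]*) echo "invalid source address: $src" >&2; return 1 ;;
    esac
    printf 'rule family="ipv4" source address="%s" port port="514" protocol="udp" accept' "$src"
}

# restrict_syslog_source SRC: remove the blanket port rule, add the scoped one, reload
restrict_syslog_source() {
    local rule
    rule=$(rich_rule "$1") || return 1
    sudo firewall-cmd --permanent --remove-port=514/udp
    sudo firewall-cmd --permanent --add-rich-rule="$rule"
    sudo firewall-cmd --reload
    # Verify: the rich rule is listed and 514/udp no longer appears in --list-ports
    sudo firewall-cmd --list-rich-rules
    sudo firewall-cmd --list-ports
}

# Usage on the receiver:
#   restrict_syslog_source 192.0.2.10
```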
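sudo ss -lunp | grep ':514 '
You want to see an UNCONN UDP socket bound to 0.0.0.0:514 owned by rsyslog. Run ss with sudo: without root, the -p process column is not shown for the root-owned rsyslogd.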
UNCONN 0 0 0.0.0.0:514 0.0.0.0:* users:(("rsyslogd",pid=1019,fd=7))
logger -p local0.notice 'test: UDP syslog receiving enabled'
This creates a clean, timestamped event you can immediately verify in the logs.
Verify the test message in /var/log/messages.
sudo tail -n 8 /var/log/messages
Look for the listener acquisition line and your test message.
Jan 25 07:14:21 lab139 rsyslogd[1019]: imudp: Acquired UDP socket, server will listen on port 514.
Jan 25 07:14:33 lab139 lab[pts/0]: test: UDP syslog receiving enabled
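logger without a remote-server option writes to the local log socket, so the test above confirms the logging pipeline but does not pass through the UDP listener. The following added example (not part of the original lab) builds the kind of datagram a legacy sender emits and sends it to UDP/514; the function names, the udptest tag and the marker text are assumptions.

```bash
# Added example: send one RFC 3164 style datagram to the UDP/514 listener.
# Function names, the "udptest" tag and the marker are assumptions.

# syslog_pri FACILITY SEVERITY -> PRI value (facility * 8 + severity)
syslog_pri() {
    local fac sev
    case "$1" in
        kern) fac=0 ;; user) fac=1 ;; daemon) fac=3 ;; auth) fac=4 ;;
        local[0-7]) fac=$(( 16 + ${1#local} )) ;;
        *) echo "unknown facility: $1" >&2; return 1 ;;
    esac
    case "$2" in
        emerg) sev=0 ;; alert) sev=1 ;; crit) sev=2 ;; err) sev=3 ;;
        warning) sev=4 ;; notice) sev=5 ;; info) sev=6 ;; debug) sev=7 ;;
        *) echo "unknown severity: $2" >&2; return 1 ;;
    esac
    echo $(( fac * 8 + sev ))
}

# build_packet FACILITY SEVERITY HOST TAG MESSAGE -> "<PRI>Mmm dd hh:mm:ss HOST TAG: MESSAGE"
build_packet() {
    local pri
    pri=$(syslog_pri "$1" "$2") || return 1
    printf '<%s>%s %s %s: %s' "$pri" "$(LC_ALL=C date '+%b %e %H:%M:%S')" "$3" "$4" "$5"
}

# send_and_verify TARGET MARKER: send the datagram, then search the log for MARKER.
# Uses bash's /dev/udp redirection, so run it under bash.
send_and_verify() {
    local target=$1 marker=$2
    build_packet local0 notice "$(hostname -s)" udptest "$marker" \
        > "/dev/udp/$target/514" || return 1
    sleep 1   # give rsyslog a moment to write the line
    sudo grep -F -- "$marker" /var/log/messages
}

# Usage on the receiver (unique marker per run):
#   send_and_verify 127.0.0.1 "udp-check-$$"
```

A loopback send exercises the listener only; run the same function from another host with the receiver's address to also exercise the firewall opening.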
Create a logrotate policy for /var/log/acmeapp.log.
sudo vi /etc/logrotate.d/acmeapp
Use a dedicated policy file under /etc/logrotate.d so the application’s rotation rules are explicit and reviewable.
/var/log/acmeapp.log {
    daily
    rotate 7
    compress
    missingok
    notifempty
    create 0640 root root
}
sudo logrotate -d /etc/logrotate.d/acmeapp
Debug mode shows what logrotate would do without making changes. This is the safe way to validate a new policy.
reading config file /etc/logrotate.d/acmeapp
Reading state from file: /var/lib/logrotate/logrotate.status
Handling 1 logs
rotating pattern: /var/log/acmeapp.log after 1 days (7 rotations)
empty log files are not rotated, old logs are removed
consider log /var/log/acmeapp.log
log does not exist -- skipping
“log does not exist -- skipping” is fine here. It proves the policy parsed correctly and would rotate the file once it exists.
If systemctl restart rsyslog fails, re-run rsyslogd -N1, then check journalctl -u rsyslog for the exact parsing error and file/line location.
If ss -lunp does not show :514, confirm your drop-in is readable and that your lines match exactly. Restart rsyslog after fixes, then re-check the socket.
Confirm the sender is targeting this host and that upstream network ACLs allow UDP/514. On the receiver, verify you are looking at the correct log file and confirm messages are being ingested with a fresh logger event.
A debug run will skip rotation if the file does not exist or is empty. Create the log file and add a few lines, then re-run logrotate -d to confirm the rotation logic.
If this was a temporary test, remove the UDP drop-in and close the firewall port after you are done. In a real request, leave the configuration in place and document your verification output.
sudo rsyslogd -N1
sudo systemctl status rsyslog --no-pager
sudo ss -lunp | grep ':514 '
sudo firewall-cmd --list-ports
sudo tail -n 15 /var/log/messages
ss shows rsyslog bound on UDP/514, your logger event appears in /var/log/messages, and logrotate parses your policy cleanly in debug mode.
/etc/rsyslog.d/10-udp514.conf: rsyslog drop-in for UDP reception.
    module(load="imudp"): loads the UDP input module.
    input(type="imudp" port="514"): binds rsyslog to UDP/514.
rsyslogd -N1: validate rsyslog configuration syntax safely.
    -N1: runs a level-1 config validation (no daemon start).
systemctl restart rsyslog: apply config changes.
firewall-cmd --permanent --add-port=514/udp: open UDP/514 persistently.
    --permanent: writes change to the active zone configuration.
    --add-port=PORT/PROTO: adds an explicit port/protocol allowance.
firewall-cmd --reload: apply permanent firewall rules.
ss -lunp: verify UDP listener and owning process.
    -l: show listening sockets.
    -u: show UDP sockets.
    -n: do not resolve names.
    -p: show process info.
logger -p FACILITY.PRIORITY: generate a test syslog event.
    -p: sets facility and priority (example: local0.notice).
tail -n N /var/log/messages: confirm the logging pipeline.
/etc/logrotate.d/acmeapp: per-app logrotate policy file.
logrotate -d FILE: debug a policy without changing files.
    -d: debug (dry-run) mode.