Configure a Linux host as a central logging server using rsyslog. Enable UDP syslog ingestion on port 514, restart safely, and verify the UDP listener is active.
You need to configure a Linux machine as a central logging receiver using rsyslog. The system must accept inbound syslog messages over UDP port 514 so other hosts can forward logs to it.
Central logging is baseline infrastructure. Before you tune retention, filtering, or upstream forwarding, you first need a reliable receiver and proof that it is bound to the expected transport and port.
imudp input module and binding port 514.
514.LISTEN state; validate by confirming a UDP bind to :514.
# Debian/Ubuntu
sudo apt update
sudo apt install -y rsyslog
# RHEL / Fedora / CentOS
sudo dnf install -y rsyslog
# or (older flows)
sudo yum install -y rsyslog
# Arch
sudo pacman -S rsyslog
Installing rsyslog provides the daemon, default configuration, and systemd unit needed for local log processing and remote reception.
# Example result (varies by distro):
# rsyslog installed successfully.
# Open the main config with your editor:
sudo nano /etc/rsyslog.conf
# or
sudo vim /etc/rsyslog.conf
To accept remote syslog messages over UDP, rsyslog must load the UDP input module and define an input listener on port 514. In many default configs, these lines exist but are commented out.
# Ensure these lines exist and are NOT commented:
module(load="imudp")
input(type="imudp" port="514")
sudo systemctl restart rsyslog
Restarting reloads the configuration and activates the UDP input. If rsyslog fails to start, inspect service status and logs for syntax errors.
# Quick verification:
systemctl status rsyslog --no-pager
sudo ss -lunp | grep -E ':\b514\b' || true
This is the network-level proof that the host is ready to receive inbound syslog traffic over UDP 514. You may see both IPv4 and IPv6 binds.
# Example output (varies):
UNCONN 0 0 0.0.0.0:514 0.0.0.0:* users:(("rsyslogd",pid=1234,fd=5))
UNCONN 0 0 [::]:514 [::]:* users:(("rsyslogd",pid=1234,fd=6))
logger -n 127.0.0.1 -P 514 -d "exit_0: rsyslog UDP receiver test"
This confirms the end-to-end path: a syslog client sends a UDP message to the receiver. Then check your system logs to confirm the message was ingested.
# One common place to confirm (varies by distro):
sudo tail -n 50 /var/log/messages
# or
sudo tail -n 50 /var/log/syslog
Confirm the imudp lines are present and uncommented, then restart rsyslog. Verify you are checking UDP sockets (use ss -lunp, not TCP).
Check systemctl status rsyslog and journalctl -u rsyslog. Config syntax errors are the most common cause after edits.
Log file paths vary by distro. Check /var/log/syslog (Debian/Ubuntu) or /var/log/messages (RHEL-family) and also consider journalctl.
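The troubleshooting checks above, combined into one script (an added example, not part of the original page): it confirms both imudp lines are uncommented, syntax-checks the config with `rsyslogd -N1` before restarting, and confirms that rsyslogd owns the UDP :514 bind. Assumptions: the imudp lines are in /etc/rsyslog.conf rather than a drop-in file, and the function names, the `check.sh` file name and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-restart and post-restart checks for an imudp receiver.

# Succeeds only if stdin (an rsyslog config) has BOTH imudp lines uncommented.
# Matches only the module()/input() syntax shown on this page.
has_imudp_config() {
    awk '
        /^[ \t]*#/ { next }
        /module\([ \t]*load="imudp"/ { mod = 1 }
        /input\([ \t]*type="imudp"/ && /port="514"/ { inp = 1 }
        END { exit !(mod && inp) }
    '
}

# Reads `ss -lunp` output on stdin, prints each process name bound to UDP :514.
# Checks field 4 or 5 because ss adds a Netid column in some invocations.
udp514_owners() {
    awk '
        ($4 ~ /:514$/ || $5 ~ /:514$/) && match($0, /users:\(\("[^"]+"/) {
            print substr($0, RSTART + 9, RLENGTH - 10)
        }
    ' | sort -u
}

# Constructed sample: the ss lines from this page plus an unrelated port 5514.
sample_ss() {
cat <<'EOF'
UNCONN 0 0 0.0.0.0:514 0.0.0.0:* users:(("rsyslogd",pid=1234,fd=5))
UNCONN 0 0 [::]:514 [::]:* users:(("rsyslogd",pid=1234,fd=6))
UNCONN 0 0 127.0.0.1:5514 0.0.0.0:* users:(("other",pid=99,fd=3))
EOF
}

# Constructed samples: a default (commented-out) config and an enabled one.
sample_conf_default() { printf '%s\n' '#module(load="imudp")' '#input(type="imudp" port="514")'; }
sample_conf_enabled() { printf '%s\n' 'module(load="imudp")' 'input(type="imudp" port="514")'; }

# Live use on the receiver: sh check.sh live
if [ "${1:-}" = "live" ]; then
    has_imudp_config < /etc/rsyslog.conf || { echo "imudp lines missing or commented" >&2; exit 1; }
    sudo rsyslogd -N1 || exit 1      # syntax check; skip the restart if it fails
    sudo systemctl restart rsyslog
    owners=$(sudo ss -lunp | udp514_owners)
    [ "$owners" = "rsyslogd" ] || { echo "UDP 514 owner: ${owners:-none}" >&2; exit 1; }
    echo "rsyslogd is bound to UDP 514"
fi
```

Running the syntax check before the restart keeps the existing rsyslog instance up when an edit introduced an error.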
If this is a lab-only receiver, disable the service when you’re done. Remove packages only if you don’t need rsyslog installed.
# Stop/disable
sudo systemctl disable --now rsyslog
# Optional: remove package (choose your distro)
# Debian/Ubuntu
# sudo apt remove -y rsyslog
# RHEL-family
# sudo dnf remove -y rsyslog
# Arch
# sudo pacman -R rsyslog
apt install rsyslog: Install rsyslog on Debian/Ubuntu.
  -y: assume “yes” to prompts
dnf install rsyslog: Install rsyslog on RHEL-family systems.
  -y: assume “yes” to prompts
pacman -S rsyslog: Install rsyslog on Arch.
/etc/rsyslog.conf: Primary rsyslog configuration file on many distros.
module(load="imudp"): Load the rsyslog UDP input module.
input(type="imudp" port="514"): Bind rsyslog UDP input to port 514.
systemctl restart rsyslog: Restart rsyslog to apply configuration changes.
journalctl -u rsyslog: View rsyslog logs from systemd.
  -n 50: last 50 lines
  --no-pager: print directly
ss -lunp: Show bound UDP sockets and owning processes.
  -l: listening/bound sockets
  -u: UDP sockets
  -n: numeric output
  -p: process info
logger -n 127.0.0.1 -P 514 -d "...": Send a syslog message to a remote host/port over UDP.
  -n: target host
  -P: target port
  -d: UDP (datagram)
514/udp: Default syslog UDP port for remote reception.