Configure a Linux host as an rsyslog client that forwards local logs to a central receiver at
192.168.1.10:514 over UDP. Apply a catch-all forwarding rule, restart rsyslog, generate a test message, and verify
client-side processing evidence.
Your organization now has a central rsyslog server listening on 192.168.1.10:514. Your task is to configure this
host as an rsyslog client so local logs are forwarded to the central receiver.
Centralized logging only works if clients forward reliably. Your goal is to implement a simple, catch-all forwarding rule, apply it safely, and generate proof that messages are being handled by the logging pipeline.
*.*) to 192.168.1.10 over UDP
514.
logger.journalctl./etc/rsyslog.d/ to keep configuration modular and auditable.
*.* matches all facilities and severities (a catch-all rule).
@ in the action indicates UDP forwarding; a double @@ indicates TCP forwarding.
# Debian/Ubuntu
sudo apt update
sudo apt install -y rsyslog
# RHEL / Fedora / CentOS
sudo dnf install -y rsyslog
# or (older flows)
sudo yum install -y rsyslog
# Arch
sudo pacman -S rsyslog
The client must have rsyslog installed and running to forward system events to a remote receiver. On many distros, rsyslog is already present; installing ensures the unit and config paths exist.
# Example output (varies by distro):
# rsyslog installed successfully.
# Create a drop-in config for remote forwarding:
sudo nano /etc/rsyslog.d/remote.conf
# or
sudo vim /etc/rsyslog.d/remote.conf
Using a dedicated file under /etc/rsyslog.d/ keeps forwarding rules isolated and easier to audit. The selector
*.* matches all facilities and severities.
# /etc/rsyslog.d/remote.conf
*.* @192.168.1.10:514
The single @ indicates UDP forwarding. A double @@ typically indicates TCP forwarding.
sudo systemctl restart rsyslog
Restarting applies the new forwarding rule. If rsyslog fails to start, validate your rule syntax and inspect
systemctl status rsyslog.
# Quick verification:
systemctl status rsyslog --no-pager
logger -t remote-test "exit_0: rsyslog client forward test"
logger writes to the system logging pipeline. Using a unique tag makes it easy to identify the test message
locally and correlate with receipt on the central server.
# Expected outcome:
# Test log message generated with tag 'remote-test'.
sudo journalctl -u rsyslog -n 50 --no-pager | grep -i remote-test || true
This confirms rsyslog is running and processing events on the client. In a real environment, you would also validate receipt on the central server, but client-side evidence is your first checkpoint.
# Example output (varies):
Feb 11 10:22:41 clienthost remote-test[2457]: exit_0: rsyslog client forward test
This client is now forwarding logs to 192.168.1.10:514 via UDP.
# UDP is connectionless, but you can still sanity-check name/IP reachability:
ping -c 2 192.168.1.10
This is a basic connectivity check. True end-to-end validation still requires verifying the message appears on the receiver.
Validate /etc/rsyslog.d/remote.conf syntax and check systemctl status rsyslog plus
journalctl -u rsyslog for errors.
Make sure your logger command ran successfully and that you are grepping for the correct tag. Also try
journalctl -n 50 to confirm the event exists at all.
Confirm the receiver is listening on 514/udp, confirm firewall rules allow UDP 514, and confirm the client is
using @192.168.1.10:514 (UDP) rather than @@ (TCP).
If this forwarding rule is lab-only, remove the drop-in file and restart rsyslog.
# Remove forwarding rule
sudo rm -f /etc/rsyslog.d/remote.conf
# Apply removal
sudo systemctl restart rsyslog
apt install rsyslog: Install rsyslog on Debian/Ubuntu.
-y: assume “yes” to promptsdnf install rsyslog: Install rsyslog on RHEL-family systems.
-y: assume “yes” to promptspacman -S rsyslog: Install rsyslog on Arch.
/etc/rsyslog.d/: Drop-in directory for rsyslog rules.
*.* @192.168.1.10:514: Catch-all forwarding rule to a UDP receiver.
*.*: all facilities and severities@: UDP forwarding (TCP uses @@)systemctl restart rsyslog: Restart rsyslog to apply configuration changes.
logger -t remote-test "...": Emit a tagged test message into the logging pipeline.
-t: tag the message for easier filteringjournalctl -u rsyslog: View rsyslog unit logs via systemd-journald.
-n 50: last 50 lines--no-pager: print directly192.168.1.10:514: Central receiver address/port used in this lab scenario.