Alta Help Center

Syslog Host

Josh McGee

What is a syslog host?

System logs can help clarify what is causing an error on your network. Network equipment usually has limited memory, so logs are rotated frequently to conserve it, which can mean the information you need is already gone when you review an issue. A syslog host lets you ship the logs from the device to a remote server, hosted on-premises or in the cloud (or your own infrastructure!). This lets you store them indefinitely, and it simplifies log review by offering tools for searching and filtering.

Enabling syslog host

Our management software allows you to define a syslog host for this purpose.

  1. Navigate to the main site Settings
  2. Click the System tab
  3. Scroll down and expand the Advanced section
  4. Next to the Syslog Host label, input the IP address or hostname of your remote syslog server
  5. It will save automatically and begin shipping logs to the server

Setting up a syslog host

The easiest option is rsyslog, which can be activated on a standard Ubuntu server. Any recent version of Ubuntu works, though the LTS version 24.04 is recommended.

Create /etc/rsyslog.d/10-local.conf

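Add the following lines to receive logs over both UDP and TCP on port 514.

# Listen for syslog over UDP and TCP on port 514
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# Write each remote sender's messages to a file named after its source IP
$template PerHostLog,"/var/log/remote/%fromhost-ip%.log"
if $fromhost-ip != '127.0.0.1' then -?PerHostLog
# Stop processing so remote messages are not also written to the local logs
& stop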

You may prefer to change the $template line so that logs are organized further, with each host getting a dedicated directory.

$template PerHostLog,"/var/log/remote/%fromhost-ip%/syslog"

Restart the rsyslog service

service rsyslog restart
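
One way to confirm the receiver works after the restart, as an added example that is not part of the original article. The function names are hypothetical, the script assumes ss, logger and awk are installed, and the paths follow the /var/log/remote layout; the probe must target the server's LAN address because the filter above skips 127.0.0.1.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes Ubuntu defaults:
# ss (iproute2), logger (util-linux), awk. Function names are hypothetical.

# Read `ss -Hlntu` output on stdin; print the protocols listening on port 514.
listeners_514() {
    awk '$5 ~ /:514$/ { seen[$1] = 1 }
         END {
             out = ""
             if (seen["udp"]) out = "udp"
             if (seen["tcp"]) out = (out == "" ? "tcp" : out " tcp")
             print out
         }'
}

# File the PerHostLog template writes for a sender.
# $1 = sender IP, $2 = "flat" (default) or "perdir" (one directory per host).
expected_log_path() {
    case "${2:-flat}" in
        perdir) printf '/var/log/remote/%s/syslog\n' "$1" ;;
        *)      printf '/var/log/remote/%s.log\n' "$1" ;;
    esac
}

# Send one UDP and one TCP probe, then confirm both reached the per-host file.
# $1 = receiver address (not 127.0.0.1: the filter skips loopback),
# $2 = source IP the receiver will see, $3 = layout as above.
probe_receiver() {
    tag="syslog-probe-$$"
    logger -n "$1" -P 514 -d -t "$tag" "udp probe" || return 1
    logger -n "$1" -P 514 -T -t "$tag" "tcp probe" || return 1
    sleep 2   # give rsyslog a moment to write the messages
    count=$(grep -c "$tag" "$(expected_log_path "$2" "$3")" 2>/dev/null)
    [ "${count:-0}" -ge 2 ]
}

# Full check, run as root on the receiver: config syntax, listeners, live probe.
# $1 = the receiver's own LAN address, $2 = layout.
check_receiver() {
    rsyslogd -N1 || return 1
    [ "$(ss -Hlntu | listeners_514)" = "udp tcp" ] || return 1
    probe_receiver "$1" "$1" "${2:-flat}"
}
```

Call check_receiver with the server's own LAN IP as the first argument; a non-zero exit status means the configuration, a listener, or log delivery failed.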

Rotating logs

As noted above, our devices rotate logs periodically to prevent filling up the disk. The syslog server needs the same protection for the logs it receives. Full disks can result in catastrophic downtime, depending on which disk is filled up; the disk storing the root filesystem is especially vulnerable to failure this way.

Create /etc/logrotate.d/remote-syslogs

Input the following configuration to enable compression and log rotation. This will greatly reduce storage pressure on your disk.

/var/log/remote/*.log {
weekly
rotate 52
compress
compresscmd /bin/xz
uncompresscmd /bin/unxz
compressext .xz
compressoptions -9
missingok
notifempty
copytruncate
create 0640 root adm
}

If you set the $template above to organize logs into one directory per host, change /var/log/remote/*.log to /var/log/remote/*/syslog as well.

Other options

While Ubuntu with rsyslog is a great choice with easy initial setup, you may wish for a more fully-featured alternative. Consider checking out Graylog and LibreNMS for free self-hosted options which can be quickly scaffolded with Docker (including Docker Desktop), or tftpd64 for a Windows-based solution that you could install on your laptop.

tftpd64

Use Tftpd64_SE-4.64-setup.exe (or later) to install the service edition.

During installation, feel free to check both start service options.

  1. Launch TFTPD64
  2. Click Settings at the bottom
  3. Click the TFTP tab
  4. Click Browse
  5. Expand This PC
  6. Select the C: drive
  7. Click Make New Folder
  8. Call it syslog, and click OK
  9. Go to the SYSLOG tab
  10. Check Save syslog messages
  11. Make sure the full path is shown: C:\syslog-temp\syslog.txt
  12. Click OK
