I have been working on a simple SYSLOG project to gather scanning data off hosts around the internet and centralize it. There's no telling what I will do with the data at that point. It's a project I thought of a while back and I nicknamed it TopTalkers. Basically this is the setup I am going for, very simple: a remote syslog server with two hosts sending it traffic.
I would grow the idea from there with more hosts, and then I wanted to write the session data to a PostgresDB. Kind of a poor man's SIEM, or a smart man's method of not paying Cisco for Splunk or Microsoft for Sentinel.
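To make the TopTalkers idea concrete, here is an added example (not code from the original post) of the collector side: it parses RFC 3164 syslog lines as a central rsyslog box would receive them from forwarding hosts and tallies the remote source addresses behind failed SSH logins. The sample lines, host names and the "Invalid user" heuristic are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample feed: what syslog01 might receive from two hosts
# forwarding their auth logs. Addresses are documentation ranges.
SAMPLE_LINES = [
    "<38>Mar  1 10:00:01 host01 sshd[1201]: Invalid user admin from 203.0.113.5 port 51234",
    "<38>Mar  1 10:00:03 host01 sshd[1202]: Invalid user root from 203.0.113.5 port 51240",
    "<86>Mar  1 10:00:07 host02 sshd[887]: Invalid user test from 198.51.100.9 port 40001",
    "<86>Mar  1 10:00:09 host02 sshd[890]: Accepted publickey for ops from 192.0.2.10 port 2222",
    "this line is not syslog at all",
]

# <PRI>TIMESTAMP HOSTNAME MSG  (RFC 3164 layout; PRI = facility*8 + severity)
PRI_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
SRC_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")
AUTH_FACILITIES = {4, 10}  # auth and authpriv, where sshd messages land

@dataclass
class SyslogRecord:
    facility: int
    severity: int
    timestamp: str
    host: str
    message: str

def parse_line(line: str):
    """Parse one RFC 3164 line; return None for malformed input."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facility 23, severity 7 is the largest legal PRI
        return None
    return SyslogRecord(pri // 8, pri % 8, m.group(2), m.group(3), m.group(4))

def top_talkers(lines, n=3):
    """Rank remote IPs by failed SSH login attempts across all reporting hosts."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.facility not in AUTH_FACILITIES:
            continue
        if "Invalid user" not in rec.message:  # constructed heuristic for scanners
            continue
        src = SRC_RE.search(rec.message)
        if src:
            counts[src.group(1)] += 1
    return counts.most_common(n)

if __name__ == "__main__":
    for ip, hits in top_talkers(SAMPLE_LINES):
        print(f"{ip}\t{hits}")
```

Each returned row is what the later PostgreSQL step would store, so the output maps directly onto a (source_ip, attempts) table.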
I had worked on a project like this a couple of years/versions of Debian ago and it was always a debate between rsyslog and syslog-ng. After setting up the three servers I logged into the syslog01 server and went into /var/log/ and things looked different. First off there was a README file in the directory!
I am going to move the sidebar conversation to the blog instead of taking up this whole technical discussion with journald vs syslog debate.
root@syslog01:/var/log# ls
README cloud-init-output.log exim4 runit
alternatives.log cloud-init.log journal unattended-upgrades
apt dpkg.log lastlog wtmp
btmp droplet-agent.update.log private
Well, it looks like a lot of things have changed in the logging world since Debian 9. I know people have had their political arguments over time, but it looks like systemd has finally taken over logging as well. I have never really had a dog in the fight and just kind of took to systemd as it took over the Linux world. Here is the README content.
root@syslog01:/var/log# less README
You are looking for the traditional text log files in /var/log, and they are
gone?
Here's an explanation on what's going on:
You are running a systemd-based OS where traditional syslog has been replaced
with the Journal. The journal stores the same (and more) information as classic
syslog. To make use of the journal and access the collected log data simply
invoke "journalctl", which will output the logs in the identical text-based
format the syslog files in /var/log used to be. For further details, please
refer to journalctl(1).
Alternatively, consider installing one of the traditional syslog
implementations available for your distribution, which will generate the
classic log files for you. Syslog implementations such as syslog-ng or rsyslog
may be installed side-by-side with the journal and will continue to function
the way they always did.
Thank you!
Further reading:
man:journalctl(1)
man:systemd-journald.service(8)
man:journald.conf(5)
https://0pointer.de/blog/projects/the-journal.html
README (END)
Now, after some reading, I believe I will keep using rsyslog or syslog-ng (the debate will rage on during this project). I think some users have legit concerns about corruption with journald.