I recently discovered that my home router, a Netgear DG834G, is able to forward its log messages to a given syslog server. So, I thought: why not use my new shiny Raspberry Pi as a syslog server? The following post explains how to do it, using the rsyslog daemon.

Why rsyslogd instead of syslog-ng?

For some reason, all the guides I found on Google explain how to set up a syslog-ng server on the Pi. I think that the proper question should be: why syslog-ng instead of rsyslogd? The latter is already installed on Raspbian! See this answer for other reasons why you may want to prefer rsyslogd.

Prerequisites

This post assumes that your Pi is running Raspbian and that your router is able to send its logs using the syslog protocol.

Step 1: enable port 514 on the Pi

Since the rsyslog daemon is already installed and running, you can just tell it to listen for syslog connections on the default port 514. This is as simple as uncommenting the following lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514

$ModLoad imtcp
$InputTCPServerRun 514

Now your Pi will listen on port 514 for incoming syslog connections, using both the UDP and TCP protocols (some routers might only support one of the two).

Step 2: create your log file

The logs that you are going to receive have to be saved somewhere on the Pi's disk. The conventional place is the /var/log directory, so just create a new file there, for instance:

$ sudo touch /var/log/netgear.log

Step 3: configure your logs

Now you have to tell rsyslogd to use the file you just created. You can do it by creating a new configuration file in the /etc/rsyslog.d/ directory. Name this file whatever you like (but it must have the extension .conf) and put the following content in it (credits to this blog post):

$template NetworkLog, "/var/log/netgear.log"
:fromhost-ip, isequal, "192.168.0.1" -?NetworkLog
& ~

Just make sure to replace 192.168.0.1 with the IP of your router and netgear.log with the log file that you created in the previous step.

Note about newer versions of rsyslog

In recent versions of rsyslog, you may need to replace the deprecated ~ with stop, i.e. your configuration file will end with & stop instead of & ~.
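
With the configuration above, syslog messages that arrive on port 514 from any host other than the router fall through to the Pi's own log files. The variant below is an added example, not part of the original post: written in the newer RainerScript syntax, it binds both listeners to a dedicated ruleset so that only messages from the router are written and everything else is dropped. It assumes an rsyslog version that accepts this syntax and that the lines from Step 1 stay commented out (this file opens the port itself); the file name and the ruleset name "router" are arbitrary.

```conf
# /etc/rsyslog.d/netgear.conf  (file name is an example)
# Used INSTEAD of uncommenting the Step 1 lines in /etc/rsyslog.conf;
# enabling both would try to open port 514 twice.

module(load="imudp")
module(load="imtcp")

# Everything received from the network is handled here and never reaches
# the rules in /etc/rsyslog.conf that feed the Pi's own log files.
ruleset(name="router") {
    # Replace 192.168.0.1 with the IP of your router.
    if $fromhost-ip == '192.168.0.1' then {
        action(type="omfile" file="/var/log/netgear.log")
    }
    # Messages from any other sender match nothing above and are discarded.
    stop
}

# Both listeners hand their messages to the "router" ruleset only.
input(type="imudp" port="514" ruleset="router")
input(type="imtcp" port="514" ruleset="router")
```

You can check the file for syntax errors with sudo rsyslogd -N1 before restarting the daemon. The source address of a UDP datagram can be forged, so the IP match separates log streams but does not authenticate the sender.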

Step 4: restart rsyslog

You are almost done. Just restart the rsyslog daemon with the following command:

$ sudo service rsyslog restart

Step 5: start the syslog protocol on your router

The final step is to enable the syslog protocol from the router side (that is the client side). This is different from router to router, so you should check your router’s documentation. For example, on my router I just need to provide the IP of the syslog server!

You should finally see the log entries of your router in your log file, as soon as something is logged by the router.

Step 6: configure logrotate

It’s a good idea to rotate your log file, especially if your router creates a lot of log entries. Just create a file in the /etc/logrotate.d/ directory (name it whatever you like) with the following content:

/var/log/netgear.log {
        rotate 7
        size 500k
        notifempty
        compress
        postrotate
                invoke-rc.d rsyslog rotate > /dev/null
        endscript
}

Again, replace netgear.log with the name of your log file.

That’s it! Happy logging with your Pi.