UnderHost
Knowledgebase Docs

Syslog Configuration and Log Management

Configure syslog, manage system logs, set up log rotation, and monitor VPS/Dedicated server logs. Learn rsyslog configuration and remote logging.


Syslog is the standard system logging facility on Linux and Unix servers. It collects messages from applications, daemons, and the kernel, tagging each one with a facility (the subsystem it came from) and a severity (from emergency down to debug). Understanding syslog is essential for troubleshooting and security monitoring.

Log File Locations

Key system log files on Linux (usually in /var/log/):

  • /var/log/syslog or /var/log/messages - General system messages
  • /var/log/auth.log - Authentication attempts (login, sudo)
  • /var/log/kern.log - Kernel messages
  • /var/log/dmesg - Boot messages and hardware info
  • /var/log/apache2/access.log - Apache web server access logs
  • /var/log/apache2/error.log - Apache errors
  • /var/log/nginx/access.log - Nginx access logs
  • /var/log/mysql/error.log - MySQL/MariaDB errors

Configure rsyslog

rsyslog is the default syslog daemon on most Linux distributions. Its configuration files are:

/etc/rsyslog.conf          # Main config
/etc/rsyslog.d/*.conf      # Additional configs, included in alphabetical order (hence the numeric prefixes)

Validate the configuration before applying it:

sudo rsyslogd -N1   # Check config for syntax errors without starting the daemon

Restart rsyslog after changes:

sudo systemctl restart rsyslog

Syslog Severity Levels

Syslog uses 8 severity levels (0-7):

  • 0 EMERG - System unusable (panic)
  • 1 ALERT - Immediate action required
  • 2 CRIT - Critical condition
  • 3 ERR - Error condition
  • 4 WARNING - Warning condition
  • 5 NOTICE - Normal but significant
  • 6 INFO - Informational
  • 7 DEBUG - Debug-level messages

Facilities categorize log sources:

  • kern - Kernel messages
  • auth - Authentication (login, sudo)
  • cron - Scheduled tasks
  • mail - Mail system
  • user - User-level messages
  • local0-local7 - Custom applications

Custom Logging Rules

Create a custom rsyslog rule file to direct logs:

sudo nano /etc/rsyslog.d/50-custom.conf

Example: Log all errors to a specific file. Note that a selector such as *.err matches that severity and every more severe one, so *.err alone already covers crit, alert, and emerg:

# Capture all errors and critical messages (*.crit is redundant here but harmless)
*.err;*.crit /var/log/critical-errors.log

# Separate authentication logs
auth,authpriv.* /var/log/auth-custom.log

# Custom application logging (uses local0 facility)
local0.* /var/log/myapp.log

Save, exit, and restart rsyslog:

sudo systemctl restart rsyslog
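As an added illustration (not code from the article or from rsyslog), the Python below decodes the PRI header that syslog messages carry on the wire (PRI = facility * 8 + severity, using the numbering from the severity and facility lists above) and evaluates the three selectors from the custom rules above against constructed sample messages. The selector evaluator handles only the classic forms shown on this page (facility lists, '*', 'none', ';'-joined parts), not the '=' and '!' prefixes.

```python
import re

# Index == numeric code: severity 0 (emerg) .. 7 (debug); facility 0 (kern) .. 23 (local7).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + [f"local{i}" for i in range(8)]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)  # RFC 3164 '<PRI>rest of line'

# The article's 50-custom.conf rules as (selector, destination) pairs.
RULES = [("*.err;*.crit", "/var/log/critical-errors.log"),
         ("auth,authpriv.*", "/var/log/auth-custom.log"),
         ("local0.*", "/var/log/myapp.log")]

def decode_pri(pri):
    """PRI = facility * 8 + severity; return (facility name, severity name)."""
    facility, severity = divmod(pri, 8)
    if facility >= len(FACILITIES):
        raise ValueError(f"invalid PRI value {pri}")
    return FACILITIES[facility], SEVERITIES[severity]

def parse_message(raw):
    """Parse '<PRI>body' into a dict; lines without a PRI header are rejected."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI> header")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "body": m.group(2)}

def selector_matches(selector, facility, severity):
    """Evaluate a classic selector such as '*.err', 'auth,authpriv.*' or
    '*.info;mail.none'. A severity name matches that level and every more
    severe one; ';' parts apply left to right and 'none' drops a facility.
    The '=' (exact level) and '!' (exclude) prefixes are not handled."""
    matched = False
    for part in selector.split(";"):
        facs, _, prio = part.strip().rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if prio == "none":
            matched = False
        elif prio == "*" or SEVERITIES.index(severity) <= SEVERITIES.index(prio):
            matched = True
    return matched

def route(raw, rules=RULES):
    """Return the destination files a raw message would be written to."""
    msg = parse_message(raw)
    return [dest for sel, dest in rules
            if selector_matches(sel, msg["facility"], msg["severity"])]
```

For example, a message with PRI 34 (auth.crit) lands in both critical-errors.log and auth-custom.log, while PRI 134 (local0.info) goes only to myapp.log.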

Remote Logging (Centralized Logs)

On the VPS sending logs, configure rsyslog to forward to a remote server (in /etc/rsyslog.conf or a file under /etc/rsyslog.d/):

# Send all messages to the remote server on port 514 over UDP (fast, but delivery is not guaranteed)
*.* @remote-server.com:514

# Or use TCP (more reliable; note that neither transport encrypts the data in transit):
*.* @@remote-server.com:514

Restart rsyslog:

sudo systemctl restart rsyslog

On the receiving server, enable network input (and allow inbound port 514 for the chosen protocol through the firewall):

# In /etc/rsyslog.conf, uncomment:
module(load="imudp")  # For UDP
input(type="imudp" port="514")

# Or for TCP:
module(load="imtcp")  # For TCP
input(type="imtcp" port="514")

View and Monitor Logs

View recent syslog entries:

# Last 20 lines of syslog
tail -n 20 /var/log/syslog

# Follow logs in real-time
tail -f /var/log/syslog

# View logs from last hour
journalctl --since "1 hour ago"

Search logs for specific messages:

# Find all SSH connection attempts
grep "sshd" /var/log/auth.log

# Find all errors in syslog (case-insensitive)
grep -i "error" /var/log/syslog

# View logs from last 30 minutes
journalctl --since "30 min ago"

Use logwatch to summarize logs daily:

sudo apt install logwatch
sudo logwatch --detail High --range Today

Best Practices

  • Rotate logs regularly: Use logrotate to prevent disk space issues. See Log rotation guide
  • Archive old logs: Keep 30-90 days of logs for troubleshooting; archive or delete older ones
  • Monitor security logs: Watch auth.log for failed logins and suspicious activity
  • Set appropriate permissions: Use chmod 640 on sensitive logs; restrict access to root
  • Enable remote logging: For critical servers, send logs to a remote centralized logging server
  • Alert on critical messages: Use tools like rsyslog rules or logwatch to email alerts for critical errors
  • Keep timestamps accurate: Ensure NTP is configured so logs have correct time for correlation

Don't delete logs on active systems

Deleting a log file that rsyslog still has open does not stop rsyslog writing to it: the daemon keeps writing to the now-unlinked file, the disk space is not freed, and no new file appears until rsyslog is restarted. If you must delete, restart rsyslog afterward: sudo systemctl restart rsyslog. Use logrotate instead for safe log rotation.

Related: Log rotation with logrotate | System monitoring | VPS security hardening
