We will use rsyslog and not syslog-ng, as rsyslog is very common and is turned on by default in most distributions.

<aside> 💡 If you change the config file, make sure to restart the syslog server, otherwise it will not pick up the changes.

service rsyslog restart

</aside>

Syslog

<aside> 💡 Send syslog via TCP.

</aside>

Port: 514 (Syslog + CEF)

Works on both TCP & UDP

By default syslog uses UDP. As UDP is connectionless, it does not verify whether the packet reached the target, i.e. the syslog collector. You don't want to be in a position where a missing log is taken to mean the event didn't happen: maybe the log never reached the collector, and so never reached Sentinel.

To make sure the logs get there, use TCP.

To install rsyslog:

apt install rsyslog

To check whether syslog is listening on the port:

netstat -ano

To enable listening on port 514, edit the rsyslog configuration:

nano  /etc/rsyslog.conf

To check our network interface:

ifconfig

To see the packets at the network level, i.e. capture the traffic to and from port 514 on eth0:

tcpdump -i eth0 port 514
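The steps above put together as a small script, added here as an example and not part of the original notes: it writes a drop-in rsyslog config that opens TCP/514 (the transport recommended above), checks the syntax, restarts rsyslog and verifies the listener. The drop-in file name is an assumption; the system is only modified when the script is run with the `apply` argument.

```shell
#!/bin/sh
# Added example: enable rsyslog listening on TCP/514 for Syslog + CEF.
# DROPIN is an assumed path under /etc/rsyslog.d (rsyslog.conf includes it).
set -eu

DROPIN=/etc/rsyslog.d/10-listen-tcp-514.conf

# Render the rsyslog config that opens TCP/514. TCP is used rather than UDP
# so that delivery to the collector is connection-oriented, as the notes say.
render_rsyslog_conf() {
    cat <<'EOF'
# Listen for syslog/CEF over TCP on port 514 (rsyslog RainerScript syntax)
module(load="imtcp")
input(type="imtcp" port="514")
EOF
}

# Write the drop-in, validate it, restart rsyslog (it will not pick up the
# change otherwise) and confirm something is actually listening on TCP/514.
apply_rsyslog_conf() {
    render_rsyslog_conf > "$DROPIN"
    rsyslogd -N1                      # syntax check before touching the service
    service rsyslog restart
    if ss -ltnp | grep -q ':514 '; then
        echo "rsyslog is listening on TCP/514"
    else
        echo "rsyslog is NOT listening on TCP/514" >&2
        return 1
    fi
}

# Only modify the system when explicitly asked:  sh enable-514.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rsyslog_conf
fi
```

After applying, `tcpdump -i eth0 port 514` should show the incoming TCP syslog traffic described above.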