{"id":2880,"date":"2022-05-23T19:44:35","date_gmt":"2022-05-23T19:44:35","guid":{"rendered":"https:\/\/dft.wiki\/?p=2880"},"modified":"2026-06-08T21:45:23","modified_gmt":"2026-06-09T01:45:23","slug":"linux-log-management-and-audit","status":"publish","type":"post","link":"https:\/\/dft.wiki\/?p=2880","title":{"rendered":"Linux Log Management and Audit"},"content":{"rendered":"<p><strong>INDEX<\/strong><\/p>\n<ul>\n<li><a href=\"#JournalControl\">Journal Control<\/a>\n<ul>\n<li>Used to view and manipulate Systemd logs.<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Rsyslog\">Remote Syslog<\/a>\n<ul>\n<li>Forwards log messages over an IP network.<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#LogRotate\">Log Rotating<\/a>\n<ul>\n<li>Allows automatic rotating, compressing, removing, and messaging of log files.<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#LogWatch\">Log Watch<\/a>\n<ul>\n<li>Periodically analyzes your logs for a given period and generates a report via email or output file.<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#LogCheck\">Log Check<\/a>\n<ul>\n<li>Automatically scans log files for problems and security violations, then sends the results via email.<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#AuditDaemon\">Audit Daemon<\/a>\n<ul>\n<li>A powerful audit framework for logging events on Linux systems.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<p><strong>SYSLOG PRIORITY\/SEVERITY LEVELS<\/strong><\/p>\n<ul>\n<li>0 &#8211; Emergency<\/li>\n<li>1 &#8211; Alert<\/li>\n<li>2 &#8211; Critical<\/li>\n<li>3 &#8211; Error<\/li>\n<li>4 &#8211; Warning &#8211; Default<\/li>\n<li>5 &#8211; Notifications<\/li>\n<li>6 &#8211; Information<\/li>\n<li>7 &#8211; Debug<\/li>\n<\/ul>\n<hr id=\"JournalControl\" \/>\n<p><strong>JOURNAL CONTROL<\/strong><\/p>\n<p>JournalCTL (aka Journal Control) is used to query the contents of the <strong>systemd journal<\/strong> (<strong>systemd-journald.service<\/strong>).<\/p>\n<p><strong>Note:<\/strong> By default, journal users can only view their own logs unless they are <strong>root<\/strong> or belong to the <strong>adm<\/strong> (or <strong>systemd-journal<\/strong>) group (<code>usermod -a -G adm userName<\/code>).<\/p>\n<ul>\n<li><strong>journalctl<\/strong>\n<ul>\n<li>Shows the full journal contents, starting with the oldest entry.<\/li>\n<\/ul>\n<\/li>\n<li>journalctl <strong>-r -n 10<\/strong>\n<ul>\n<li>Shows the journal in reverse order, limited to 10 entries (newest first).<\/li>\n<\/ul>\n<\/li>\n<li><strong>sudo<\/strong> journalctl<strong> -u ssh.service -f<\/strong>\n<ul>\n<li>Filters logs for the <code>ssh<\/code> unit and follows for real-time entries.<\/li>\n<\/ul>\n<\/li>\n<li>sudo journalctl &#8211;since <strong>&#8220;2021-12-31 23:59:59&#8221;<\/strong>\n<ul>\n<li>Filters entries starting from a specific date and time.<\/li>\n<\/ul>\n<\/li>\n<li>sudo journalctl &#8211;since <strong>&#8220;yesterday&#8221;<\/strong> -p <strong>err<\/strong>\n<ul>\n<li>Filters entries by a relative time window and priority:\n<ul>\n<li><strong>&#8211;since<\/strong> and <strong>&#8211;until<\/strong> accept strings like &#8220;today&#8221;, &#8220;1 hour ago&#8221;, &#8220;2 days ago&#8221;.<\/li>\n<li>Priorities map to <strong>syslog levels<\/strong> and can be expressed as text or numbers (&#8220;emerg&#8221;\/0, &#8220;alert&#8221;\/1, &#8220;crit&#8221;\/2, &#8220;err&#8221;\/3, &#8220;warning&#8221;\/4, &#8220;notice&#8221;\/5, &#8220;info&#8221;\/6, &#8220;debug&#8221;\/7).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>sudo journalctl <strong>SYSLOG_IDENTIFIER=<\/strong>sshd <strong>-S<\/strong> &#8220;13:30:00&#8221; <strong>-U<\/strong> &#8220;14:00:00&#8221;\n<ul>\n<li>Filters entries by identifier and a since\/until time range.<\/li>\n<\/ul>\n<\/li>\n<li>sudo journalctl <strong>-k<\/strong>\n<ul>\n<li>Shows kernel messages.<\/li>\n<\/ul>\n<\/li>\n<li>sudo journalctl <strong>-b<\/strong>\n<ul>\n<li>Shows messages from the current boot.<\/li>\n<\/ul>\n<\/li>\n<li>sudo journalctl -b <strong>-2 &#8211;utc<\/strong>\n<ul>\n<li>Shows messages from two boots ago, displayed in UTC.<\/li>\n<\/ul>\n<\/li>\n<li>sudo journalctl <strong>&#8211;list-boots<\/strong>\n<ul>\n<li>Lists available boot sessions with ordinal numbers and timestamps.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Journal Clean Up<\/strong><\/p>\n<pre>sudo journalctl --verify\r\nsudo journalctl --disk-usage\r\nsudo journalctl --vacuum-size=200M\r\nsudo journalctl --vacuum-files=2\r\nsudo journalctl --vacuum-time=3d\r\nsudo journalctl --vacuum-size=1G --vacuum-time=5d --vacuum-files=5<\/pre>\n<p><strong>Customizing Configuration<\/strong><\/p>\n<pre>sudo nano \/etc\/systemd\/journald.conf<\/pre>\n<ul>\n<li><strong>Storage=<\/strong>\n<ul>\n<li>One of &#8220;volatile&#8221;, &#8220;persistent&#8221;, &#8220;auto&#8221;, or &#8220;none&#8221;.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Compress=<\/strong>\n<ul>\n<li>Suffixes like K, M, and G can be used to specify larger units.<\/li>\n<\/ul>\n<\/li>\n<li><strong>SystemMaxUse=, SystemKeepFree=, SystemMaxFileSize=, SystemMaxFiles=, RuntimeMaxUse=, RuntimeKeepFree=, RuntimeMaxFileSize=, RuntimeMaxFiles=<\/strong>\n<ul>\n<li>Use these variables to set disk usage limits and prevent the journal from affecting system stability.<\/li>\n<\/ul>\n<\/li>\n<li><strong>MaxFileSec=, MaxRetentionSec=, SyncIntervalSec=<\/strong>\n<ul>\n<li>Define additional retention and synchronization parameters.<\/li>\n<\/ul>\n<\/li>\n<li><strong>ForwardToSyslog=, ForwardToKMsg=, ForwardToConsole=, ForwardToWall=, MaxLevelStore=, MaxLevelSyslog=, MaxLevelKMsg=, MaxLevelConsole=, MaxLevelWall=<\/strong>\n<ul>\n<li>Control what messages are forwarded and where.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Finding Failures<\/strong><\/p>\n<pre>journalctl --no-pager --since today --grep 'fail|error|fatal' --output json|jq '._EXE' | sort | uniq -c | sort --numeric --reverse --key 1<\/pre>\n<hr id=\"Rsyslog\" \/>\n<p><strong>REMOTE SYSLOG<\/strong><\/p>\n<p><strong>Rsyslog<\/strong> (aka &#8220;the <strong>R<\/strong>ocket-fast <strong>SYS<\/strong>tem for <strong>LOG<\/strong> processing&#8221;) uses the standard BSD syslog protocol to send messages over IP, with support for additional protocols via extensions. The format of relayed messages can be customized.<\/p>\n<p>Locally, <strong>rsyslog<\/strong> reads the journal and sorts entries based on filters to store or output information appropriately, since the journal is ephemeral and does not persist across reboots.<\/p>\n<p><strong>Server-Side<\/strong><\/p>\n<p>Edit the configuration file:<\/p>\n<pre>sudo nano \/etc\/rsyslog.conf<\/pre>\n<p>Uncomment the following lines to listen over <strong>UDP<\/strong> (faster, recommended):<\/p>\n<pre># provides UDP syslog reception\r\nmodule(load=\"imudp\")\r\ninput(type=\"imudp\" port=\"514\")<\/pre>\n<p>Or uncomment the following lines to listen over <strong>TCP<\/strong> (more reliable):<\/p>\n<pre># provides TCP syslog reception\r\nmodule(load=\"imtcp\")\r\ninput(type=\"imtcp\" port=\"514\")<\/pre>\n<p>Right below the uncommented lines, add:<\/p>\n<pre>$template RemoteLogs,\"\/var\/log\/RemoteHosts\/%HOSTNAME%-%$now%.log\"\r\nif $fromhost-ip != '127.0.0.1' then -?RemoteLogs\r\n&amp; stop<\/pre>\n<p><strong>Note:<\/strong> This creates a template called RemoteLogs that stores logs organized by client hostname. The template is not applied to localhost, and processing stops to prevent duplicate logs. Another commonly used variable is <strong>%PROGRAMNAME%<\/strong>.<\/p>\n<p>Restart the service, verify it is listening on port 514, and monitor for incoming messages:<\/p>\n<pre>sudo systemctl restart rsyslog\r\nsudo ss -tulpn\r\nsudo tail -f \/var\/log\/messages<\/pre>\n<p><strong>Client-Side<\/strong><\/p>\n<p>Edit the configuration file:<\/p>\n<pre>sudo nano \/etc\/rsyslog.conf<\/pre>\n<p>Append the following lines:<\/p>\n<pre>*.* action(type=\"omfwd\" target=\"10.10.10.10\" port=\"514\" protocol=\"<strong>udp<\/strong>\")<\/pre>\n<p><strong>OR<\/strong><\/p>\n<pre>*.* action(type=\"omfwd\" target=\"10.10.10.10\" port=\"514\" protocol=\"<strong>tcp<\/strong>\")<\/pre>\n<p>For improved reliability over TCP, consider adding these flags:<\/p>\n<pre>*.* action(type=\"omfwd\" target=\"10.10.10.10\" port=\"514\" protocol=\"tcp\"<strong> tcp_framing=\"octet-counted\" keepalive=\"on\"<\/strong>)<\/pre>\n<p>The legacy syntax is also supported.<\/p>\n<p>For <strong>UDP<\/strong>:<\/p>\n<pre>*.* @<strong>10.10.10.10<\/strong>:514<\/pre>\n<p>For <strong>TCP<\/strong>:<\/p>\n<pre>*.* @@<strong>10.10.10.10<\/strong>:514<\/pre>\n<p><strong>Note:<\/strong> The expression <strong>*.*<\/strong> means <strong>AllFacilities<\/strong> and <strong>AllSeverityLevels<\/strong>, respectively. Replace the IP address with the IP or hostname of your server.<\/p>\n<p>Restart the service and test it:<\/p>\n<pre>sudo systemctl restart rsyslog\r\nlogger -t \"TagName\" Value\r\nlogger -t \"LocalTime\" $(date)<\/pre>\n<hr id=\"LogRotate\" \/>\n<p><strong>LOG ROTATING<\/strong><\/p>\n<p><b>Log rotation<\/b> is an automated process in which log files are compressed, moved (archived), renamed, or deleted once they become too old or too large.<\/p>\n<p>The file <code>\/etc\/logrotate.conf<\/code> contains the default configuration that applies to all log files unless overridden by a specific configuration.<\/p>\n<p>Specific configuration files must be placed in <code>\/etc\/logrotate.d<\/code>. Below is an example that can be applied to the rsyslog server setup above:<\/p>\n<pre>\/var\/log\/RemoteHosts\/*.log {\r\n  weekly \r\n  rotate 26\r\n  copytruncate\r\n  compress\r\n  delaycompress\r\n  missingok\r\n  notifempty\r\n  create 600 root root\r\n  maxsize 500M\r\n  minsize 50M\r\n}<\/pre>\n<ul>\n<li><strong>weekly<\/strong>\n<ul>\n<li>Rotates the file once a week. Can also be set to daily, monthly, or yearly.<\/li>\n<\/ul>\n<\/li>\n<li><strong>rotate 26<\/strong>\n<ul>\n<li>Keeps 26 rotated files.<\/li>\n<\/ul>\n<\/li>\n<li><strong>copytruncate<\/strong>\n<ul>\n<li>Copies the original file, then truncates it to zero bytes in place.<\/li>\n<\/ul>\n<\/li>\n<li><strong>compress<\/strong>\n<ul>\n<li>Compresses rotated files with gzip to save disk space.<\/li>\n<\/ul>\n<\/li>\n<li><strong>delaycompress<\/strong>\n<ul>\n<li>Skips compression on the first rotation; compresses all subsequent ones.<\/li>\n<\/ul>\n<\/li>\n<li><strong>missingok<\/strong>\n<ul>\n<li>Does not error if a log file is missing.<\/li>\n<\/ul>\n<\/li>\n<li><strong>notifempty<\/strong>\n<ul>\n<li>Skips rotation if the file is empty.<\/li>\n<\/ul>\n<\/li>\n<li><strong>create 600 root root<\/strong>\n<ul>\n<li>Sets the permissions on newly created log files.<\/li>\n<\/ul>\n<\/li>\n<li><strong>maxsize 500M<\/strong>\n<ul>\n<li>Rotates immediately if the file exceeds this size. Supports K (kilobytes), M (megabytes), and G (gigabytes).<\/li>\n<\/ul>\n<\/li>\n<li><strong>minsize 50M<\/strong>\n<ul>\n<li>Skips rotation if the file is below this size. Supports K, M, and G.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Additionally:<\/strong><\/p>\n<ul>\n<li><strong>sharedscripts<\/strong>\n<ul>\n<li>Runs the prerotate and postrotate scripts only once, even when rotating multiple files, rather than once per file.<\/li>\n<\/ul>\n<\/li>\n<li><strong>prerotate<\/strong>\n<ul>\n<li>A bash script block that runs before the file is rotated.<\/li>\n<li>Must end with <code>endscript<\/code>.<\/li>\n<\/ul>\n<\/li>\n<li><strong>postrotate<\/strong>\n<ul>\n<li>A bash script block that runs after the file is rotated.<\/li>\n<li>Must end with <code>endscript<\/code>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Note:<\/strong><\/p>\n<p>Logrotate is <strong>run daily by cron<\/strong> via the script <code>\/etc\/cron.daily\/logrotate<\/code>, and also via systemd timers configured at <code>\/usr\/lib\/systemd\/system\/logrotate.timer<\/code> and <code>\/usr\/lib\/systemd\/system\/logrotate.service<\/code> (<strong>systemctl list-timers<\/strong>).<\/p>\n<p>The combination of <strong>cron<\/strong> and <strong>systemd<\/strong> allows logrotate to run within a flexible time window, helping reduce resource contention based on system load.<\/p>\n<p>To <strong>run logrotate manually<\/strong> or more frequently than daily (e.g., every 6 hours), use the <strong>-f<\/strong> (force) flag:<\/p>\n<pre>\/usr\/sbin\/logrotate <strong>-f<\/strong> \/etc\/logrotate.conf<\/pre>\n<p>Check the health of its timer:<\/p>\n<pre>systemctl status logrotate.timer<\/pre>\n<hr id=\"LogWatch\" \/>\n<p><strong>LOGWATCH<\/strong><\/p>\n<p>Logwatch is a log parser and analyzer that generates a unified activity report for a server, delivered via the command line or email.<\/p>\n<pre>sudo apt install logwatch -y\r\nsudo cp \/usr\/share\/logwatch\/default.conf\/logwatch.conf \/etc\/logwatch\/conf\/\r\nsudo nano \/etc\/logwatch\/conf\/logwatch.conf<\/pre>\n<p>Basic configuration:<\/p>\n<ul>\n<li><strong>Output = stdout<\/strong>\n<ul>\n<li>Prints the report to standard output (console) by default.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Output = mail<\/strong>\n<ul>\n<li>Sends the report by email when analysis is complete.<\/li>\n<li>See option <strong>mailer = &#8220;\/usr\/sbin\/sendmail -t&#8221;<\/strong> for additional configuration.<\/li>\n<li>Also consider using MSMTP [<a href=\"https:\/\/dft.wiki\/?p=478\">Link<\/a>] to add email capability to the system.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Format = text<\/strong>\n<ul>\n<li>The default format. Suitable for console output.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Format = html<\/strong>\n<ul>\n<li>Recommended when sending the report via email.<\/li>\n<\/ul>\n<\/li>\n<li><strong>MailTo = root<\/strong>\n<ul>\n<li>Defines the local account that will receive the report.<\/li>\n<\/ul>\n<\/li>\n<li><strong>MailTo = username@domain.com<\/strong>\n<ul>\n<li>Use a full email address to send outside the local system.<\/li>\n<\/ul>\n<\/li>\n<li><strong>MailFrom = Logwatch<\/strong>\n<ul>\n<li>Sets the sender address. Can be a local account or a full email address.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Filename = \/tmp\/logwatch<\/strong>\n<ul>\n<li>Defines where the report is saved. Requires <strong>Output<\/strong> to be set to <strong>file<\/strong>.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Archives = No<\/strong>\n<ul>\n<li>Uncomment to disable the archive feature, which is enabled by default.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Range = yesterday<\/strong>\n<ul>\n<li>The default range. Can also be set to Today or All.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Detail = Low<\/strong>\n<ul>\n<li>Sets the report detail level, from 0 (low) to 10 (high).<\/li>\n<\/ul>\n<\/li>\n<li><strong>Service = All<\/strong>\n<ul>\n<li>Recommended to leave as All to avoid filtering any services.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Common commands:<\/p>\n<ul>\n<li>logwatch <strong>&#8211;help<\/strong><\/li>\n<li>logwatch <strong>&#8211;range<\/strong> &#8220;-5 days&#8221;\n<ul>\n<li>Analyzes the past 5 days of logs. The default range is the previous day.<\/li>\n<\/ul>\n<\/li>\n<li>logwatch <strong>&#8211;range<\/strong> &#8220;between -7 days and -3 days&#8221; <strong>&#8211;output<\/strong> mail\n<ul>\n<li>Analyzes a specific date range and sends the report by email.<\/li>\n<\/ul>\n<\/li>\n<li>logwatch <strong>&#8211;service<\/strong> all <strong>&#8211;detail<\/strong> high <strong>&#8211;mailto<\/strong> username@domain.com\n<ul>\n<li>Sends a highly detailed report of all services to a specific email address.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr id=\"LogCheck\" \/>\n<p><strong>LOG CHECK<\/strong><\/p>\n<p>Logcheck scans logs hourly and after each reboot for notable lines, looking for signs of misuse, security violations, or system problems.<\/p>\n<pre>sudo apt install logcheck -y\r\nsudo nano \/etc\/logcheck\/logcheck.conf<\/pre>\n<p>Common configuration options:<\/p>\n<ul>\n<li>REPORTLEVEL=&#8221;server&#8221;\n<ul>\n<li>Controls the filtering sensitivity. Options range from &#8220;workstation&#8221; (low alert) to &#8220;paranoid&#8221; (highest alert).<\/li>\n<\/ul>\n<\/li>\n<li>SENDMAILTO=&#8221;logcheck&#8221;\n<ul>\n<li>Set this to the desired destination email address. E.g. <strong>SENDMAILTO=&#8221;username@domain.com&#8221;<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>To view the list of log files being monitored:<\/p>\n<pre>sudo nano \/etc\/logcheck\/logcheck.logfiles<\/pre>\n<hr id=\"AuditDaemon\" \/>\n<p><strong>AUDIT DAEMON<\/strong><\/p>\n<p><strong>auditd<\/strong> is the userspace component of the Linux Auditing System, responsible for writing audit records to disk. <strong>ausearch<\/strong> and <strong>aureport<\/strong> are the tools used to view those logs.<\/p>\n<pre>sudo apt install auditd -y\r\nsudo nano \/etc\/audit\/auditd.conf<\/pre>\n<p><strong>Common commands and temporary rules:<\/strong><\/p>\n<ul>\n<li>sudo auditctl -s\n<ul>\n<li>Shows the status of auditd.<\/li>\n<\/ul>\n<\/li>\n<li>sudo auditctl -e 1\n<ul>\n<li>Enables the audit flag.<\/li>\n<\/ul>\n<\/li>\n<li>sudo auditctl -w \/etc\/passwd -p wrsa -k passwd_watch_key\n<ul>\n<li>Watches the specified file for the following access types: <b>r<\/b>=read, <b>w<\/b>=write, <b>x<\/b>=execute, <b>a<\/b>=attribute change. Assigns an identification key for filtering.<\/li>\n<\/ul>\n<\/li>\n<li>sudo ausearch -k passwd_watch_key\n<ul>\n<li>Displays audit events matching the given key.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>To make rules persistent across reboots, append them to <code>\/etc\/audit\/rules.d\/audit.rules<\/code>:<\/p>\n<pre>-w \/etc\/passwd -p wrsa -k passwd_watch_key<\/pre>\n<p>Then restart the service:<\/p>\n<pre>sudo systemctl restart auditd<\/pre>\n<hr \/>\n<p><strong>TUI NAVIGATION<\/strong><\/p>\n<p><strong>The Log File Navigator<\/strong> (<code>LNAV<\/code>) is an excellent tool for working with logs in the terminal [<a href=\"https:\/\/lnav.org\/\">Link<\/a>]. It improves the log-reading experience with features like syntax highlighting, regex search, filtering, and the ability to merge multiple files into a single view [<a href=\"https:\/\/github.com\/tstack\/lnav\">Link<\/a>].<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5174\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/05\/Screenshot-From-2025-11-20-18-13-58.png\" alt=\"\" width=\"1097\" height=\"543\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/05\/Screenshot-From-2025-11-20-18-13-58.png 1097w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/05\/Screenshot-From-2025-11-20-18-13-58-300x148.png 300w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/05\/Screenshot-From-2025-11-20-18-13-58-1024x507.png 1024w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2022\/05\/Screenshot-From-2025-11-20-18-13-58-768x380.png 768w\" sizes=\"auto, (max-width: 1097px) 100vw, 1097px\" \/><\/p>\n<p>Install with APT:<\/p>\n<pre>sudo apt install lnav -y<\/pre>\n<p>Or Brew:<\/p>\n<pre>brew install lnav<\/pre>\n<p>Common usage:<\/p>\n<pre>lnav \/var\/log\/syslog\r\nlnav \/var\/log\/syslog \/var\/log\/apache2\r\njournalctl -f | lnav<\/pre>\n<p>Key bindings:<\/p>\n<ul>\n<li><code>f<\/code> goes to the next file.<\/li>\n<li><code>e<\/code> goes to the next error.<\/li>\n<li><code>shift+e<\/code> goes to the previous error.<\/li>\n<li><code>\/<\/code> opens the search prompt.\n<ul>\n<li><code>n<\/code> goes to the next search hit.<\/li>\n<li><code>shift+n<\/code> goes to the previous hit.<\/li>\n<\/ul>\n<\/li>\n<li><code>:<\/code> opens the commands menu.\n<ul>\n<li>From here you can enable mouse mode or apply filters.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<p><strong>BONUS<\/strong><\/p>\n<p>Remote Syslog with <strong>syslog-ng<\/strong> [<a href=\"https:\/\/www.syslog-ng.com\/products\/open-source-log-management\/\">Link<\/a>]. Current version 3.36.1 (2022-05-25) available at [<a href=\"https:\/\/github.com\/syslog-ng\/syslog-ng\">Link<\/a>].<\/p>\n<p><strong>Install syslog-ng<\/strong> on both the server and client:<\/p>\n<pre>sudo apt-get install syslog-ng -y<\/pre>\n<p>OR (on Ubuntu\/Debian):<\/p>\n<pre>wget -qO - https:\/\/ose-repo.syslog-ng.com\/apt\/syslog-ng-ose-pub.asc | sudo apt-key add -\r\necho \"deb https:\/\/ose-repo.syslog-ng.com\/apt\/ stable ubuntu-focal\" | sudo tee -a \/etc\/apt\/sources.list.d\/syslog-ng-ose.list\r\napt-get update &amp;&amp; apt-get install syslog-ng -y<\/pre>\n<p>On the server, create <code>\/etc\/syslog-ng\/syslog-ng.conf<\/code>:<\/p>\n<pre>@version: 3.36\r\n@include \"scl.conf\"\r\noptions {\r\n    time-reap(30);\r\n    mark-freq(10);\r\n    keep-hostname(yes);\r\n};\r\nsource s_local {\r\n    system(); internal();\r\n};\r\nsource s_network {\r\n    syslog(transport(tcp));\r\n};\r\ndestination d_logs {\r\n    file(\r\n        \"\/var\/log\/syslog-ng\/${HOST}.txt\"\r\n        owner(\"root\")\r\n        group(\"root\")\r\n        perm(0755)\r\n        );\r\n    };\r\nlog {\r\n    source(s_local); source(s_network); destination(d_logs);\r\n};<\/pre>\n<p>Restart the service with <code>sudo systemctl restart syslog-ng<\/code>.<\/p>\n<p>On the client, create <code>\/etc\/syslog-ng\/syslog-ng.conf<\/code>:<\/p>\n<pre>@version: 3.36\r\n@include \"scl.conf\"\r\nsource s_local {\r\n    system(); internal();\r\n};\r\ndestination d_syslog_tcp {\r\n    syslog(\"10.10.10.10\" transport(\"tcp\") port(514));\r\n};\r\nlog {\r\n    source(s_local);destination(d_syslog_tcp);\r\n};<\/pre>\n<p>Restart the service with <code>sudo systemctl restart syslog-ng<\/code>.<\/p>\n<p>Remember to open the appropriate port on the server firewall to allow inbound connections.<\/p>\n<p>Default ports:<\/p>\n<ul>\n<li>UDP &#8211; port 514<\/li>\n<li>TCP &#8211; port 601<\/li>\n<li>TLS\/TCP &#8211; port 6514<\/li>\n<\/ul>\n<hr \/>\n<p><strong>READ MORE<\/strong><\/p>\n<ul>\n<li><strong>Centralized Log Server with GrayLog<\/strong> [<a href=\"https:\/\/dft.wiki\/?p=2928\">Link<\/a>].<\/li>\n<li>Other open-source tools for centralizing logs include <strong>Zabbix<\/strong> [<a href=\"https:\/\/www.zabbix.com\/\">Link<\/a>], <strong>Nagios<\/strong> [<a href=\"https:\/\/www.nagios.com\/\">Link<\/a>], and <strong>NXLog<\/strong> [<a href=\"https:\/\/nxlog.co\/products\/nxlog-community-edition\">Link<\/a>]. Consider trying them before deciding which best fits your needs.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>INDEX Journal Control Used to view and manipulate Systemd logs. Remote Syslog Forwards log messages [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,6],"tags":[],"class_list":["post-2880","post","type-post","status-publish","format-standard","hentry","category-linux","category-raspberry-pi"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2880","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2880"}],"version-history":[{"count":27,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2880\/revisions"}],"predecessor-version":[{"id":5676,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2880\/revisions\/5676"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2880"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2880"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2880"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}