
How to Send Sudo Logs to Remote Server in Ubuntu

Forwarding sudo logs from an Ubuntu host to a remote server centralizes auditing and keeps a copy of the audit trail off the machine on which the commands were run. This article explains how to configure the rsyslog service to forward the auth and authpriv facilities, where sudo records every command it executes, to a remote syslog server. It covers the configuration changes needed on both the client and the server, and what to check so that transmission is reliable.

Prerequisites

You need two machines: the Ubuntu client generating the logs and a remote server to receive them. Both systems need rsyslog, which is the default logging daemon on Ubuntu. Ensure network connectivity between the two machines on the chosen port, typically 514, for either UDP or TCP. Plain syslog on port 514 is neither encrypted nor authenticated, so anyone on the network path can read or inject log messages; across anything other than a trusted network segment, use rsyslog's TLS support (conventionally on port 6514) or carry the traffic over a VPN.

Configure the Remote Server

On the remote server, you must enable the network listener in rsyslog to accept incoming logs. Open the rsyslog configuration file using a text editor.

sudo nano /etc/rsyslog.conf

Uncomment or add the following lines to enable UDP or TCP reception. TCP is recommended: UDP gives the sender no way to notice that a message was lost. Load only the module for the protocol you will actually use, so the server does not listen on more than it needs to.

# Provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# Provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

Save the file and restart the rsyslog service.

sudo systemctl restart rsyslog

Ensure the server's firewall allows traffic on port 514 for the protocol you enabled, and restrict the rule to the client's address rather than opening the port to everyone.

Configure the Ubuntu Client

On the client machine, you need to tell rsyslog to forward authentication logs to the remote server. Create a new configuration file in the rsyslog directory.

sudo nano /etc/rsyslog.d/40-remote-logging.conf

Add the following line, replacing REMOTE_SERVER_IP with the actual IP address or hostname of your remote server. On Ubuntu, sudo writes its records to the authpriv facility, so this selector captures every sudo command (together with other authentication events such as SSH logins) and forwards it.

auth,authpriv.* @REMOTE_SERVER_IP:514

If you are using TCP, use two at signs (@@). Note that this legacy selector syntax has no queue of its own: while the remote server is unreachable, rsyslog discards the messages it cannot deliver for this action.

auth,authpriv.* @@REMOTE_SERVER_IP:514

Save the file and restart the rsyslog service on the client.

sudo systemctl restart rsyslog
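The legacy @@ line above is enough to get logs flowing, but it loses messages whenever the server is down or the client reboots with undelivered records. The script below is an added example, not part of the original article: it writes the same forwarding rule in rsyslog's RainerScript form with a disk-assisted queue, syntax-checks the whole configuration with rsyslogd -N1 before restarting, and emits a test record in the authpriv facility with logger so the server can be checked without running a privileged command. The server address 192.0.2.10, the port and the REMOTE_LOGGING_APPLY switch are assumptions for the example; set them for your environment.

```shell
#!/bin/sh
# Added example (not from the original article): install a reliable rsyslog
# forwarding rule for sudo/auth logs on an Ubuntu client.
# Usage: sudo REMOTE_SERVER=192.0.2.10 REMOTE_LOGGING_APPLY=1 sh ./remote-logging.sh
set -eu

REMOTE_SERVER="${REMOTE_SERVER:-192.0.2.10}"   # assumption: collector address (RFC 5737 test range)
REMOTE_PORT="${REMOTE_PORT:-514}"
CONF_FILE="${CONF_FILE:-/etc/rsyslog.d/40-remote-logging.conf}"

# Print the forwarding rule. Unlike "auth,authpriv.* @@host:514", the omfwd
# action keeps a disk-assisted queue under rsyslog's work directory
# (/var/spool/rsyslog on Ubuntu), so records survive a collector outage or a
# client reboot instead of being discarded.
render_remote_logging_conf() {
    server="$1"
    port="$2"
    printf '%s\n' \
        "# Forward auth/authpriv (sudo logs to authpriv by default) to the collector." \
        "auth,authpriv.* action(" \
        "    type=\"omfwd\"" \
        "    target=\"$server\"" \
        "    port=\"$port\"" \
        "    protocol=\"tcp\"" \
        "    action.resumeRetryCount=\"-1\"" \
        "    queue.type=\"LinkedList\"" \
        "    queue.filename=\"fwd_auth\"" \
        "    queue.saveOnShutdown=\"on\"" \
        "    queue.maxDiskSpace=\"100m\"" \
        ")"
}

# Reject anything that is not a TCP port number before touching /etc.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

apply_remote_logging() {
    valid_port "$REMOTE_PORT" || { echo "bad port: $REMOTE_PORT" >&2; return 1; }
    render_remote_logging_conf "$REMOTE_SERVER" "$REMOTE_PORT" > "$CONF_FILE"
    rsyslogd -N1                 # check the full configuration before restarting
    systemctl restart rsyslog
    # Test record in the facility sudo uses, so the collector can be checked
    # without running a privileged command on the client.
    logger -p authpriv.notice "remote-logging test from $(hostname)"
}

# Nothing is written unless the operator asks for it explicitly.
if [ "${REMOTE_LOGGING_APPLY:-0}" = "1" ]; then
    apply_remote_logging
fi
```

Run it without REMOTE_LOGGING_APPLY to do nothing; run render_remote_logging_conf by hand to review the rule before installing it. The queue.filename is what turns the in-memory queue into a disk-assisted one, and action.resumeRetryCount="-1" tells rsyslog to keep retrying instead of discarding messages once the collector has been unreachable for a while.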

Verify Log Transmission

To confirm the setup is working, execute a sudo command on the client machine.

sudo ls /root

Check the remote server's log file. On an Ubuntu server with the default rsyslog rules, auth and authpriv messages are written to /var/log/auth.log and deliberately excluded from /var/log/syslog; on other distributions, check the server's own rules. Forwarded entries carry the client's hostname in the hostname field, which is how you distinguish them from the server's own sudo records. You should see an entry reflecting the sudo command executed on the client.

sudo tail -f /var/log/auth.log

If the entry appears, remote sudo logging is configured correctly. Be clear about what this protects: records that have already been forwarded can no longer be altered or deleted from the client, which is the point of the exercise. It does not stop an attacker with root on the client from stopping or reconfiguring rsyslog, so a client that goes quiet should itself raise an alert on the server, and with plaintext syslog anyone on the network path can read or spoof messages unless the transport is protected as described in the prerequisites.
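Watching tail output is fine for a first test, but on a busy collector you will want to pull out the sudo records for one client and separate refused attempts from commands that ran. The script below is an added example, not part of the original article: it filters forwarded sudo records by client hostname from auth.log in Ubuntu's traditional syslog format, using a constructed sample log (hostnames webclient and collector, users alice, bob and admin, and the address 192.0.2.55 are all made up for the example).

```shell
#!/bin/sh
# Added example (not from the original article): extract the forwarded sudo
# records for one client host from a collector's /var/log/auth.log.
set -eu

# Constructed sample of an Ubuntu collector's auth.log after a client named
# "webclient" starts forwarding auth,authpriv.*. The server's own sudo line
# ("collector") and an sshd line are mixed in, as they would be in practice.
SAMPLE_AUTH_LOG='Mar  3 14:22:17 webclient sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/ls /root
Mar  3 14:22:17 webclient sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
Mar  3 14:22:30 webclient sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 14:23:01 collector sudo:    admin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/auth.log
Mar  3 14:23:05 webclient sshd[2210]: Accepted publickey for alice from 192.0.2.55 port 50222 ssh2'

# Traditional syslog layout: $1-$3 timestamp, $4 hostname, $5 tag ("sudo:" or
# "sudo[pid]:"), $6 the invoking user for sudo's own command records.

# sudo_commands HOST < LOG
# Prints "user<TAB>command" for every sudo COMMAND= record from HOST, whether
# the command ran or was refused; pam session lines and non-sudo records are skipped.
sudo_commands() {
    awk -v host="$1" '
        $4 == host && $5 ~ /^sudo(\[[0-9]+\])?:$/ && index($0, "COMMAND=") {
            cmd = substr($0, index($0, "COMMAND=") + 8)
            print $6 "\t" cmd
        }'
}

# sudo_failures HOST < LOG
# Prints "user<TAB>command" only for attempts sudo refused after bad passwords,
# the lines most worth alerting on.
sudo_failures() {
    awk -v host="$1" '
        $4 == host && $5 ~ /^sudo(\[[0-9]+\])?:$/ && /incorrect password attempts/ {
            cmd = substr($0, index($0, "COMMAND=") + 8)
            print $6 "\t" cmd
        }'
}

# Demonstration on the constructed sample; on a real collector run, for example,
#   sudo_commands webclient < /var/log/auth.log
echo "sudo commands from webclient:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | sudo_commands webclient
echo "refused sudo attempts from webclient:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | sudo_failures webclient
```

Filtering on the hostname field is what separates the client's forwarded records from the collector's own sudo activity; the functions assume rsyslog's traditional timestamp format, which is what Ubuntu's stock rsyslog.conf writes, so adjust the field numbers if your server uses RFC 3339 timestamps.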