LinuxQuestions.org
Old 02-22-2021, 01:45 PM   #1
thebestgorko
LQ Newbie
Registered: Feb 2021
Posts: 2
Syslog server - is it actually needed?


Hello,

I'm new to Syslog/Forwarding/Syslog Server and related stuff, so basically new to Linux as well; well, at least I don't have a lot of experience with UNIX-like systems.

Anyway, things I've tried already with the stuff mentioned above:
- setting up Azure Sentinel/Splunk/ELK
- setting up Kiwi Syslog Server
- forwarding logs to logz.io

I understand how forwarding/listening works; I didn't do much config stuff, so maybe that's why I have the following question:

As far as I understand, all the above solutions are software-based applications/services, and when you configure them on a specific Win/Linux machine they act as a syslog server.
i.e. I have set up Kiwi Syslog Server on Windows and it receives messages on UDP port 514 from an Ubuntu machine on the same network.

However, what I want to know is whether I can set up one Linux machine to listen for syslog messages without installing additional software.
If yes:
1. How?
2. Where does it store the logs received from other machines?
3. What is the capacity for logs received from other machines? Does it depend on the hard drive of the receiving machine?
4. Are there actually any pros, or is it better/recommended to have 3rd-party services installed collecting syslog?
5. Are there syslog server appliances, or is everything software-based/SaaS/PaaS?
 
Old 02-23-2021, 02:43 AM   #2
berndbausch
LQ Addict
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316
Quote:
Originally Posted by thebestgorko
However, what I want to know is whether I can set up one Linux machine to listen for syslog messages without installing additional software.
Yes. rsyslog is installed by default on most distros. And I am certain most of your questions will be answered much better by https://www.rsyslog.com/sending-mess...syslog-server/ than by me. You might also try a web search.
Quote:
If yes:
1. How?
2. Where does it store the logs received from other machines?
3. What is the capacity for logs received from other machines? Does it depend on the hard drive of the receiving machine?
4. Are there actually any pros, or is it better/recommended to have 3rd-party services installed collecting syslog?
5. Are there syslog server appliances, or is everything software-based/SaaS/PaaS?
1. By configuring a remote server in /etc/rsyslog.conf.
2. This is configured in /etc/rsyslog.conf as well.
3. The capacity depends on the capacity of the filesystem(s) where the logs are located.
4. It's mature and open-source. I am sure other log solutions bring their own features and advantages.
5. Appliances are also software-based. I have no idea if someone sells a shrink-wrapped syslog server. Business opportunity?

Last edited by berndbausch; 02-23-2021 at 02:46 AM.
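The configuration berndbausch points at, written out as an added example (this is not code from the thread or from the rsyslog project's documentation): an rsyslog drop-in that makes a stock Linux host receive logs from other machines, stores them per sender, and does so over TLS rather than the unauthenticated UDP 514 the original poster used with Kiwi (MadeInGermany's point further down that classic syslog could already send remote, just not encrypted). The host names, directory paths, certificate file names and the 6514 port are assumptions; adapt them to your own CA and network.

```conf
# /etc/rsyslog.d/10-collector.conf on the receiving Linux host.
# Added example; host names, paths and certificate files are assumptions.

# Weak variant, kept only for contrast: plain UDP on 514 on every interface.
# Anything on the network can inject entries, and the hostname field is
# whatever the sender chose to write. If legacy devices can only speak UDP,
# at least bind it to a management interface with address="...".
#module(load="imudp")
#input(type="imudp" port="514")

# Preferred: TCP with TLS and mutual certificate authentication. Only peers
# whose certificate name matches PermittedPeer are accepted.
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/collector-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/collector-key.pem"
)
# StreamDriver.Mode 1 = TLS only; x509/name checks the peer certificate's name.
module(load="imtcp"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["*.example.internal"])

# Question 2 (where are they stored?): wherever the action says. Instead of
# mixing remote entries into /var/log/messages, give each sender its own
# directory. %FROMHOST-IP% is the real TCP peer address, which the sender
# cannot forge; %HOSTNAME% comes from the message header, so slashes in it
# are replaced (secpath-replace) before it becomes part of a path.
template(name="RemoteByHost" type="string"
         string="/var/log/remote/%FROMHOST-IP%/%HOSTNAME:::secpath-replace%.log")

ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteByHost"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}

input(type="imtcp" port="6514" ruleset="remote")

# Question 3 (capacity?): the limit is the filesystem holding /var/log/remote.
# Mount it separately and rotate it (a logrotate stanza for
# /var/log/remote/*/*.log) so one chatty or compromised sender cannot fill
# the root filesystem.

# --- /etc/rsyslog.d/10-forward.conf on each sending host ---
# Forward everything to the collector over the same TLS channel, queuing to
# disk while the collector is unreachable so nothing is lost in an outage.
#global(
#    DefaultNetstreamDriver="gtls"
#    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
#    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/client-cert.pem"
#    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/client-key.pem"
#)
#action(type="omfwd" target="collector.example.internal" port="6514"
#       protocol="tcp"
#       StreamDriverMode="1" StreamDriverAuthMode="x509/name"
#       StreamDriverPermittedPeers="collector.example.internal"
#       queue.type="LinkedList" queue.filename="fwd_collector"
#       queue.saveOnShutdown="on" action.resumeRetryCount="-1")
```

Check the syntax before restarting with `rsyslogd -N1`, then open 6514/tcp on the collector's firewall only for the sending hosts' addresses. Keeping remote entries in their own tree also answers the "is it worth a third-party product?" question in a practical way: the stock daemon already gives you authenticated, encrypted collection and per-host files; what the commercial and SaaS products add on top is search, alerting and retention management.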
Old 02-23-2021, 09:50 AM   #3
pan64
LQ Addict
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 22,041
Just to emphasize, that is rsyslog, remote syslog, not the "usual" [local] syslog daemon.
 
Old 02-23-2021, 10:06 AM   #4
thebestgorko
LQ Newbie
Registered: Feb 2021
Posts: 2
Original Poster
Quote:
Originally Posted by pan64
Just to emphasize, that is rsyslog, remote syslog, not the "usual" [local] syslog daemon.
What does it mean?
Isn't rsyslog enhanced syslog?
Which is the 'usual' or 'default' syslog daemon?
Now I'm even more confused, haha
 
Old 02-23-2021, 10:08 AM   #5
pan64
LQ Addict
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 22,041
Quote:
Originally Posted by thebestgorko
What does it mean?
Isn't rsyslog enhanced syslog?
Which is the 'usual' or 'default' syslog daemon?
Now I'm even more confused, haha
Then forget it. I only wanted to say that it is a remote solution to accept logs from other hosts, not a local service.
 
Old 02-23-2021, 06:47 PM   #6
berndbausch
LQ Addict
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316
Quote:
Originally Posted by thebestgorko
What does it mean?
Isn't rsyslog enhanced syslog?
Which is the 'usual' or 'default' syslog daemon?
Now I'm even more confused, haha
syslog is the old original. rsyslog is indeed an enhancement, but it dates from the 1990s (still the same developer, by the way) and can be considered an industry standard now. On Linux systems, you will most likely find rsyslog, perhaps BSDs use something else.

In short, for most purposes you can assume syslog=rsyslog, especially on Linux.
 
Old 04-02-2021, 01:33 PM   #7
MadeInGermany
Senior Member
Registered: Dec 2011
Location: Simplicity
Posts: 2,832
Quote:
Originally Posted by pan64
Just to emphasize, that is rsyslog, remote syslog, not the "usual" [local] syslog daemon.
No that's not true. The r stands for rocket-fast.
Quote:
RSYSLOG is the rocket-fast system for log processing.
Both rsyslog and syslog-ng are enhanced versions of the Unix syslog.
The Unix syslog could already send remote, yet not encrypted.
 
Old 04-03-2021, 01:32 PM   #8
tramsch
Member
Registered: May 2014
Distribution: Gentoo, RHEL, Mint
Posts: 35
Most syslog daemons work the same: in the default config they accept logs from local processes and write them to the local disk, /var/log/messages for example.

And they can be configured to also send logs somewhere else while at the same time also accepting logs from somewhere else.
The logs from other machines follow the same rules as the local ones and go to the same files, for example /var/log/messages again.

A log entry has at least
<date and time> <hostname> <message>
so you can distinguish whether this entry is from this machine or from somewhere else.
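Following on from the <date and time> <hostname> <message> layout described above, an added example (not tramsch's or any other poster's code) that splits a syslog-style file by that hostname field, so on a collector where remote and local entries share /var/log/messages you can see at a glance which hosts contributed what. The sample log lines, the host names and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Splits syslog-format lines into entries
# written by this host and entries received from other hosts, using the
# "<date and time> <hostname> <message>" layout. Assumes the traditional
# "Mon DD HH:MM:SS" timestamp that rsyslog's default file template writes,
# so the hostname is always the fourth whitespace-separated field.

# Constructed sample of what /var/log/messages might hold on a collector
# named "collector": three local entries, three received from other hosts.
SAMPLE_LOG='Feb 23 10:06:01 collector systemd[1]: Started Daily apt upgrade and clean activities.
Feb 23 10:06:05 web01 sshd[2231]: Accepted publickey for deploy from 192.0.2.10 port 50112 ssh2
Feb 23 10:06:07 collector rsyslogd: [origin software="rsyslogd"] start
Feb 23 10:06:09 db01 sudo:     alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Feb 23 10:06:11 web01 kernel: [12345.678] Out of memory: Killed process 4242 (php-fpm)
Feb 23 10:06:12 collector CRON[3310]: (root) CMD (run-parts /etc/cron.hourly)'

# syslog_hosts LOCALNAME [FILE]
# Prints one line per sending host, "<count> <hostname> <local|remote>",
# sorted by hostname. Reads FILE when given, else the constructed sample.
syslog_hosts() {
    local_name=$1
    if [ -n "$2" ]; then cat "$2"; else printf '%s\n' "$SAMPLE_LOG"; fi |
    awk -v me="$local_name" '
        NF >= 4 { count[$4]++ }
        END {
            for (h in count)
                printf "%d %s %s\n", count[h], h, (h == me ? "local" : "remote")
        }' |
    sort -k2
}

# syslog_remote_count LOCALNAME [FILE]
# Total number of entries that did not originate on this host.
syslog_remote_count() {
    syslog_hosts "$1" "$2" | awk '$3 == "remote" { n += $1 } END { print n + 0 }'
}

syslog_hosts collector
```

On a real collector run `syslog_hosts "$(hostname)" /var/log/messages`. Keep in mind what this field is: the hostname is whatever the sending daemon wrote into the message header, so over plain UDP it tells you nothing reliable about where an entry actually came from. When attribution matters, have rsyslog record the connection's source address as well (its %FROMHOST-IP% property) or require TLS client certificates from senders, and then split by that rather than by the self-reported name.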