Practical commands and checks to read, test and troubleshoot the logs rsyslog writes.

16.11.2025 | reading time: 2 min

Rsyslog is the engine that collects and writes system messages; knowing where and how to read those files gives immediate insight into system health and suspicious activity.

## A failed SSH login

Start by reading the files rsyslog manages, then check rsyslog itself. A quick workflow looks like this (on Debian-based systems authentication messages land in /var/log/auth.log; on RHEL-based systems look in /var/log/secure):

```bash
sudo tail -n 20 /var/log/auth.log
Apr 11 10:15:23 server01 sshd[2345]: Failed password for invalid user admin from 203.0.113.45 port 54221 ssh2
Apr 11 10:15:25 server01 sshd[2345]: Connection closed by 203.0.113.45 port 54221 [preauth]

sudo rsyslogd -N1
rsyslogd: configuration OK

sudo systemctl status rsyslog --no-pager
● rsyslog.service - System Logging Service
     Active: active (running) since Fri 2025-04-11 09:00:00; 1h 12min ago
```

Two details in that excerpt matter: "invalid user admin" means the account does not exist on this host, and "[preauth]" means the connection was closed before authentication completed, so no session was opened. One such line is background noise; dozens from the same address within a few minutes is a brute-force attempt worth acting on.

## Live checks and simulated messages

Watch live output and inject test messages to verify the pipeline. `logger` tags the message with your user name unless you pass `-t`, so give it an explicit tag you can search for afterwards:

```bash
logger -t admin "Test rsyslog message from admin"
sudo tail -n 5 /var/log/syslog
Apr 11 11:02:10 server01 admin: Test rsyslog message from admin

# Or follow the file live
sudo tail -f /var/log/auth.log
```

## Filter, forward, and rate-limit

You can filter by program or priority, forward messages to remote collectors and apply rate limits. In the classic selector syntax a single at sign forwards over UDP and a double at sign over TCP (for example `@loghost:514` vs `@@loghost:514`). UDP drops messages silently under load and offers no confidentiality or integrity, so for anything security-relevant prefer the RainerScript `action(type="omfwd" ...)` form, which adds TLS, queues and persistent spooling so messages survive a collector outage instead of being lost.

## Complementary utilities

Use grep, awk or sed to extract patterns from the files rsyslog writes, combine them with logrotate to manage file growth, and compare behaviour with systemd's journal (`journalctl`) when it is present; always run `rsyslogd -N1` to validate the configuration before reloading the service.
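The forwarding and rate-limiting directives described above, side by side, as an added example that is not part of the original post. `loghost`, `loghost.example.com`, the certificate paths and the queue name are placeholders; the parameter names themselves are rsyslog's own.

```conf
# Added example: legacy selectors next to their RainerScript equivalent.
# Hostnames, certificate paths and the queue name are placeholders.

# Legacy syntax: one @ forwards over UDP (fire-and-forget), two @@ over plain TCP.
auth,authpriv.*   @loghost:514
auth,authpriv.*   @@loghost:514

# Rate-limit the local /dev/log socket: at most 200 messages per 5-second window
# per process before rsyslog starts discarding and logs a summary line instead.
module(load="imuxsock" SysSock.RateLimit.Interval="5" SysSock.RateLimit.Burst="200")

# TLS settings and the work directory that disk-assisted queues spool into.
global(
  workDirectory="/var/spool/rsyslog"
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/client-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/client-key.pem"
)

# Filter by program name, forward over TLS on 6514, keep a disk-assisted queue so
# messages survive a collector outage, and retry forever rather than giving up.
if $programname == "sshd" then {
  action(type="omfwd"
         target="loghost" port="6514" protocol="tcp"
         StreamDriver="gtls" StreamDriverMode="1"
         StreamDriverAuthMode="x509/name"
         StreamDriverPermittedPeers="loghost.example.com"
         queue.type="LinkedList" queue.filename="fwd_sshd"
         queue.saveOnShutdown="on"
         action.resumeRetryCount="-1")
  stop
}
```

The trailing `stop` ends processing for sshd messages once they have been forwarded, so they do not also fall through to the local file rules below it; drop it if you want a local copy as well. Save the fragment under /etc/rsyslog.d/ and run `rsyslogd -N1` before restarting: a typo in a parameter name is reported there rather than silently ignored at runtime.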
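The grep/awk extraction mentioned above, turned into a small script that counts failed SSH logins per source address and flags brute-force candidates. This is an added example, not code from the original post; the auth.log lines it analyses are constructed for the example, and the threshold of 3 is an arbitrary assumption to pick for your environment.

```bash
#!/bin/sh
# Added example: summarise failed SSH logins from an auth.log-style file.
# The sample lines below are constructed for this example, not from a real host.

# Writes a few constructed auth.log lines to the file named in $1.
write_sample_auth_log() {
  cat > "$1" <<'EOF'
Apr 11 10:15:23 server01 sshd[2345]: Failed password for invalid user admin from 203.0.113.45 port 54221 ssh2
Apr 11 10:15:25 server01 sshd[2345]: Connection closed by 203.0.113.45 port 54221 [preauth]
Apr 11 10:15:31 server01 sshd[2350]: Failed password for invalid user admin from 203.0.113.45 port 54230 ssh2
Apr 11 10:15:40 server01 sshd[2351]: Failed password for root from 203.0.113.45 port 54233 ssh2
Apr 11 10:16:02 server01 sshd[2360]: Accepted publickey for alice from 198.51.100.7 port 40102 ssh2
Apr 11 10:16:45 server01 sshd[2370]: Failed password for bob from 198.51.100.7 port 40110 ssh2
EOF
}

# Prints "<count> <ip>" for every source IP with failed password attempts,
# most active first. Only sshd "Failed password" lines are counted; the
# "Connection closed" and "Accepted" lines are ignored.
failed_logins_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i+1)]++; break }
       }
       END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# Prints only the IPs with at least $2 failures (default 3): brute-force candidates.
brute_force_candidates() {
  failed_logins_by_ip "$1" | awk -v t="${2:-3}" '$1 >= t { print $2 }'
}

# Usage on a real host (needs read access to the file, e.g. via sudo):
#   brute_force_candidates /var/log/auth.log 10
```

Against the sample data `failed_logins_by_ip` reports 3 attempts from 203.0.113.45 and 1 from 198.51.100.7, and only the first address is listed as a candidate. On a busy host pair this with logrotate's dated files (`/var/log/auth.log.1` and the compressed ones via `zcat`) so a slow, spread-out attack is not hidden by rotation.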
## Where to go next

After you can read, test and forward logs, explore structured templates, the omfwd module and secure transport to central collectors; keep learning about Linux logging and consider pursuing a certification such as CompTIA Linux+ or LPIC-1, and use bitsandbytes.academy for intensive exam preparation.

Tags: utilities, security, troubleshooting, infrastructure, processes