Linux VPS System Log Analysis Tutorial: Complete Setup with Rsyslog, Logrotate, and Real-time Monitoring for 2026

Master Linux VPS system log analysis with rsyslog configuration, logrotate automation, and real-time monitoring. Complete tutorial for 2026.

By Anurag Singh
Updated on May 10, 2026
Category: Tutorial

Understanding Linux System Logging Architecture

System logs serve as your primary diagnostic tool when managing a Linux VPS. They capture boot sequences, kernel messages, application errors, and security events.

Proper Linux VPS system log analysis separates successful administrators from those constantly fighting fires.

Linux centers its logging around the rsyslog daemon. This service collects messages from various sources. It routes them to appropriate files based on facility and priority levels.

You'll work with these main log files:

  • /var/log/syslog - General system messages
  • /var/log/auth.log - Authentication attempts
  • /var/log/kern.log - Kernel messages
  • /var/log/daemon.log - System service messages
  • /var/log/mail.log - Email server logs

Installing and Configuring Rsyslog

Ubuntu and Debian systems include rsyslog by default. Check if it's running:

sudo systemctl status rsyslog

If rsyslog isn't installed:

sudo apt update
sudo apt install rsyslog

Open the main configuration file at /etc/rsyslog.conf:

sudo nano /etc/rsyslog.conf

The configuration includes module loading, rules definition, and output destinations.

Here's a practical setup for enhanced logging. Note that the first two directives open a UDP listener on port 514 on every interface, so keep them only on a host that is meant to receive logs from other machines and restrict the port to known senders in the firewall:

# Enable UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Log all kernel messages to separate file
kern.*                         /var/log/kernel.log

# Emergency messages to all users
*.emerg                        :omusrmsg:*

# Log authentication messages to separate file
auth,authpriv.*                /var/log/auth.log

# Log mail system messages
mail.*                         /var/log/mail.log

Restart rsyslog after making changes:

sudo systemctl restart rsyslog

Setting Up Log Rotation with Logrotate

Log files grow continuously. They will consume your disk space without proper management.

Logrotate automatically compresses, removes, and creates new log files on schedule.

Create a custom configuration for system logs:

sudo nano /etc/logrotate.d/custom-logs

Add this configuration:

/var/log/syslog /var/log/auth.log /var/log/kern.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    create 644 syslog adm
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}

This rotates logs daily, keeps 30 days of archives, and compresses old files. On Debian and Ubuntu these three files are already listed in /etc/logrotate.d/rsyslog, and logrotate reports a "duplicate log entry" error and skips the file when the same path appears twice, so either edit that file instead or remove the paths from it before adding this one.

Test the configuration without rotating anything (-d runs in debug mode and only reports what it would do):

sudo logrotate -d /etc/logrotate.d/custom-logs

Force rotation to verify it works:

sudo logrotate -f /etc/logrotate.d/custom-logs

Real-time Log Monitoring Setup

Real-time monitoring catches issues as they happen.

The tail command provides basic real-time viewing:

# Monitor system log in real-time
tail -f /var/log/syslog

# Monitor multiple logs simultaneously
multitail /var/log/syslog /var/log/auth.log /var/log/kern.log

Install multitail for better multi-log viewing:

sudo apt install multitail

Create a monitoring script that watches for specific patterns:

#!/bin/bash
# save as /usr/local/bin/log-monitor.sh

echo "Starting log monitoring..."
# tail -F (not -f) reopens the file after logrotate replaces it, so the
# monitor keeps working past the daily rotation configured above.
tail -F /var/log/syslog | while IFS= read -r line; do
    if echo "$line" | grep -q "error\|ERROR\|fail\|FAIL"; then
        echo "$(date): ALERT - $line" | tee -a /var/log/alerts.log
    fi
done

Make it executable and run in the background:

sudo chmod +x /usr/local/bin/log-monitor.sh
nohup sudo /usr/local/bin/log-monitor.sh &

Advanced Log Analysis with Command-line Tools

Several command-line tools excel at log analysis. These are the most useful for VPS administrators:

grep for pattern matching:

# Find failed login attempts
grep "Failed password" /var/log/auth.log

# Search for a specific IP address (-F treats the dots literally instead of as wildcards)
grep -F "192.168.1.100" /var/log/syslog

# Case-insensitive search with line numbers
grep -i -n "error" /var/log/syslog

awk for field extraction:

# Extract IP addresses from auth.log
# The address is the word after "from"; a fixed field number ($11) only works
# for known users, because "invalid user" lines shift the fields by two.
awk '/Failed password/ {for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)}' /var/log/auth.log | sort | uniq -c

# Show login times and users
awk '/Accepted/ {print $1, $2, $3, $9}' /var/log/auth.log

sed for text processing:

# Remove timestamps for cleaner output
# The day is space-padded for days 1-9 ("May  5"), hence [ 0-9] for the first digit
sed 's/^[A-Z][a-z][a-z] [ 0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [^ ]* //' /var/log/syslog
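As an added example that is not part of the original tutorial, the script below applies the awk approach from this section to constructed auth.log lines: it finds the address by the word "from" instead of a fixed field, which is what lets it handle both the known-user and the "invalid user" line shapes that sshd writes, and it reports which sources cross a failure threshold.

```shell
#!/bin/bash
# Added example: count failed SSH logins per source IP from auth.log lines.
# Both sshd line shapes ("for USER from IP" and "for invalid user USER from IP")
# are handled by locating the word "from" rather than a fixed field number.

# Constructed sample lines in the traditional syslog format (not real data).
SAMPLE_AUTH_LOG='May  5 10:01:02 vps1 sshd[1201]: Failed password for root from 203.0.113.10 port 51234 ssh2
May  5 10:01:05 vps1 sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51240 ssh2
May  5 10:02:17 vps1 sshd[1210]: Failed password for invalid user test from 198.51.100.7 port 40022 ssh2
May  5 10:03:44 vps1 sshd[1222]: Accepted publickey for deploy from 192.0.2.25 port 50010 ssh2
May  5 10:04:01 vps1 sshd[1230]: Failed password for deploy from 203.0.113.10 port 51300 ssh2'

# failed_by_ip: read log lines on stdin, print "COUNT IP", most frequent first.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# ips_over_threshold MIN: print only the IPs with at least MIN failures.
ips_over_threshold() {
    failed_by_ip | awk -v min="$1" '$1 >= min { print $2 }'
}

# accepted_logins: print "MON DAY TIME USER IP" for successful logins.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ {
             for (i = 1; i <= NF; i++) if ($i == "for")  { u = $(i+1) }
             for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1) }
             print $1, $2, $3, u, ip
         }'
}

# Run with --demo to see the sample data; in production pipe the real file:
#   failed_by_ip < /var/log/auth.log
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_ip
    printf '%s\n' "$SAMPLE_AUTH_LOG" | ips_over_threshold 3
    printf '%s\n' "$SAMPLE_AUTH_LOG" | accepted_logins
fi
```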

HostMyCode VPS customers get these tools pre-installed and ready for comprehensive log analysis.

Creating Custom Log Files for Applications

Applications often need dedicated log files.

Configure rsyslog to handle custom logging facilities:

sudo nano /etc/rsyslog.d/50-custom.conf

Add custom logging rules:

# Custom application logs
local0.*                       /var/log/webapp.log
local1.*                       /var/log/database.log
local2.*                       /var/log/backup.log

In your application code, log to the matching facility; in PHP, for example, openlog() with the LOG_LOCAL0 facility followed by syslog() sends messages that land in /var/log/webapp.log under the rules above.

Create logrotate configuration for custom logs:

sudo nano /etc/logrotate.d/custom-apps

/var/log/webapp.log /var/log/database.log /var/log/backup.log {
    weekly
    rotate 12
    compress
    delaycompress
    missingok
    notifempty
    create 644 root root
}

Log Security and Remote Logging

Protecting log integrity is crucial for security and compliance.

Configure secure remote logging to centralize your log management.

On the log server, configure rsyslog to receive logs:

sudo nano /etc/rsyslog.conf

Enable UDP reception:

# Enable UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

On client VPS servers, forward logs:

# Forward all logs to remote server (a single @ sends over UDP; @@ would use TCP)
*.*   @log-server.example.com:514

For enhanced security, use TLS encryption.

Configure TLS on both server and client:

# Server configuration
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca.pem
$DefaultNetstreamDriverCertFile /etc/ssl/certs/server.crt
$DefaultNetstreamDriverKeyFile /etc/ssl/private/server.key
# Mode 1 requires TLS; the default mode 0 accepts plain TCP even with gtls loaded
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode x509/name
# x509/name needs a list of permitted client names (placeholder pattern, adjust to your CA)
$InputTCPServerStreamDriverPermittedPeer *.example.com
$InputTCPServerRun 6514
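The matching client side, as an added example that is not part of the original tutorial; the certificate paths, the server name log-server.example.com and the assumption that the client certificate is signed by the same CA as the server's are carried over from the server block above:

```conf
# Client configuration (added example; paths and names are assumptions)
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca.pem
$DefaultNetstreamDriverCertFile /etc/ssl/certs/client.crt
$DefaultNetstreamDriverKeyFile /etc/ssl/private/client.key

# Mode 1 requires TLS; x509/name checks the server certificate against the permitted peer
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer log-server.example.com

# @@ selects TCP; the TLS driver cannot protect the single-@ UDP form
*.* @@log-server.example.com:6514
```

Verify the client side with `sudo rsyslogd -N1` before restarting, and confirm on the server that forwarded lines arrive from the expected peer name only.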

Professional log management requires reliable infrastructure. HostMyCode VPS hosting provides the stability and performance needed for comprehensive log analysis and monitoring. Our managed VPS solutions include pre-configured logging environments for immediate deployment.

Troubleshooting Common Log Analysis Issues

Several issues can complicate log analysis. Here are solutions to the most common problems:

Log rotation not working: Check if logrotate runs correctly by examining /var/log/logrotate.log. Verify file permissions and ownership.

sudo logrotate -d /etc/logrotate.conf
ls -la /var/log/

Rsyslog not capturing messages: Verify the daemon is running and check configuration syntax:

sudo rsyslogd -N1
sudo systemctl status rsyslog

Disk space issues from large logs: Implement immediate cleanup and adjust rotation schedules:

# Find large log files
sudo find /var/log -type f -size +100M

# Compress large files immediately
sudo gzip /var/log/large-file.log

Missing log entries: Check if applications use syslog correctly. Verify facility and priority settings.

Performance Optimization for Log Processing

High-traffic servers generate massive log volumes.

Optimize rsyslog for performance:

sudo nano /etc/rsyslog.conf

Add performance tuning directives:

# Increase message queue size
$MainMsgQueueSize 50000
$MainMsgQueueDiscardMark 48000
$MainMsgQueueDiscardSeverity 5

# Use high precision timestamps (RSYSLOG_FileFormat carries sub-second
# timestamps; RSYSLOG_TraditionalFileFormat is the low-precision default)
$ActionFileDefaultTemplate RSYSLOG_FileFormat

# Reduce sync frequency
$OMFileFlushOnTXEnd off
$OMFileFlushInterval 10

For database logging with high volume, consider buffered output:

# Buffer database writes: $ActionQueue* directives apply to the next action
# defined after them, so place them directly before the database output rule
$ActionQueueType LinkedList
$ActionQueueFileName dbqueue
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on

Monitor rsyslog performance:

# Check rsyslog statistics: load the impstats module in /etc/rsyslog.conf
# (SIGUSR1 only toggles debugging in rsyslogd and does not produce statistics)
$ModLoad impstats
$PStatInterval 300
$PStatSeverity 7
# After a restart, the counters appear as rsyslogd-pstats lines
sudo grep "rsyslogd-pstats" /var/log/syslog

Frequently Asked Questions

How often should I rotate log files on a VPS?

Daily rotation works well for most VPS environments. High-traffic servers may need hourly rotation. Low-activity servers can use weekly schedules.

Monitor disk space usage to find your optimal rotation frequency.

What's the difference between syslog and systemd journal?

Systemd journal stores logs in binary format. It provides advanced querying through journalctl.

Traditional syslog stores plain text files. Many modern systems use both, with journal forwarding to rsyslog for persistence.

How can I prevent log files from consuming all disk space?

Configure logrotate with appropriate rotation schedules, file count limits, and compression.

Set up disk space monitoring alerts. Consider remote log storage for long-term retention.

Is it safe to delete old log files manually?

Use logrotate instead of manual deletion to ensure proper file handling.

If you must delete manually, stop the logging service first. Delete the files, then restart the service to prevent issues: a file that rsyslog still holds open keeps occupying disk space after it is unlinked, and the daemon keeps writing to the vanished file until it is restarted.

How do I troubleshoot applications not logging to syslog?

Check if the application supports syslog output. Verify rsyslog accepts the facility and priority combination. Ensure proper permissions on log files.

Test with the logger command (for example, logger -p local0.info "test message") to verify syslog functionality end to end.
