A dedicated syslog server is one of the most useful tools you can add to a home lab or small office network. It aggregates log messages from routers, managed switches, access points, IP cameras, and IoT devices into one searchable, persistent store — giving you visibility into what is happening on your network that device web interfaces simply cannot provide. A Raspberry Pi, with its low power draw (3–5 W), reliable Linux base, and large-capacity microSD or USB storage, is an ideal platform for a 24/7 syslog server. This guide covers everything from installation to log analysis.
Table of Contents
- Why Run Your Own Syslog Server
- Hardware and OS Selection
- Setting Up rsyslog as a Syslog Server
- Configuring Network Devices to Send Logs
- Log Rotation and Storage Management
- Analyzing Logs: grep, awk, and Graylog
- Securing Your Syslog Infrastructure
- FAQ
Why Run Your Own Syslog Server
Most consumer routers and managed switches support syslog but have no local storage for logs — they send messages to a UDP port and forget them. Without a receiver, those messages vanish. Common scenarios where a syslog server pays immediate dividends:
- Security investigations: After a suspected intrusion, router auth logs reveal failed and successful login attempts with timestamps and source IPs
- Network troubleshooting: Switch port flapping, DHCP pool exhaustion, and ARP conflicts all generate syslog messages that point directly at the problem device
- IoT device monitoring: ESP32, Arduino Ethernet, and similar devices can be programmed to send structured syslog messages when sensors exceed thresholds
- Compliance: Small businesses handling payment data often need to demonstrate log retention — a Pi syslog server on a 256 GB microSD easily stores 6–12 months of logs for a typical SMB network
A Raspberry Pi running rsyslog handles thousands of log messages per second — far more than any home or small office generates. The bottleneck is always the network and the storage write speed, not the CPU.
Hardware and OS Selection
Any Raspberry Pi from Pi 3B+ onward works well as a syslog server. Selection criteria:
- Pi 4 or Pi 5: Best for large log volumes (enterprise-grade switches/routers), running Graylog or Elasticsearch for advanced analysis, or acting as a multi-purpose server alongside syslog
- Pi Zero 2 W: Adequate for home networks with 10–20 devices; lower power draw (~1.5 W) at the cost of only 512 MB RAM — limits Graylog but fine for raw rsyslog
- Storage: A high-endurance microSD (Samsung Pro Endurance or SanDisk Max Endurance) is essential — syslog writes continuously and kills consumer-grade cards within months. A USB SSD (via USB 3.0 on Pi 4/5) is the best option for production deployments
- Network: Use wired Ethernet, not WiFi — log messages must not be dropped, and the Pi needs a stable, predictable IP (set a DHCP reservation on your router)
Install Raspberry Pi OS Lite (64-bit, Bookworm) — no desktop environment needed for a headless server. Enable SSH during imaging with the Raspberry Pi Imager tool.
Setting Up rsyslog as a Syslog Server
rsyslog is installed by default on Raspberry Pi OS. You need to configure it to listen on UDP/TCP port 514 for incoming syslog messages from network devices.
Step 1: Enable UDP and TCP Reception
Edit the rsyslog configuration:
sudo nano /etc/rsyslog.conf
Uncomment or add these lines near the top of the file:
# Enable UDP reception
module(load="imudp")
input(type="imudp" port="514")
# Enable TCP reception (more reliable, prevents UDP packet loss)
module(load="imtcp")
input(type="imtcp" port="514")
Step 2: Configure Per-Device Log Files
Storing all remote logs in a single file makes them hard to search. Instead, create a template that separates logs by the sending host’s IP or hostname:
# Template: one directory per remote host, one file per day
$template RemoteLogs,"/var/log/remote/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log"
# Apply the template to every message that did not originate locally; "stop"
# ends processing so remote messages are not also written into the local logs
if $fromhost-ip != '127.0.0.1' then {
    action(type="omfile" DynaFile="RemoteLogs" FileCreateMode="0640" DirCreateMode="0750")
    stop
}
Save this to /etc/rsyslog.d/10-remote.conf. Create the log directory:
sudo mkdir -p /var/log/remote
sudo chown syslog:adm /var/log/remote
Step 3: Open Port 514 in the Firewall
sudo ufw allow 514/udp
sudo ufw allow 514/tcp
Step 4: Restart rsyslog
sudo systemctl restart rsyslog
sudo systemctl status rsyslog
Verify the server is listening:
ss -ulnp | grep 514 # UDP
ss -tlnp | grep 514 # TCP
Alternative: syslog-ng
syslog-ng is a more modern alternative with better performance on high-volume deployments and a cleaner configuration syntax. Install it with sudo apt install syslog-ng (it replaces rsyslog). The configuration pattern is similar but uses a source/destination/log block structure that many administrators find more readable.
Configuring Network Devices to Send Logs
Once the Pi syslog server is running, configure each network device to send its logs there. The procedure varies by device type:
Consumer Routers (OpenWrt / DD-WRT)
In OpenWrt: System → System → Logging tab. Set External syslog server to your Pi’s IP, port 514, UDP. In DD-WRT: Administration → Management → Remote Logging.
Cisco / Mikrotik Managed Switches
Cisco IOS: logging host 192.168.1.50 and logging trap informational. Mikrotik RouterOS: System → Logging → add rule, set remote syslog to Pi IP.
Linux Machines (Ubuntu / Debian)
Add to /etc/rsyslog.conf on the client machine:
# UDP (single @)
*.* @192.168.1.50:514
# TCP (double @@, more reliable); use one of the two, or every message is sent twice
*.* @@192.168.1.50:514
IoT Devices and Embedded Systems
For ESP32 and similar, use a lightweight syslog library like esp_syslog or implement the RFC 3164 syslog format directly over UDP — it is just a formatted string prefixed with <priority>timestamp hostname tag: message. A complete syslog send from Arduino Ethernet requires fewer than 20 lines of code.
Log Rotation and Storage Management
Syslog can generate hundreds of megabytes per day on active networks. Without rotation, logs fill the disk silently and then rsyslog starts dropping messages. Configure logrotate for the remote log directory:
sudo nano /etc/logrotate.d/remote-syslog
/var/log/remote/*/*.log {
    daily
    # keep 90 days of logs
    rotate 90
    # gzip older logs; delaycompress leaves the previous day's file uncompressed
    compress
    delaycompress
    missingok
    notifempty
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}
With gzip compression, a typical home router generates less than 1 MB/day of compressed logs. A 32 GB microSD can hold years of logs from a home network.
For production deployments, monitor disk usage with a cron job that alerts when the log partition exceeds 80% capacity:
*/30 * * * * u=$(df --output=pcent /var/log | tail -1 | tr -dc '0-9'); [ "$u" -gt 80 ] && echo "Log disk at ${u}\%" | mail -s "Syslog disk alert" admin@example.com
Replace admin@example.com with your own address. The backslash before % is required because cron treats a bare % in a command as a newline, and the test keeps the job silent (no empty mails) until the threshold is actually crossed; mail needs a working MTA such as mailutils with a relay configured.
Analyzing Logs: grep, awk, and Graylog
Command-Line Analysis
For quick searches, grep and awk work directly on the log files:
# All failed SSH logins from the router in the last 7 days (files modified in the last week)
find /var/log/remote/router/ -name '*.log' -mtime -7 -exec grep -h "authentication failure" {} + | tail -50
# Count events per hour to spot traffic spikes (default "Mar 10 14:23:01" timestamps: month, day, hour)
awk '{print $1, $2, substr($3,1,2) ":00"}' /var/log/remote/firewall/2026-03-10.log | sort | uniq -c
# Extract all unique source IPs from firewall deny logs
grep "DENY" /var/log/remote/firewall/*.log | grep -oP '(?<=SRC=)\d+\.\d+\.\d+\.\d+' | sort | uniq -c | sort -rn | head -20
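The grep and awk one-liners above break down on the default rsyslog file format (the timestamp is three fields, not one) and on gzip-rotated files. The following script is an added example, not code from the original article: it parses lines in rsyslog's default traditional format, buckets events per hour, ranks the SRC= addresses on firewall DENY lines, and reads both plain and rotated .gz files from a per-host directory. The sample log lines, host names and addresses are constructed for the example.

```python
import glob
import gzip
import re
from collections import Counter

# Constructed sample lines in rsyslog's default RSYSLOG_TraditionalFileFormat
# ("Mon DD HH:MM:SS host tag: message"), which is what the per-host template
# on this page produces unless a different ActionFileDefaultTemplate is set.
SAMPLE_LOG = """\
Mar 10 14:02:11 firewall kernel: [12345.678] DENY IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.50 PROTO=TCP DPT=22
Mar 10 14:17:43 firewall kernel: [12401.001] DENY IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.50 PROTO=TCP DPT=23
Mar 10 14:18:02 firewall kernel: [12420.555] ACCEPT IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.50 PROTO=UDP DPT=514
Mar 10 15:03:09 firewall kernel: [15100.909] DENY IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.50 PROTO=TCP DPT=445
Mar 10 15:03:10 firewall kernel: [15101.120] DENY IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.50 PROTO=TCP DPT=445
Mar 10 15:59:59 firewall dropbear[311]: Bad password attempt for 'root' from 203.0.113.5:40122
"""

# Header of a traditional-format line; the day is space padded ("Mar  3"), hence " +"
HEADER_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)
SRC_RE = re.compile(r"SRC=(\d{1,3}(?:\.\d{1,3}){3})")
BADPW_RE = re.compile(r"Bad password attempt .* from (\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line):
    """Split one traditional-format line into header fields; None if it is not syslog."""
    m = HEADER_RE.match(line)
    return m.groupdict() if m else None


def read_remote_logs(pattern):
    """Concatenate plain and gzip-rotated files matching a glob such as /var/log/remote/firewall/*.log*."""
    chunks = []
    for path in sorted(glob.glob(pattern)):
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", errors="replace") as fh:
            chunks.append(fh.read())
    return "".join(chunks)


def events_per_hour(text):
    """Count messages per 'Mon DD HH' bucket, the intent of the awk one-liner."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[f"{rec['mon']} {rec['day']} {rec['time'][:2]}"] += 1
    return dict(counts)


def deny_sources(text):
    """Unique SRC= addresses on DENY lines, most frequent first."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and "DENY" in rec["msg"]:
            m = SRC_RE.search(rec["msg"])
            if m:
                counts[m.group(1)] += 1
    return counts.most_common()


def failed_logins(text):
    """Source addresses of dropbear 'Bad password attempt' messages, with counts."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            m = BADPW_RE.search(rec["msg"])
            if m:
                counts[m.group(1)] += 1
    return dict(counts)


if __name__ == "__main__":
    # Swap SAMPLE_LOG for read_remote_logs("/var/log/remote/firewall/*.log*") on the Pi
    print(events_per_hour(SAMPLE_LOG))
    print(deny_sources(SAMPLE_LOG))
    print(failed_logins(SAMPLE_LOG))
```

On the Pi itself, replace SAMPLE_LOG with read_remote_logs("/var/log/remote/firewall/*.log*") so the compressed history produced by logrotate is included in the counts.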
Graylog (Self-Hosted SIEM)
For a proper dashboard with search, alerting, and retention policies, Graylog is the most popular self-hosted option that runs on Raspberry Pi. It requires MongoDB and Elasticsearch (or OpenSearch), making it a Pi 4/5 4 GB+ deployment. Installation is via Docker Compose for simplicity:
docker compose up -d graylog mongo elasticsearch
Configure Graylog to accept Syslog UDP input on port 5140 (not 514, since Docker maps ports), then forward from rsyslog to Graylog instead of flat files. The Graylog web interface provides full-text search across all logs with millisecond latency on a Pi 5.
Grafana + Loki (Lightweight Alternative)
Grafana Loki is significantly lighter than Graylog — it requires no Elasticsearch. Run Loki on the Pi and use promtail to tail the rsyslog flat files and push them to Loki. Grafana (also running on the Pi) provides the search and visualization UI. The entire stack uses under 300 MB RAM — viable even on Pi 4 2 GB.
Securing Your Syslog Infrastructure
Syslog over UDP (port 514) is unencrypted and unauthenticated — anyone on the same network can send fake log messages to your server. Security hardening steps:
- Bind to a specific interface: In rsyslog, set input(type="imudp" port="514" address="192.168.1.50") to listen only on the LAN interface, not the loopback or any VPN interface
- VLAN isolation: Put the syslog server on a management VLAN that IoT devices cannot reach; only network infrastructure should send logs
- TLS syslog: For Linux clients, configure rsyslog-to-rsyslog communication over TLS (TCP port 6514) with mutual certificates. Prevents log tampering and eavesdropping
- Read-only log files: Mount the log volume with noexec,nosuid options. Log files should be append-only from rsyslog’s perspective
- Immutable logs (WORM): Use chattr +a /var/log/remote (append-only attribute) for compliance deployments; even root cannot delete or modify these files without explicitly removing the attribute first. The attribute also stops logrotate from renaming or removing files inside that directory, so plan rotation around it
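The first and third hardening points are easy to forget after an edit to /etc/rsyslog.d. As an added example (not part of the original article), the script below embeds the listener configuration from the setup section beside a hardened version and audits both for an unbound UDP listener and a plaintext TCP listener. The parameter names (address, StreamDriver.Name, StreamDriver.Mode, StreamDriver.AuthMode, PermittedPeer, DefaultNetstreamDriver*) are real rsyslog options; the certificate paths, peer name pattern and LAN address are assumptions for the example.

```python
import re
import sys

# Constructed fragment: the listeners exactly as the setup section configures them
WEAK_CONF = """
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")
"""

# Constructed hardened fragment: UDP bound to the LAN address only, TCP replaced by
# a TLS-only listener on 6514 that requires a client certificate (mutual auth).
HARDENED_CONF = """
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/pi-syslog.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/pi-syslog.key"
)
# Plain UDP only on the LAN address, for devices that cannot do TLS
module(load="imudp")
input(type="imudp" port="514" address="192.168.1.50")
# TLS-only TCP listener; peers must present a certificate matching PermittedPeer
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["*.lab.example"])
input(type="imtcp" port="6514")
"""

STMT_RE = re.compile(r'(?P<kind>module|input|global)\((?P<body>[^)]*)\)', re.S)
PARAM_RE = re.compile(r'([\w.]+)="([^"]*)"')


def parse_statements(conf):
    """Return (kind, {param: value}) for each module()/input()/global() statement.

    Comment lines are dropped first. Array-valued params such as PermittedPeer=[...]
    are not needed for the checks and are ignored. Names are lower-cased because
    rsyslog treats parameter names case-insensitively.
    """
    text = "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))
    out = []
    for m in STMT_RE.finditer(text):
        params = {k.lower(): v for k, v in PARAM_RE.findall(m.group("body"))}
        out.append((m.group("kind"), params))
    return out


def audit(conf):
    """List the hardening gaps found in an rsyslog listener configuration."""
    findings = []
    stmts = parse_statements(conf)
    # TLS for imtcp is enabled on the module load, not per input
    tls_tcp = any(k == "module" and p.get("load") == "imtcp"
                  and p.get("streamdriver.mode") == "1" for k, p in stmts)
    for kind, p in stmts:
        if kind != "input":
            continue
        port = p.get("port", "?")
        if p.get("type") == "imudp" and "address" not in p:
            findings.append(f"imudp port {port} listens on all interfaces (no address=)")
        if p.get("type") == "imtcp" and not tls_tcp:
            findings.append(f"imtcp port {port} accepts plaintext TCP (imtcp module has no StreamDriver.Mode=\"1\")")
    return findings


if __name__ == "__main__":
    # Pass a real file to audit it: python3 audit.py /etc/rsyslog.d/10-remote.conf
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    for f in audit(conf) or ["no findings"]:
        print(f)
```

Run it against a config file path to check a live deployment; the check is deliberately narrow (listener binding and TLS) and does not replace rsyslogd -N1, which validates the syntax itself.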
Frequently Asked Questions
How much storage do I need for a Raspberry Pi syslog server?
A typical home network with 20–30 devices generates 10–50 MB of uncompressed syslog data per day. With gzip compression (typical 10:1 ratio for log files), that is 1–5 MB/day. A 32 GB microSD holds 10–30 years of home network logs. For a small office with 50+ devices, a 256 GB USB SSD mounted at /var/log provides comfortable multi-year retention.
Can I send logs from ESP32 or Arduino to a Raspberry Pi syslog server?
Yes. The syslog protocol over UDP is extremely simple — send a UDP packet to port 514 formatted as <priority>timestamp hostname appname: message. Multiple Arduino and ESP-IDF syslog libraries are available. On ESP32 with Arduino IDE, the WiFiUDP class is all you need — no additional library required for basic UDP syslog sending.
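The RFC 3164 wire format described in the IoT section and in this answer, as an added example that is not part of the original article: it computes the PRI value (facility * 8 + severity), builds the BSD syslog line, strips control characters so a sensor reading cannot inject a forged second line into the collector's file, sends the datagram over UDP, and parses it back the way the receiver sees it. The host name, tag and sensor message are constructed for the example; the same logic ports directly to an ESP32 sketch.

```python
import re
import socket
from datetime import datetime

# Facility and severity codes from RFC 3164 section 4.1.1 (subset)
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
              "local0": 16, "local1": 17, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Receiver-side pattern: <PRI>Mon DD HH:MM:SS host tag[pid]: message
PARSE_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    rb"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[\d+\])?: ?(?P<msg>.*)$", re.S)


def pri(facility, severity):
    """PRI = facility * 8 + severity; local0/notice gives 133."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility, severity, hostname, tag, msg, when=None):
    """Return one BSD-syslog datagram as bytes; the day is space padded per the RFC."""
    when = when or datetime.now()
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    # Newlines and other control characters in the payload would let a sensor
    # value forge extra log lines on the collector, so neutralise them here
    msg = re.sub(r"[\x00-\x1f\x7f]", "?", msg)
    line = f"<{pri(facility, severity)}>{timestamp} {hostname} {tag}: {msg}"
    # RFC 3164 caps a packet at 1024 bytes; rsyslog accepts more, but stay portable
    return line.encode("ascii", "replace")[:1024]


def send_udp(payload, server, port=514):
    """Fire-and-forget: UDP syslog has no acknowledgement, which is why TCP is preferred on LAN hosts."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (server, port))


def parse_message(payload):
    """Decode a received datagram into its fields; None if it is not RFC 3164 shaped."""
    m = PARSE_RE.match(payload)
    if not m:
        return None
    p = int(m.group("pri"))
    if p > 191:  # 23 * 8 + 7 is the largest legal PRI
        return None
    return {
        "facility": p // 8,
        "severity": p % 8,
        "timestamp": m.group("ts").decode(),
        "hostname": m.group("host").decode(),
        "tag": m.group("tag").decode(),
        "msg": m.group("msg").decode(errors="replace"),
    }


if __name__ == "__main__":
    # Loopback demo: an ephemeral UDP socket stands in for the Pi listening on 514
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        port = rx.getsockname()[1]
        send_udp(build_message("local0", "notice", "esp32-garage", "sensor", "temp=31.5"),
                 "127.0.0.1", port)
        data, _ = rx.recvfrom(2048)
        print(data)
        print(parse_message(data))
```

Point send_udp at the Pi's address and port 514 and the message lands in /var/log/remote/esp32-garage/ under the per-host template from the setup section.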
What is the difference between rsyslog and syslog-ng?
Both are RFC 3164/5424 compliant syslog daemons. rsyslog is the default on Debian/Ubuntu/Raspberry Pi OS and has more extensive documentation for beginners. syslog-ng has cleaner configuration syntax, better performance at very high message rates (100K+ messages/sec), and more flexible message routing. For home lab use, rsyslog is perfectly adequate. For production environments with many log sources, syslog-ng is worth the learning curve.
How do I search logs from a specific IP address?
If you configured per-host log directories, navigate to /var/log/remote/192.168.1.1/ (or the device hostname) and search within those files. For cross-host searches: grep -r "192.168.1.100" /var/log/remote/. With Graylog or Loki, use the query syntax in the web UI — Graylog supports Lucene-style queries like source:192.168.1.1 AND level:ERROR.
Can I forward logs from the Pi syslog server to a cloud SIEM?
Yes. rsyslog supports forwarding to cloud endpoints. For AWS CloudWatch Logs, use the omcloudwatch output module. For Splunk Cloud, configure the Splunk Universal Forwarder on the Pi. For Datadog, the rsyslog-omhttp module sends logs over HTTPS to the Datadog log intake API. This hybrid approach lets you keep 90 days locally on the Pi and forward security-relevant events to a cloud SIEM with longer retention.
A Raspberry Pi syslog server is one of the highest-value, lowest-effort additions to any home lab or small business network. Once deployed, it runs silently for years, collecting the evidence you need only when you need it — and you will always be glad it is there when something goes wrong. Find all the Raspberry Pi hardware for your network project at Zbotic.in’s Raspberry Pi section.