CentOS Stream 8

Rsyslog : Basic Usage
2021/07/02
 
This is the basic usage of Rsyslog, the log management service daemon.
[1] On CentOS Stream 8, the [imjournal] module is enabled in Rsyslog by default.
Therefore, Rsyslog imports syslog messages from Journald, the systemd log management service, instead of listening on the local log socket itself.
[root@dlp ~]#
grep imjournal /etc/rsyslog.conf

module(load="imjournal"             # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal
[2] The rules that decide where logging data are stored are configured in [/etc/rsyslog.conf].
[root@dlp ~]#
grep -v -E "^#|^$" /etc/rsyslog.conf

module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket;
                          # local messages are retrieved through imjournal now.
module(load="imjournal"             # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal
global(workDirectory="/var/lib/rsyslog")
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
include(file="/etc/rsyslog.d/*.conf" mode="optional")
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

# * how to write rules : (Facility).(Priority)  (Action)
#
# ex : *.info;mail.none;authpriv.none;cron.none /var/log/messages
# ⇒ [syslog] messages of [info] Priority or more severe (info, notice, warning, ... emerg) from all Facilities are stored in [/var/log/messages]
# ⇒ but messages of [mail], [authpriv], [cron] Facilities are not stored in [/var/log/messages],
#   because a later selector in the [;] list overrides an earlier one for that Facility
#
# * the [-] that is added at the head of a filename tells omfile not to sync the file after each write
#   if [-] is not added, the file is synced after each write when [$ActionFileEnableSync] is on
#   (it is off by default in current Rsyslog, so [-] then makes no difference)

# * Facilities
# kern             :  kernel messages
# auth             :  authentication related messages
# authpriv         :  authentication related messages (private)
# cron             :  cron or at related messages
# mail             :  mail services related messages
# news             :  news related messages
# uucp             :  uucp related messages
# daemon           :  daemon services related messages
# user             :  user level processes related messages
# lpr              :  printer related messages
# syslog           :  internal syslog related messages
# local0 - local7  :  possible to use for custom settings

# * Priorities (listed from most to least severe; a Priority in a rule selects that Priority and all more severe ones)
# emerg            :  system is unusable (panic level troubles)
# alert            :  action must be taken immediately
# crit             :  critical conditions, need to be corrected soon
# err              :  common errors, non urgent failures
# warning          :  warning messages
# notice           :  not errors but some unusual events detected
# info             :  normal operational messages
# debug            :  debug information
# none             :  none (not output)

# * if you'd like to store only messages of one specified priority,
#   add [=] like follows
# ex : kern.=crit     /dev/console
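The selector rules above are easy to misread (a Priority selects itself and everything more severe, [.none] discards a Facility, [=] picks exactly one Priority). The following is an added example, not code from the page or from the Rsyslog project: it applies the rules shipped in [/etc/rsyslog.conf] above to constructed (facility, priority) pairs, using the sysklogd selector semantics that Rsyslog inherits, so the routing can be reasoned about without a running daemon. The [!] negation and property-based filters are deliberately not implemented.

```python
"""Simulate rsyslog's classic selector syntax: (Facility).(Priority)  (Action).

Added example (not from the page or from rsyslog): selectors joined by ';' are
applied left to right, a plain priority adds that priority and all more severe
ones, '=prio' adds exactly one priority, '*' adds all, and 'none' resets the
facility. '!' negation and property filters are not implemented.
"""
from typing import Dict, List, Set, Tuple

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
# Ordered from most severe (emerg) to least severe (debug), as in RFC 5424.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The rules from /etc/rsyslog.conf on this page.
RULES: List[Tuple[str, str]] = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "-/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", ":omusrmsg:*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
]


def parse_selector(selector: str) -> List[Tuple[List[str], str, bool]]:
    """Split 'fac1,fac2.prio;fac3.none' into (facilities, priority, exact) parts."""
    parts = []
    for chunk in selector.split(";"):
        fac_part, prio = chunk.rsplit(".", 1)
        exact = prio.startswith("=")
        prio = prio[1:] if exact else prio
        if prio not in PRIORITIES and prio not in ("none", "*"):
            raise ValueError(f"unknown priority {prio!r} in {chunk!r}")
        facs = list(FACILITIES) if fac_part == "*" else fac_part.split(",")
        for f in facs:
            if f not in FACILITIES:
                raise ValueError(f"unknown facility {f!r} in {chunk!r}")
        parts.append((facs, prio, exact))
    return parts


def selected_priorities(selector: str) -> Dict[str, Set[str]]:
    """Per-facility set of priorities that one selector line accepts."""
    masks: Dict[str, Set[str]] = {f: set() for f in FACILITIES}
    for facs, prio, exact in parse_selector(selector):
        for f in facs:
            if prio == "none":
                masks[f] = set()          # '.none' discards everything for that facility
            elif prio == "*":
                masks[f] = set(PRIORITIES)
            elif exact:
                masks[f].add(prio)        # '=prio' adds exactly that priority
            else:                         # 'prio' adds prio and everything more severe
                masks[f].update(PRIORITIES[: PRIORITIES.index(prio) + 1])
    return masks


def matches(selector: str, facility: str, priority: str) -> bool:
    return priority in selected_priorities(selector)[facility]


def route(facility: str, priority: str, rules=RULES) -> List[str]:
    """Return the actions (in config order) a message would be delivered to."""
    return [action for selector, action in rules if matches(selector, facility, priority)]


if __name__ == "__main__":
    for fac, prio in [("user", "info"), ("kern", "debug"), ("mail", "info"),
                      ("authpriv", "notice"), ("news", "crit"), ("user", "emerg")]:
        print(f"{fac}.{prio:<8} -> {route(fac, prio) or ['(dropped)']}")
```

Note what the simulation makes visible: a [kern.debug] message is dropped by this configuration (nothing selects debug), a [news.crit] message is written twice ([/var/log/messages] and [/var/log/spooler]), and [authpriv] messages reach only [/var/log/secure] because [authpriv.none] resets that Facility in the first rule.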
[3] If you'd like Rsyslog to receive syslog messages from the UNIX socket instead of the systemd Journal, configure as follows.
The UNIX socket setting is the default on Ubuntu and other distributions.
Note that after this change, messages written to the Journal reach Rsyslog only if Journald forwards them to the syslog socket ([ForwardToSyslog=] in [/etc/systemd/journald.conf]); after restarting, check with [logger test] that the message appears in [/var/log/messages].
[root@dlp ~]#
vi /etc/rsyslog.conf
# line 9-13 : change like follows
# ⇒ change to SysSock.Use="on"
# ⇒ comment out the imjournal module
module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
       SysSock.Use="on")  # Turn on message reception via the local log socket;
                          # local messages are no longer retrieved through imjournal.
#module(load="imjournal"             # provides access to the systemd journal
#       StateFile="imjournal.state") # File to store the position in the journal

[root@dlp ~]#
systemctl restart rsyslog
[4] To forward logging data to a remote host, configure as follows.
Plain TCP on port 514 as shown here is neither encrypted nor authenticated: [$AllowedSender] filters only on the sender's IP address or reverse-DNS name, so restrict it to the hosts that really need to send.
###### on Syslog Server Host (receives logging data from other Hosts) ######

[root@dlp ~]#
vi /etc/rsyslog.conf
# line 24-25 : uncomment
# line 26 : set allowed hosts to connect
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
$AllowedSender TCP, 127.0.0.1, 10.0.0.0/24, *.srv.world

[root@dlp ~]#
systemctl restart rsyslog
# if firewalld is running, allow ports

[root@dlp ~]#
firewall-cmd --add-port=514/tcp

[root@dlp ~]#
firewall-cmd --runtime-to-permanent

###### on Sender Host (sends logging data to Syslog Server Host) ######

[root@node01 ~]#
vi /etc/rsyslog.conf
# add to the end

action(type="omfwd"
       queue.filename="fwdRule_dlp.srv.world"
       queue.maxdiskspace="1g"
       queue.saveonshutdown="on"
       queue.type="LinkedList"
       action.resumeRetryCount="-1"
       Target="dlp.srv.world" Port="514" Protocol="tcp")

# queue.filename               :   queue filename (makes the queue disk-assisted)
# queue.maxdiskspace           :   maximum disk space the queue may use
# queue.saveonshutdown=on      :   save queued data to disk when Rsyslog shuts down
# queue.type=LinkedList        :   asynchronous in-memory queue; with queue.filename set it spills to disk when memory is full
# action.resumeRetryCount=-1   :   retry sending indefinitely while the syslog server does not respond
# Target=***                   :   specify syslog server Host

[root@node01 ~]#
systemctl restart rsyslog

###### That's it. Verify the settings by checking the logs on the syslog server host; entries from [node01] now appear alongside the local ones ######

[root@dlp ~]#
tail /var/log/secure

Jul  2 01:21:56 dlp polkitd[844]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Jul  2 01:21:57 dlp sshd[896]: Server listening on 0.0.0.0 port 22.
Jul  2 01:21:57 dlp sshd[896]: Server listening on :: port 22.
Jul  2 01:22:08 dlp systemd[1506]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Jul  2 01:22:08 dlp login[1134]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jul  2 01:22:08 dlp login[1134]: DIALUP AT ttyS0 BY root
Jul  2 01:22:08 dlp login[1134]: ROOT LOGIN ON ttyS0
Jul  2 01:31:08 node01 sshd[907]: Received signal 15; terminating.
Jul  2 01:31:08 node01 sshd[1572]: Server listening on 0.0.0.0 port 22.
Jul  2 01:31:08 node01 sshd[1572]: Server listening on :: port 22.
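The verification step above is done by eye. The following is an added example, not code from the page or from the Rsyslog project: it parses lines in the [RSYSLOG_TraditionalFileFormat] that omfile writes by default on this page, counts entries per originating host, lists what a given sender delivered, and flags interactive root logins recorded by login(1). [SAMPLE] reproduces the [/var/log/secure] excerpt shown above so the script runs offline; on a real server read [/var/log/secure] instead.

```python
"""Inspect a syslog server's received file for forwarded entries.

Added example (not part of the page or of rsyslog). SAMPLE is the
/var/log/secure excerpt shown on the page, embedded so the script runs offline.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Traditional format: "Mon DD HH:MM:SS host tag[pid]: message"
# (no year, no time zone, seconds resolution; the host is whatever the sender
# put in the message header, not the TCP peer address).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
ROOT_LOGIN_RE = re.compile(r"^ROOT LOGIN ON (?P<tty>\S+)")

SAMPLE = """\
Jul  2 01:21:56 dlp polkitd[844]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Jul  2 01:21:57 dlp sshd[896]: Server listening on 0.0.0.0 port 22.
Jul  2 01:21:57 dlp sshd[896]: Server listening on :: port 22.
Jul  2 01:22:08 dlp systemd[1506]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Jul  2 01:22:08 dlp login[1134]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jul  2 01:22:08 dlp login[1134]: DIALUP AT ttyS0 BY root
Jul  2 01:22:08 dlp login[1134]: ROOT LOGIN ON ttyS0
Jul  2 01:31:08 node01 sshd[907]: Received signal 15; terminating.
Jul  2 01:31:08 node01 sshd[1572]: Server listening on 0.0.0.0 port 22.
Jul  2 01:31:08 node01 sshd[1572]: Server listening on :: port 22.
"""

Record = Dict[str, Optional[str]]


def parse_line(line: str) -> Optional[Record]:
    """One traditional-format line -> dict of ts/host/tag/pid/msg, or None if unparseable."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def parse_lines(lines) -> List[Record]:
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def count_by_host(lines) -> Dict[str, int]:
    """How many entries each host contributed; a missing sender means forwarding failed."""
    return dict(Counter(r["host"] for r in parse_lines(lines)))


def forwarded_from(lines, sender: str) -> List[Record]:
    return [r for r in parse_lines(lines) if r["host"] == sender]


def root_logins(lines) -> List[Tuple[str, str, str]]:
    """(host, timestamp, tty) for every interactive root login recorded by login(1)."""
    hits = []
    for r in parse_lines(lines):
        m = ROOT_LOGIN_RE.match(r["msg"])
        if r["tag"] == "login" and m:
            hits.append((r["host"], r["ts"], m.group("tty")))
    return hits


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    print("entries per host:", count_by_host(lines))
    for r in forwarded_from(lines, "node01"):
        print(f"from node01: {r['ts']} {r['tag']}[{r['pid']}] {r['msg']}")
    print("root logins:", root_logins(lines))
```

Two caveats the parser makes concrete: the host column is the hostname the sender wrote into the message, so a compromised or misconfigured sender can claim any name (record the real peer with the [fromhost-ip] property in an omfile template if that matters), and the traditional timestamp carries neither year nor time zone, which makes [RSYSLOG_FileFormat] with its RFC 3339 timestamps the better choice for a central server.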