CentOS Stream 9

Rsyslog : Basic Usage (2022/06/30)

This is the basic usage of Rsyslog, the log management service daemon.
[1] On CentOS Stream 9, the [imjournal] module is enabled in Rsyslog by default.
Therefore, Rsyslog imports syslog messages from Journald, the systemd log management service.
[root@dlp ~]#
grep imjournal /etc/rsyslog.conf

# local messages are retrieved through imjournal now.
module(load="imjournal"             # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal
[2] The rules for where logging data are stored are configured in [/etc/rsyslog.conf].
[root@dlp ~]#
grep -v -E "^#|^$" /etc/rsyslog.conf

global(workDirectory="/var/lib/rsyslog")
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
include(file="/etc/rsyslog.d/*.conf" mode="optional")
module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket;
                          # local messages are retrieved through imjournal now.
module(load="imjournal"             # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

# * how to write rules : (Facility).(Priority)  (Action)
#   a plain (Priority) matches that priority and every more severe one
#
# ex : *.info;mail.none;authpriv.none;cron.none /var/log/messages
# ⇒ [syslog] messages of [info] Priority and above from all Facilities are stored in [/var/log/messages]
# ⇒ but messages of the [mail], [authpriv], [cron] Facilities are not stored in [/var/log/messages]
#
# * the [-] added at the head of a filename means asynchronous output
#   if [-] is not added, logging data are written with synchronous output

# * Facilities
# kern             :  kernel messages
# auth             :  authentication related messages
# authpriv         :  authentication related messages (private)
# cron             :  cron or at related messages
# mail             :  mail services related messages
# news             :  news related messages
# uucp             :  uucp related messages
# daemon           :  daemon services related messages
# user             :  user level processes related messages
# lpr              :  printer related messages
# syslog           :  internal syslog related messages
# local0 - local7  :  possible to use for custom settings

# * Priorities
# emerg            :  system is unusable (panic level)
# alert            :  action must be taken immediately (more severe than crit)
# crit             :  critical conditions, need to correct immediately
# err              :  common errors, non urgent failures
# warning          :  warning messages
# notice           :  not errors but some unusual events detected
# info             :  normal operational messages
# debug            :  debug information
# none             :  none (not output)

# * if you'd like to store only specified priority messages
# add [=] like follows
# ex : kern.=crit     /dev/console
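To check how the selector rules above combine (for example why a mail.info message lands only in /var/log/maillog, or which actions a kern.crit message reaches once the kern.=crit line is added), here is an added evaluator for the classic (Facility).(Priority) (Action) syntax. It is example code written for this page, not part of Rsyslog, and it covers the forms the page shows: `*`, comma-separated facilities, `none`, `=`, and the `-` asynchronous prefix.

```python
"""Evaluate classic rsyslog selector rules (Facility.Priority  Action); PRIORITIES runs most severe first."""
FACILITIES = ["kern", "auth", "authpriv", "cron", "mail", "news", "uucp", "daemon",
              "user", "lpr", "syslog"] + [f"local{i}" for i in range(8)]
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def selector_table(selectors):
    """Map facility -> set of matched priorities for a ';'-joined selector list.
    Later selectors override earlier ones for the facilities they name, which is
    how 'mail.none' removes mail from a preceding '*.info'."""
    table = {}
    for sel in selectors.split(";"):
        facs, prio = sel.rsplit(".", 1)
        if prio == "none":                 # drop this facility entirely
            matched = set()
        elif prio == "*":                  # every priority
            matched = set(PRIORITIES)
        elif prio.startswith("="):         # exactly this priority
            matched = {prio[1:]}
        else:                              # this priority and all more severe ones
            matched = set(PRIORITIES[: PRIORITIES.index(prio) + 1])
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            table[fac] = matched
    return table

def parse_rule(line):
    """Split a rule line into (selector table, action, is_async); a leading '-'
    on a file name means asynchronous (buffered) output."""
    selectors, action = line.split(None, 1)
    action = action.strip()
    return selector_table(selectors), action.lstrip("-"), action.startswith("-")

# the rule lines from the page's /etc/rsyslog.conf plus its kern.=crit example
RULES = [parse_rule(l) for l in """\
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     -/var/log/maillog
cron.*                                     /var/log/cron
*.emerg                                    :omusrmsg:*
uucp,news.crit                             /var/log/spooler
local7.*                                   /var/log/boot.log
kern.=crit                                 /dev/console
""".splitlines()]

def route(facility, priority, rules=RULES):
    """Return [(action, is_async), ...] reached by a facility.priority message."""
    return [(a, s) for table, a, s in rules if priority in table.get(facility, set())]
if __name__ == "__main__":
    for fac, prio in [("mail", "info"), ("kern", "crit"), ("kern", "debug"), ("mail", "emerg")]:
        print(f"{fac}.{prio:<6} -> {[a for a, _ in route(fac, prio)]}")
```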
[3] To change the setting so that Rsyslog receives syslog messages from the UNIX socket instead of the systemd journal (the default), configure as follows.
The UNIX socket setting is the default on Ubuntu and some other distributions.
[root@dlp ~]#
vi /etc/rsyslog.conf
# line 20-24 : change like follows
# ⇒ change to SysSock.Use="on"
# ⇒ comment out the imjournal module
module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
       SysSock.Use="on")  # Turn on message reception via local log socket;
                          # local messages are no longer retrieved through imjournal.
#module(load="imjournal"            # provides access to the systemd journal
#       StateFile="imjournal.state") # File to store the position in the journal

[root@dlp ~]#
systemctl restart rsyslog
[4] To transfer logging data to remote hosts, configure as follows.
###### on Syslog Server Host (receives logging data from other Hosts) ######

[root@dlp ~]#
vi /etc/rsyslog.conf
# line 35-36 : uncomment
# line 37 : set allowed hosts to connect
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
$AllowedSender TCP, 127.0.0.1, 10.0.0.0/24, *.srv.world

[root@dlp ~]#
systemctl restart rsyslog
# if firewalld is running, allow ports

[root@dlp ~]#
firewall-cmd --add-port=514/tcp

[root@dlp ~]#
firewall-cmd --runtime-to-permanent

###### on Sender Host (sends logging data to Syslog Server Host) ######

[root@node01 ~]#
vi /etc/rsyslog.conf
# add to the end

action(type="omfwd"
       queue.filename="fwdRule_dlp.srv.world"
       queue.maxdiskspace="1g"
       queue.saveonshutdown="on"
       queue.type="LinkedList"
       action.resumeRetryCount="-1"
       Target="dlp.srv.world" Port="514" Protocol="tcp")

# queue.filename               :   file name prefix for the on-disk queue
# queue.maxdiskspace           :   maximum disk space the queue may use
# queue.saveonshutdown=on      :   save queued data to disk when the system shuts down
# queue.type=LinkedList        :   asynchronous in-memory queue which can store 10,000 messages
# action.resumeRetryCount=-1   :   keep retrying indefinitely when the syslog server does not respond
# Target=***                   :   specify the syslog server host

[root@node01 ~]#
systemctl restart rsyslog

###### that's all; verify the settings by viewing the logs on the syslog server host ######

[root@dlp ~]#
tail /var/log/secure

Jun 30 11:12:51 dlp groupadd[1758]: group added to /etc/group: name=apache, GID=48
Jun 30 11:12:51 dlp groupadd[1758]: group added to /etc/gshadow: name=apache
Jun 30 11:12:51 dlp groupadd[1758]: new group: name=apache, GID=48
Jun 30 11:12:51 dlp useradd[1765]: new user: name=apache, UID=48, GID=48, home=/usr/share/httpd, shell=/sbin/nologin, from=none
Jun 30 11:28:12 node01 login[850]: pam_unix(login:session): session closed for user root
Jun 30 11:28:18 node01 systemd[1405]: pam_unix(systemd-user:session): session opened for user cent(uid=1000) by (uid=0)
Jun 30 11:28:18 node01 login[1395]: pam_unix(login:session): session opened for user cent(uid=1000) by (uid=0)
Jun 30 11:28:18 node01 login[1395]: DIALUP AT ttyS0 BY cent
Jun 30 11:28:18 node01 login[1395]: LOGIN ON ttyS0 BY cent
Jun 30 11:28:22 node01 su[1435]: pam_unix(su-l:session): session opened for user root(uid=0) by cent(uid=1000)