Rsyslog : Basic Usage2024/07/02 |
This is Basic Usage of Rsyslog that is the Log Management Service Daemon.
|
|
[1] | Stored rules of logging data are configured in [/etc/rsyslog.conf] and included files. |
root@dlp:~# grep -v -E "^#|^$" /etc/rsyslog.conf /etc/rsyslog.d/* /etc/rsyslog.conf:module(load="imuxsock") # provides support for local system logging /etc/rsyslog.conf:module(load="imklog" permitnonkernelfacility="on") /etc/rsyslog.conf:$RepeatedMsgReduction on /etc/rsyslog.conf:$FileOwner syslog /etc/rsyslog.conf:$FileGroup adm /etc/rsyslog.conf:$FileCreateMode 0640 /etc/rsyslog.conf:$DirCreateMode 0755 /etc/rsyslog.conf:$Umask 0022 /etc/rsyslog.conf:$PrivDropToUser syslog /etc/rsyslog.conf:$PrivDropToGroup syslog /etc/rsyslog.conf:$WorkDirectory /var/spool/rsyslog /etc/rsyslog.conf:$IncludeConfig /etc/rsyslog.d/*.conf /etc/rsyslog.d/20-ufw.conf::msg,contains,"[UFW " /var/log/ufw.log /etc/rsyslog.d/21-cloudinit.conf::syslogtag, isequal, "[CLOUDINIT]" /var/log/cloud-init.log /etc/rsyslog.d/21-cloudinit.conf:& stop /etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log /etc/rsyslog.d/50-default.conf:*.*;auth,authpriv.none -/var/log/syslog /etc/rsyslog.d/50-default.conf:kern.* -/var/log/kern.log /etc/rsyslog.d/50-default.conf:mail.* -/var/log/mail.log /etc/rsyslog.d/50-default.conf:mail.err /var/log/mail.err /etc/rsyslog.d/50-default.conf:*.emerg :omusrmsg:* # * how to write rules : (Facility).(Priority) (Action) # # ex : *.info;mail.none;authpriv.none;cron.none /var/log/messages # ⇒ [syslog] messages of [info] Priority of all Facilities are stored in [/var/log/messages] # ⇒ but messages of [mail], [authpriv], [cron] Facilities are not stored in [/var/log/messages] # # * the [-] that is added at the head of a filename means asynchronous output # if [-] is not added, logging data are written with synchronous output # * Facilities # kern : kernel messages # auth : authentication related messages # authpriv : authentication related messages (private) # cron : cron or at related messages # mail : mail services related messages # news : news related messages # uucp : uucp related messages # daemon : daemon services related messages # user : user level processes related messages # lpr : printer related messages # syslog : internal syslog related messages # local0 - local7 : possible to use for custom settings # * Priorities # emerg : maybe panic level troubles # alert : need to correct immediately more than critical # crit : need to correct immediately # err : common errors, non urgent failures # warning : warning messages # notice : not errors but some unusual events detected # info : normal operational messages # debug : debug information # none : none (not output) # * if you'd like to store only specified priority messages # add [=] like follows # ex : kern.=crit /dev/console |
[2] | To transfer logging data to remote Hosts, Configure like follows. |
###### on Syslog Server Host (receives logging data from other Hosts) ###### root@dlp:~# vi /etc/rsyslog.conf # line 21-22 : uncomment
line 23 : set allowed hosts to connect
module(load="imtcp")
input(type="imtcp" port="514")
$AllowedSender TCP, 127.0.0.1, 10.0.0.0/24, *.srv.world
root@dlp:~#
systemctl restart rsyslog
###### on Sender Host (sends logging data to Syslog Server Host) ###### root@node01:~# vi /etc/rsyslog.d/50-default.conf # add to last line action(type="omfwd" queue.filename="fwdRule_dlp.srv.world" queue.maxdiskspace="1g" queue.saveonshutdown="on" queue.type="LinkedList" action.resumeRetryCount="-1" Target="dlp.srv.world" Port="514" Protocol="tcp") # queue.filename : queue filename # queue.maxdiskspace : maxdiskspace for queue # queue.saveonshutdown=on : save queue data on disk when system shutdown # queue.type=LinkedList : asynchronous queue which can store 10,000 messages # action.resumeRetryCount=-1 : continue to retry sending when syslog server does not respond # Target=*** : specify syslog server Host
root@node01:~# systemctl restart rsyslog
###### that's OK, verify settings to see logs on syslog server Host ###### root@dlp:~# tail /var/log/auth.log 2024-07-02T00:05:01.996288+00:00 dlp CRON[7434]: pam_unix(cron:session): session opened for user root(uid=0) by root(uid=0) 2024-07-02T00:05:01.998747+00:00 dlp CRON[7434]: pam_unix(cron:session): session closed for user root 2024-07-02T00:06:19+00:00 node01 login[743]: pam_unix(login:session): session closed for user root 2024-07-02T00:06:19+00:00 node01 systemd-logind[632]: Session 1 logged out. Waiting for processes to exit. 2024-07-02T00:06:19+00:00 node01 systemd-logind[632]: Removed session 1. 2024-07-02T00:06:21+00:00 node01 login[916]: PAM unable to dlopen(pam_lastlog.so): /usr/lib/security/pam_lastlog.so: cannot open shared object file: No such file or directory 2024-07-02T00:06:21+00:00 node01 login[916]: PAM adding faulty module: pam_lastlog.so 2024-07-02T00:06:24+00:00 node01 login[916]: pam_unix(login:session): session opened for user root(uid=0) by root(uid=0) 2024-07-02T00:06:24+00:00 node01 systemd-logind[632]: New session 3 of user root. 2024-07-02T00:06:24+00:00 node01 login[962]: ROOT LOGIN on '/dev/ttyS0' |
Sponsored Link |
|