openSUSE Leap 16

Rsyslog : Basic Usage (2026/01/06)

 

This is the basic usage of Rsyslog, the log management service daemon.

[1] The rules that decide where log data is stored are configured in [/etc/rsyslog.conf].
dlp:~ #
grep -v -E "^#|^$" /etc/rsyslog.conf

$ModLoad immark.so
$MarkMessagePeriod      3600
$ModLoad imuxsock.so
$RepeatedMsgReduction   on
$ModLoad imklog.so
$FileOwner root
$FileGroup root
$FileCreateMode 0640
$DirCreateMode 0750
$Umask 0022
$IncludeConfig /run/rsyslog/additional-log-sockets.conf
$IncludeConfig /etc/rsyslog.d/*.conf
if      ( \
            /* kernel up to warning except of firewall  */ \
            ($syslogfacility-text == 'kern')      and      \
            ($syslogseverity <= 4 /* warning */ ) and not  \
            ($msg contains 'IN=' and $msg contains 'OUT=') \
        ) or ( \
            /* up to errors except of facility authpriv */ \
            ($syslogseverity <= 3 /* errors  */ ) and not  \
            ($syslogfacility-text == 'authpriv')           \
        ) \
then {
        /dev/tty10
        |/dev/xconsole
}
*.emerg                                  :omusrmsg:*
$IncludeConfig /etc/rsyslog.d/*.frule
mail.*                                  -/var/log/mail
mail.info                               -/var/log/mail.info
mail.warning                            -/var/log/mail.warn
mail.err                                 /var/log/mail.err
*.=warning;*.=err                       -/var/log/warn
*.crit                                   /var/log/warn
*.*;mail.none;news.none                 -/var/log/messages
local0.*;local1.*                       -/var/log/localmessages
local2.*;local3.*                       -/var/log/localmessages
local4.*;local5.*                       -/var/log/localmessages
local6.*;local7.*                       -/var/log/localmessages

# * how to write rules : (Facility).(Priority)  (Action)
#
# ex : *.info;mail.none;authpriv.none;cron.none /var/log/messages
# ⇒ [syslog] messages of [info] priority or higher from all facilities are stored in [/var/log/messages]
# ⇒ but messages of the [mail], [authpriv], [cron] facilities are not stored in [/var/log/messages]
#
# * a [-] prefixed to a filename means asynchronous (buffered) output
#   without [-], log data is written synchronously (flushed on every message)

# * Facilities
# kern             :  kernel messages
# auth             :  authentication related messages
# authpriv         :  authentication related messages (private)
# cron             :  cron or at related messages
# mail             :  mail services related messages
# news             :  news related messages
# uucp             :  uucp related messages
# daemon           :  daemon services related messages
# user             :  user level processes related messages
# lpr              :  printer related messages
# syslog           :  internal syslog related messages
# local0 - local7  :  possible to use for custom settings

# * Priorities
# emerg            :  system is unusable (panic level)
# alert            :  action must be taken immediately (more severe than crit)
# crit             :  critical conditions that must be corrected immediately
# err              :  common errors, non urgent failures
# warning          :  warning messages
# notice           :  not errors but some unusual events detected
# info             :  normal operational messages
# debug            :  debug information
# none             :  none (not output)

# * if you'd like to store only specified priority messages
# add [=] like follows
# ex : kern.=crit     /dev/console
[2] To forward log data to a remote host, configure as follows. Note that this example uses plain TCP: log data is sent unencrypted, and [$AllowedSender] only filters by source address or name, it does not authenticate the sender.
###### on Syslog Server Host (receives logging data from other Hosts) ######

dlp:~ #
vi /etc/rsyslog.d/remote.conf
# line 48 : add follows
module(load="imtcp")
input(type="imtcp" port="514")
$AllowedSender TCP, 127.0.0.1, 10.0.0.0/24, *.srv.world

dlp:~ #
systemctl restart rsyslog
# if firewalld is running, allow the port

dlp:~ #
firewall-cmd --add-port=514/tcp

dlp:~ #
firewall-cmd --runtime-to-permanent

###### on Sender Host (sends logging data to Syslog Server Host) ######

node01:~ #
vi /etc/rsyslog.d/remote.conf
# append the following at the end of the file

action(type="omfwd"
       queue.filename="fwdRule_dlp.srv.world"
       queue.maxdiskspace="1g"
       queue.saveonshutdown="on"
       queue.type="LinkedList"
       action.resumeRetryCount="-1"
       Target="dlp.srv.world" Port="514" Protocol="tcp")

# queue.filename               :   queue filename
# queue.maxdiskspace           :   maxdiskspace for queue
# queue.saveonshutdown=on      :   save queued data to disk when the system shuts down
# queue.type=LinkedList        :   asynchronous queue which can store 10,000 messages
# action.resumeRetryCount=-1   :   keep retrying indefinitely when the syslog server does not respond
# Target=***                   :   specify syslog server Host

node01:~ #
systemctl restart rsyslog

###### That's it. Verify the setup by checking the logs on the Syslog Server Host ######

dlp:~ #
tail -15 /var/log/messages

2026-01-06T10:16:39+09:00 node01 systemd[1]: run-user-0.mount: Deactivated successfully.
2026-01-06T10:16:39+09:00 node01 systemd[1]: user-runtime-dir@0.service: Deactivated successfully.
2026-01-06T10:16:39+09:00 node01 systemd[1]: Stopped User Runtime Directory /run/user/0.
2026-01-06T10:16:39+09:00 node01 systemd[1]: Removed slice User Slice of UID 0.
2026-01-06T10:16:40+09:00 node01 su[1223]: (to root) suse on ttyS0
2026-01-06T10:16:40+09:00 node01 su[1223]: pam_unix(su-l:session): session opened for user root(uid=0) by suse(uid=1000)
2026-01-06T10:17:13.843471+09:00 dlp systemd[1]: Stopping OpenSSH Daemon...
2026-01-06T10:17:13.851626+09:00 dlp sshd[1216]: Received signal 15; terminating.
2026-01-06T10:17:13.851750+09:00 dlp systemd[1]: sshd.service: Deactivated successfully.
2026-01-06T10:17:13.851820+09:00 dlp systemd[1]: Stopped OpenSSH Daemon.
2026-01-06T10:17:13.851900+09:00 dlp systemd[1]: Starting OpenSSH Daemon...
2026-01-06T10:17:13.859454+09:00 dlp sshd-gen-keys-start[3310]: Checking for missing server keys in /etc/ssh
2026-01-06T10:17:14.007238+09:00 dlp sshd[3315]: Server listening on 0.0.0.0 port 22.
2026-01-06T10:17:14.007444+09:00 dlp sshd[3315]: Server listening on :: port 22.
2026-01-06T10:17:14.007793+09:00 dlp systemd[1]: Started OpenSSH Daemon.