CentOS Stream 10

Rsyslog : Basic Usage
2025/01/04
 

This is the basic usage of Rsyslog, the log management service daemon.

[1] On CentOS Stream, the [imjournal] module is enabled in Rsyslog by default.
Therefore, Rsyslog imports syslog messages from Journald, which is the systemd log management service.
[root@dlp ~]#
grep imjournal /etc/rsyslog.conf

                          # local messages are retrieved through imjournal now.
module(load="imjournal"             # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal
[2] The rules that decide where logging data is stored are configured in [/etc/rsyslog.conf].
[root@dlp ~]#
grep -v -E "^#|^$" /etc/rsyslog.conf

global(workDirectory="/var/lib/rsyslog")
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket;
                          # local messages are retrieved through imjournal now.
module(load="imjournal"             # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal
include(file="/etc/rsyslog.d/*.conf" mode="optional")
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

# * how to write rules : (Facility).(Priority)  (Action)
#
# ex : *.info;mail.none;authpriv.none;cron.none /var/log/messages
# ⇒ [syslog] messages of [info] Priority or higher from all Facilities are stored in [/var/log/messages]
# ⇒ but messages of the [mail], [authpriv], [cron] Facilities are not stored in [/var/log/messages]
#
# * the [-] that is added at the head of a filename means asynchronous output
#   if [-] is not added, logging data are written with synchronous output

# * Facilities
# kern             :  kernel messages
# auth             :  authentication related messages
# authpriv         :  authentication related messages (private)
# cron             :  cron or at related messages
# mail             :  mail services related messages
# news             :  news related messages
# uucp             :  uucp related messages
# daemon           :  daemon services related messages
# user             :  user level processes related messages
# lpr              :  printer related messages
# syslog           :  internal syslog related messages
# local0 - local7  :  possible to use for custom settings

# * Priorities (most severe first)
# emerg            :  system is unusable (panic level)
# alert            :  action must be taken immediately (more severe than crit)
# crit             :  critical conditions that need to be corrected immediately
# err              :  common errors, non-urgent failures
# warning          :  warning messages
# notice           :  not errors, but unusual events worth noting
# info             :  normal operational messages
# debug            :  debug information
# none             :  none (no output for this facility)

# * if you'd like to store only specified priority messages
# add [=] like follows
# ex : kern.=crit     /dev/console
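The selector rules above can be checked offline before they are written into /etc/rsyslog.conf. The following is an added example, not code from the original page or from rsyslog itself: it models the classic (Facility).(Priority) semantics described in the comments ("*" and "a,b" facility lists, "prio" meaning that priority and above, "=prio" meaning exactly that priority, "none" cancelling an earlier part) and replays the page's own rule table through it. Assumed simplification: the "!" negation form is not modelled.

```python
# Added example (not from the page or rsyslog): a model of classic selector
# matching, so a rule line can be tested before editing /etc/rsyslog.conf.
# Assumption: only the forms shown on the page ("*", "a,b", "=prio", "none").

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]  # most severe first

# The rule table from the page's /etc/rsyslog.conf, as (selector, action) pairs.
PAGE_RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "-/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", ":omusrmsg:*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
]

def _facilities(spec):
    # Expand "*" or "uucp,news" into a set of facility names.
    if spec == "*":
        return set(FACILITIES)
    names = set(spec.split(","))
    if not names <= set(FACILITIES):
        raise ValueError(f"unknown facility in {spec!r}")
    return names

def selector_matches(selector, facility, priority):
    """True if a (facility, priority) message is selected by one selector line.
    Parts apply left to right; a later part for the same facility overrides an
    earlier one, which is how "mail.none" cancels "*.info" for the mail facility."""
    sev = PRIORITIES.index(priority)
    selected = False
    for part in selector.split(";"):
        fac_spec, _, prio_spec = part.strip().rpartition(".")
        if facility not in _facilities(fac_spec):
            continue
        if prio_spec == "none":
            selected = False
        elif prio_spec == "*":
            selected = True
        elif prio_spec.startswith("="):       # exactly this priority
            selected = sev == PRIORITIES.index(prio_spec[1:])
        else:                                 # this priority and anything more severe
            selected = sev <= PRIORITIES.index(prio_spec)
    return selected

def destinations(rules, facility, priority):
    # Actions that receive the message, in configuration order.
    return [action for sel, action in rules if selector_matches(sel, facility, priority)]
```

With the page's table, `destinations(PAGE_RULES, "authpriv", "info")` yields only `/var/log/secure`, while a `kern.emerg` message goes to both `/var/log/messages` and `:omusrmsg:*`.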
[3] If you'd like to change the setting so that Rsyslog receives syslog messages from the UNIX socket instead of the systemd journal (the default), configure as follows.
The UNIX socket setting is the default on Ubuntu and some other distributions.
[root@dlp ~]#
vi /etc/rsyslog.conf
# line 17-21 : change like follows
# ⇒ change to SysSock.Use=on
# ⇒ comment out the imjournal module
module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
       SysSock.Use="on")  # Turn on message reception via local log socket;
                          # local messages are now retrieved through the socket, not imjournal.
#module(load="imjournal"            # provides access to the systemd journal
#       StateFile="imjournal.state") # File to store the position in the journal

[root@dlp ~]#
systemctl restart rsyslog
[4] To transfer logging data to remote hosts, configure as follows.
###### on Syslog Server Host (receives logging data from other Hosts) ######

[root@dlp ~]#
vi /etc/rsyslog.conf
# line 36-37 : uncomment
# line 38 : set allowed hosts to connect
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
$AllowedSender TCP, 127.0.0.1, 10.0.0.0/24, *.srv.world

[root@dlp ~]#
systemctl restart rsyslog
# if firewalld is running, allow ports

[root@dlp ~]#
firewall-cmd --add-port=514/tcp

[root@dlp ~]#
firewall-cmd --runtime-to-permanent

###### on Sender Host (sends logging data to Syslog Server Host) ######

[root@node01 ~]#
vi /etc/rsyslog.conf
# add to the end

action(type="omfwd"
       queue.filename="fwdRule_dlp.srv.world"
       queue.maxdiskspace="1g"
       queue.saveonshutdown="on"
       queue.type="LinkedList"
       action.resumeRetryCount="-1"
       Target="dlp.srv.world" Port="514" Protocol="tcp")

# queue.filename               :   file name used for the on-disk part of the queue
# queue.maxdiskspace           :   maximum disk space the queue may use
# queue.saveonshutdown=on      :   save queued data to disk when the system shuts down
# queue.type=LinkedList        :   asynchronous queue which can store 10,000 messages
# action.resumeRetryCount=-1   :   keep retrying indefinitely when the syslog server does not respond
# Target=***                   :   specify the syslog server host

[root@node01 ~]#
systemctl restart rsyslog

###### that's all; verify the settings by viewing the logs on the Syslog Server Host ######

[root@dlp ~]#
tail /var/log/secure

Jan  4 10:20:48 dlp login[966]: pam_unix(login:session): session opened for user root(uid=0) by root(uid=0)
Jan  4 10:20:48 dlp login[966]: DIALUP AT ttyS0 BY root
Jan  4 10:20:48 dlp login[966]: ROOT LOGIN ON ttyS0
Jan  4 11:11:54 node01 sshd[919]: Received signal 15; terminating.
Jan  4 11:11:54 node01 sshd[1949]: Server listening on 0.0.0.0 port 22.
Jan  4 11:11:54 node01 sshd[1949]: Server listening on :: port 22.
Jan  4 11:12:00 node01 groupadd[1968]: group added to /etc/group: name=apache, GID=48
Jan  4 11:12:00 node01 groupadd[1968]: group added to /etc/gshadow: name=apache
Jan  4 11:12:00 node01 groupadd[1968]: new group: name=apache, GID=48
Jan  4 11:12:00 node01 useradd[1972]: new user: name=apache, UID=48, GID=48, home=/usr/share/httpd, shell=/sbin/nologin, from=none
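The output above mixes the server's own messages with those forwarded from node01, so a quick per-host count is the easiest way to confirm forwarding works. The following is an added example, not from the original page: it parses lines in the RSYSLOG_TraditionalFileFormat shown above, counts messages per originating host, and pulls out the useradd/groupadd account-creation events from the sender. The SAMPLE text is constructed from the page's own output.

```python
# Added example (not from the page): parse traditional-format /var/log/secure
# lines to check which hosts are delivering and to extract account changes.
import re
from collections import Counter

# Constructed from the page's tail output above.
SAMPLE = """\
Jan  4 10:20:48 dlp login[966]: ROOT LOGIN ON ttyS0
Jan  4 11:11:54 node01 sshd[1949]: Server listening on 0.0.0.0 port 22.
Jan  4 11:12:00 node01 groupadd[1968]: group added to /etc/group: name=apache, GID=48
Jan  4 11:12:00 node01 groupadd[1968]: new group: name=apache, GID=48
Jan  4 11:12:00 node01 useradd[1972]: new user: name=apache, UID=48, GID=48, home=/usr/share/httpd, shell=/sbin/nologin, from=none
"""

# Traditional format: "Mmm dd HH:MM:SS host tag[pid]: message"; the [pid] part is optional.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def messages_per_host(text):
    """Count lines per originating host; a sender with zero lines is not forwarding."""
    return Counter(rec["host"] for rec in parse(text))

def account_changes(text):
    """Return (host, tag, name) for "new user"/"new group" events from useradd/groupadd."""
    out = []
    for rec in parse(text):
        if rec["tag"] in ("useradd", "groupadd") and rec["msg"].startswith("new "):
            # "new user: name=apache, UID=48, ..." -> {"name": "apache", "UID": "48", ...}
            fields = dict(kv.split("=", 1) for kv in rec["msg"].split(": ", 1)[1].split(", "))
            out.append((rec["host"], rec["tag"], fields["name"]))
    return out
```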