
Rsyslog : Basic Usage2022/08/30

 
This is the basic usage of Rsyslog, the log management service daemon.
[1] The rules that decide where logging data is stored are configured in [/etc/rsyslog.conf] and the files it includes.
root@dlp:~#
grep -v -E "^#|^$" /etc/rsyslog.conf /etc/rsyslog.d/*

/etc/rsyslog.conf:module(load="imuxsock") # provides support for local system logging
/etc/rsyslog.conf:module(load="imklog" permitnonkernelfacility="on")
/etc/rsyslog.conf:$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
/etc/rsyslog.conf:$RepeatedMsgReduction on
/etc/rsyslog.conf:$FileOwner syslog
/etc/rsyslog.conf:$FileGroup adm
/etc/rsyslog.conf:$FileCreateMode 0640
/etc/rsyslog.conf:$DirCreateMode 0755
/etc/rsyslog.conf:$Umask 0022
/etc/rsyslog.conf:$PrivDropToUser syslog
/etc/rsyslog.conf:$PrivDropToGroup syslog
/etc/rsyslog.conf:$WorkDirectory /var/spool/rsyslog
/etc/rsyslog.conf:$IncludeConfig /etc/rsyslog.d/*.conf
/etc/rsyslog.d/20-ufw.conf::msg,contains,"[UFW " /var/log/ufw.log
/etc/rsyslog.d/21-cloudinit.conf::syslogtag, isequal, "[CLOUDINIT]" /var/log/cloud-init.log
/etc/rsyslog.d/21-cloudinit.conf:& stop
/etc/rsyslog.d/50-default.conf:auth,authpriv.*                  /var/log/auth.log
/etc/rsyslog.d/50-default.conf:*.*;auth,authpriv.none           -/var/log/syslog
/etc/rsyslog.d/50-default.conf:kern.*                           -/var/log/kern.log
/etc/rsyslog.d/50-default.conf:mail.*                           -/var/log/mail.log
/etc/rsyslog.d/50-default.conf:mail.err                 /var/log/mail.err
/etc/rsyslog.d/50-default.conf:*.emerg                          :omusrmsg:*

# * how to write rules : (Facility).(Priority)  (Action)
#
# ex : *.info;mail.none;authpriv.none;cron.none /var/log/messages
# ⇒ messages of [info] priority (and above) from all facilities are stored in [/var/log/messages]
# ⇒ but messages from the [mail], [authpriv], and [cron] facilities are not stored in [/var/log/messages]
#
# * a [-] added at the head of a filename means asynchronous output
#   if [-] is not added, logging data is written with synchronous output

# * Facilities
# kern             :  kernel messages
# auth             :  authentication related messages
# authpriv         :  authentication related messages (private)
# cron             :  cron or at related messages
# mail             :  mail services related messages
# news             :  news related messages
# uucp             :  uucp related messages
# daemon           :  daemon services related messages
# user             :  user level processes related messages
# lpr              :  printer related messages
# syslog           :  internal syslog related messages
# local0 - local7  :  possible to use for custom settings

# * Priorities (from most to least severe)
# emerg            :  emergency; the system is unusable (panic level)
# alert            :  action must be taken immediately (more severe than crit)
# crit             :  critical conditions that must be corrected promptly
# err              :  common errors, non-urgent failures
# warning          :  warning messages
# notice           :  not errors, but some unusual events were detected
# info             :  normal operational messages
# debug            :  debug information
# none             :  none (not output)

# * if you'd like to store only messages of one specified priority,
# add [=] as follows
# ex : kern.=crit     /dev/console
[2] To forward logging data to a remote host, configure as follows.
###### on Syslog Server Host (receives logging data from other Hosts) ######

root@dlp:~#
vi /etc/rsyslog.conf
# line 21-22 : uncomment
# line 23 : restrict which hosts are allowed to send logs to this server
module(load="imtcp")
input(type="imtcp" port="514")
$AllowedSender TCP, 127.0.0.1, 10.0.0.0/24, *.srv.world

root@dlp:~#
systemctl restart rsyslog

###### on Sender Host (sends logging data to Syslog Server Host) ######

root@node01:~#
vi /etc/rsyslog.d/50-default.conf
# add to the end

action(type="omfwd"
       queue.filename="fwdRule_dlp.srv.world"
       queue.maxdiskspace="1g"
       queue.saveonshutdown="on"
       queue.type="LinkedList"
       action.resumeRetryCount="-1"
       Target="dlp.srv.world" Port="514" Protocol="tcp")

# queue.filename               :   file name used for the on-disk queue
# queue.maxdiskspace           :   maximum disk space the queue may use
# queue.saveonshutdown=on      :   save queued data to disk when the system shuts down
# queue.type=LinkedList        :   asynchronous queue which can store 10,000 messages
# action.resumeRetryCount=-1   :   retry sending indefinitely when the syslog server does not respond
# Target=***                   :   specify the syslog server host (this example forwards over plain TCP, so the data is sent unencrypted)

root@node01:~#
systemctl restart rsyslog

###### that's all; verify the settings by viewing the logs on the Syslog Server Host ######

root@dlp:~#
tail /var/log/auth.log

Aug 30 00:43:15 dlp systemd: pam_unix(systemd-user:session): session opened for user root(uid=0) by (uid=0)
Aug 30 00:43:15 dlp login[928]: ROOT LOGIN  on '/dev/ttyS0'
Aug 30 01:17:01 dlp CRON[12467]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Aug 30 01:17:01 dlp CRON[12467]: pam_unix(cron:session): session closed for user root
Aug 30 01:19:40 node01 login[670]: pam_unix(login:session): session closed for user root
Aug 30 01:19:40 node01 systemd-logind[574]: Session 1 logged out. Waiting for processes to exit.
Aug 30 01:19:40 node01 systemd-logind[574]: Removed session 1.
Aug 30 01:19:46 node01 login[832]: pam_unix(login:session): session opened for user root(uid=0) by LOGIN(uid=0)
Aug 30 01:19:46 node01 systemd-logind[574]: New session 4 of user root.
Aug 30 01:19:46 node01 login[887]: ROOT LOGIN  on '/dev/ttyS0'