syslog (rsyslog) server implementation

Introduction

This page documents a syslog (rsyslog) server implementation that results in:
  • Each client having its own /srv/syslog/<FQDN> directory, including clients that identify themselves by bare hostname or by IP address
  • The files in that directory being named as they were on the client
  • Three year retention

Related documents

Server

Directories and files

Directory or file                               Usage
----------------------------------------------  -----------------------------------------------------------------
/etc/logrotate.d/rsyslog-imudp                  Rotates /srv/syslog/<FQDN>/* log files
/etc/rsyslog.conf                               Primary configuration file; as installed by package
/etc/rsyslog.d/00-modules.conf                  Loads and configures rsyslog modules imudp (input messages by UDP) and builtin:omfile (output files)
/etc/rsyslog.d/10-FileFormat.template.conf      Similar to the version on all servers
/etc/rsyslog.d/10-templates.conf                Sets /srv/syslog/<FQDN>/<log name> paths and the same message format as 10-FileFormat.template.conf
/etc/rsyslog.d/20-rulesets.conf                 Equivalent to rsyslog.conf's rules; directs clients' messages to individual /srv/syslog/<FQDN>/<log name> files and binds the rules to module imudp
/etc/rsyslog.d/debug.conf.disabled              Configures debug logging when .disabled is removed
/etc/rsyslog.d/postfix.conf                     Installed by the postfix package
/srv/syslog/<FQDN>/                             Directory for all logs from a client
/var/log/*                                      Local log files, same as on all servers

/etc/logrotate.d/rsyslog-imudp
# Rotation for logs created by the rsyslog configuration for imudp

/srv/syslog/*/syslog
{
    daily
    rotate 731
    dateext
    dateyesterday
    missingok
    notifempty
    delaycompress
    compress
    postrotate
        invoke-rc.d rsyslog rotate > /dev/null
    endscript
}

/srv/syslog/*/mail.info
/srv/syslog/*/mail.warn
/srv/syslog/*/mail.err
/srv/syslog/*/mail.log
/srv/syslog/*/daemon.log
/srv/syslog/*/kern.log
/srv/syslog/*/auth.log
/srv/syslog/*/user.log
/srv/syslog/*/lpr.log
/srv/syslog/*/cron.log
/srv/syslog/*/debug
/srv/syslog/*/messages
{
    weekly
    rotate 109
    dateext
    dateyesterday
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        invoke-rc.d rsyslog rotate > /dev/null
    endscript
}

/etc/rsyslog.d/00-modules.conf
# rsyslog config fragment for module customisation

# provides UDP syslog reception; the listener itself is declared in
# 20-rulesets.conf, bound to the "imudp" ruleset, so it is not repeated here
# (a second input() on port 514 without ruleset= would deliver to the default
# ruleset and write under /var/log instead of /srv/syslog)
module(load="imudp")

# Change omfile's default parameters (so they do not have to be set in every action)
# Note: setting template MyMsgFormat here was not effective
module(
    load="builtin:omfile" 
    dirCreateMode="0750" 
    dirGroup="adm" 
    dirOwner="root" 
    fileCreateMode="0640" 
    fileGroup="adm" 
    fileOwner="root" 
)

/etc/rsyslog.d/10-templates.conf
# rsyslog config fragment for custom templates

# Log file paths
template (name="AuthLog"   type="string" string="/srv/syslog/%FROMHOST%/auth.log")
template (name="DaemonLog" type="string" string="/srv/syslog/%FROMHOST%/daemon.log")
# File names match the client-side names so the rsyslog-imudp logrotate globs
# (/srv/syslog/*/debug, /srv/syslog/*/mail.err) cover them
template (name="DebugLog"  type="string" string="/srv/syslog/%FROMHOST%/debug")
template (name="KernLog"   type="string" string="/srv/syslog/%FROMHOST%/kern.log")
template (name="MailError" type="string" string="/srv/syslog/%FROMHOST%/mail.err")
template (name="MailInfo"  type="string" string="/srv/syslog/%FROMHOST%/mail.info")
template (name="MailLog"   type="string" string="/srv/syslog/%FROMHOST%/mail.log")
template (name="MailWarn"  type="string" string="/srv/syslog/%FROMHOST%/mail.warn")
template (name="Messages"  type="string" string="/srv/syslog/%FROMHOST%/messages")
template (name="Syslog"    type="string" string="/srv/syslog/%FROMHOST%/syslog")
template (name="UserLog"   type="string" string="/srv/syslog/%FROMHOST%/user.log")

# Message format
template (name="MyMsgFormat" type="string" 
    string="%TIMESTAMP% %HOSTNAME:R,BRE,0,FIELD:^[^.]*\\.[^.]*--end:% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n" 
)

Notes
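
The HOSTNAME property replacer in MyMsgFormat is the only non-obvious part of the template: once rsyslog has unquoted the string, the BRE is ^[^.]*\.[^.]* (the first two dot-separated labels), submatch 0 is the whole match, and the FIELD nomatch option returns the property unchanged when there is no match. The following Python is an added example, not part of the page's configuration; it emulates that replacer and the sp-if-no-1st-sp / drop-last-lf message options, and runs three constructed messages through it, one for each client kind named in the introduction. It shows the consequence of the regex for a client that puts a dotted-quad IP address in the HOSTNAME field: the field is cut to its first two octets, because the regex knows only about labels.

```python
import re

# Python form of the BRE inside MyMsgFormat (the config's "\\." is one
# escaped dot once rsyslog has unquoted the string): the first two
# dot-separated labels of the HOSTNAME property.
_FIRST_TWO_LABELS = re.compile(r"^[^.]*\.[^.]*")


def trim_hostname(hostname: str) -> str:
    """Emulate %HOSTNAME:R,BRE,0,FIELD:^[^.]*\\.[^.]*--end:%.

    Submatch 0 is the whole match; the FIELD nomatch option makes rsyslog
    emit the property unchanged when the regex does not match at all.
    """
    m = _FIRST_TWO_LABELS.match(hostname)
    return m.group(0) if m else hostname


def format_line(timestamp: str, hostname: str, syslogtag: str, msg: str) -> str:
    """Emulate one MyMsgFormat record (without the trailing newline).

    sp-if-no-1st-sp: emit a single space unless msg already starts with one.
    drop-last-lf:    emit msg with one trailing LF removed.
    """
    separator = "" if msg.startswith(" ") else " "
    body = msg[:-1] if msg.endswith("\n") else msg
    return f"{timestamp} {trim_hostname(hostname)} {syslogtag}{separator}{body}"


# Constructed sample messages, one per client kind from the introduction:
# a client that preserves its FQDN, one that sends a bare hostname, and
# one that puts an IP address in the HOSTNAME field.
SAMPLE_MESSAGES = [
    ("Jun  1 10:00:01", "web1.example.org", "sshd[1234]:", " Accepted publickey for alice\n"),
    ("Jun  1 10:00:02", "switch7", "kernel:", "link up on port 3\n"),
    ("Jun  1 10:00:03", "192.0.2.10", "system,info", "router rebooted"),
]


def render_samples() -> list:
    """Render every constructed sample through the emulated template."""
    return [format_line(*m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for line in render_samples():
        print(line)
```

The directory a message lands in is chosen by %FROMHOST% in the path templates, not by this replacer, so the truncated host name affects only the text of each record; if IP-identified clients matter, search /srv/syslog by directory rather than by the host column.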

/etc/rsyslog.d/20-rulesets.conf

# rsyslog config fragment for custom rulesets

# Ruleset based on package's rsyslog.conf's rules for local messages
ruleset(name="imudp"){
    auth,authpriv.*             action(type="omfile" dynaFile="AuthLog"   template="MyMsgFormat")
    *.*;auth,authpriv.none      action(type="omfile" dynaFile="Syslog"    template="MyMsgFormat")
    daemon.*                    action(type="omfile" dynaFile="DaemonLog" template="MyMsgFormat")
    kern.*                      action(type="omfile" dynaFile="KernLog"   template="MyMsgFormat")
    mail.*                      action(type="omfile" dynaFile="MailLog"   template="MyMsgFormat")
    user.*                      action(type="omfile" dynaFile="UserLog"   template="MyMsgFormat")
    mail.info                   action(type="omfile" dynaFile="MailInfo"  template="MyMsgFormat")
    mail.warn                   action(type="omfile" dynaFile="MailWarn"  template="MyMsgFormat")
    mail.err                    action(type="omfile" dynaFile="MailError" template="MyMsgFormat")
    *.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     action(type="omfile" dynaFile="DebugLog"  template="MyMsgFormat")
    *.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          action(type="omfile" dynaFile="Messages"  template="MyMsgFormat")
}

# Bind the "imudp" ruleset to the UDP input (this is the only imudp listener)
input(type="imudp" port="514" ruleset="imudp")
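
Retention only holds if every file the dynaFile templates create is matched by a glob in /etc/logrotate.d/rsyslog-imudp; a template path that no glob covers grows for three years and never compresses. The following Python is an added consistency check, not part of the page's configuration. It parses the string templates out of a 10-templates.conf fragment and the stanza-heading globs out of a logrotate fragment, substitutes a constructed host name (host.example.org) for %FROMHOST%, and reports templates that no glob would rotate as well as globs that no template feeds. The two embedded fragments are constructed samples; the last two templates deliberately use file names (mail.error, debug.log) that the globs (mail.err, debug) do not match, so the check has something to report.

```python
import re
import sys
from fnmatch import fnmatchcase

# Constructed sample of /etc/rsyslog.d/10-templates.conf path templates.
# The last two use names that the logrotate globs below do not match.
TEMPLATES_CONF = """\
template (name="AuthLog"   type="string" string="/srv/syslog/%FROMHOST%/auth.log")
template (name="Syslog"    type="string" string="/srv/syslog/%FROMHOST%/syslog")
template (name="MailError" type="string" string="/srv/syslog/%FROMHOST%/mail.error")
template (name="DebugLog"  type="string" string="/srv/syslog/%FROMHOST%/debug.log")
"""

# Constructed sample of /etc/logrotate.d/rsyslog-imudp stanza headings.
LOGROTATE_CONF = """\
/srv/syslog/*/syslog
{
    daily
    rotate 731
}

/srv/syslog/*/mail.err
/srv/syslog/*/auth.log
/srv/syslog/*/debug
{
    weekly
    rotate 109
}
"""

# Constructed stand-in for the client's resolved name (%FROMHOST%).
SAMPLE_HOST = "host.example.org"

_TEMPLATE_RE = re.compile(r'template\s*\(\s*name="([^"]+)"[^)]*string="([^"]+)"')


def template_paths(conf: str) -> dict:
    """Map template name -> path string for every string template in conf."""
    return {m.group(1): m.group(2) for m in _TEMPLATE_RE.finditer(conf)}


def logrotate_globs(conf: str) -> list:
    """Collect the path globs that head each logrotate stanza."""
    return [ln.strip() for ln in conf.splitlines() if ln.strip().startswith("/")]


def concrete_path(template: str, host: str = SAMPLE_HOST) -> str:
    """Turn a dynaFile template into the path rsyslog would open for host."""
    return template.replace("%FROMHOST%", host)


def unrotated_templates(templates: dict, globs: list) -> dict:
    """Templates whose concrete file matches no logrotate glob (never rotated)."""
    missing = {}
    for name, tmpl in templates.items():
        path = concrete_path(tmpl)
        if not any(fnmatchcase(path, g) for g in globs):
            missing[name] = path
    return missing


def unfed_globs(templates: dict, globs: list) -> list:
    """Globs that no template feeds; harmless with missingok, but worth knowing."""
    paths = [concrete_path(t) for t in templates.values()]
    return [g for g in globs if not any(fnmatchcase(p, g) for p in paths)]


def run_check(templates_conf: str = TEMPLATES_CONF, logrotate_conf: str = LOGROTATE_CONF) -> dict:
    """Run both checks and return the findings as one dict."""
    templates = template_paths(templates_conf)
    globs = logrotate_globs(logrotate_conf)
    return {
        "unrotated": unrotated_templates(templates, globs),
        "unfed": unfed_globs(templates, globs),
    }


if __name__ == "__main__":
    # Pass the real files as arguments to check a live server:
    #   python3 check_rotation.py /etc/rsyslog.d/10-templates.conf /etc/logrotate.d/rsyslog-imudp
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as t, open(sys.argv[2]) as l:
            findings = run_check(t.read(), l.read())
    else:
        findings = run_check()
    for name, path in findings["unrotated"].items():
        print(f"NOT ROTATED: template {name} -> {path}")
    for g in findings["unfed"]:
        print(f"no template feeds glob {g}")
```

On the page's own files the unfed list will include the cron.log and lpr.log globs, which is expected: 20-rulesets.conf has no cron or lpr rule, so those facilities reach only the syslog file.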
/etc/rsyslog.d/debug.conf.disabled
$DebugFile /var/log/rsyslog-debug.log
$DebugLevel 2

Clients

Cisco Small Business series switches

snmp contact "<contact>" 
snmp-server community <community name> ro view Default
snmp-server location <FQDN>
snmp-server server
snmp-server source-interface traps vlan <VLAN>
snmp-server host <rsyslog server IP address> traps version 2 <community name>

Debian computers

/etc/rsyslog.d/00-rsyslog-server.conf

# Format all messages with hostname as FQDN and send to <syslog server FQDN>

$PreserveFQDN on
*.* @<syslog server FQDN>

/etc/logrotate.d/rsyslog (as installed by package except for dateext and dateyesterday)
/var/log/syslog
{
    rotate 7
    daily
    dateext
    dateyesterday
    missingok
    notifempty
    delaycompress
    compress
    postrotate
        invoke-rc.d rsyslog rotate > /dev/null
    endscript
}

/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
    rotate 4
    weekly
    dateext
    dateyesterday
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        invoke-rc.d rsyslog rotate > /dev/null
    endscript
}

MikroTik routers

/system logging action
set 3 bsd-syslog=yes remote=<syslog server address> src-address=<router address to send messages from> \
    syslog-facility=local0 syslog-severity=alert