Public pages

h1. syslog (rsyslog) server implementation

{{toc}}

h1. Introduction

This page documents a syslog (rsyslog) server implementation that results in:

* Each client having its own /srv/syslog/<FQDN> directory, including clients that identify themselves by bare hostname or by IP address

* The files in that directory being named as they were on the client

* Three year retention

h2. Related documents

None

h1. Server

h2. Directories and files

|_.Directory or file |_.Usage |

|/etc/logrotate.d/rsyslog-imudp |Rotates /srv/syslog/<FQDN>/* log files |

|/etc/rsyslog.conf |Primary configuration file; as installed by package |

|/etc/rsyslog.d/00-modules.conf |Load and configure rsyslog modules imudp (input messages by UDP) and builtin:omfile (output files)|

|/etc/rsyslog.d/10-FileFormat.template.conf |Similar to the version on all servers|

|/etc/rsyslog.d/10-templates.conf |Sets /srv/syslog/<FQDN>/<log name> paths and sets same message format as 10-FileFormat.template.conf |

|/etc/rsyslog.d/20-rulesets.conf |Equivalent to rsyslog.conf's rules; directs clients messages to individual /srv/syslog/<FQDN>/<log name> files.  Associates the rules with module imudp |

|/etc/rsyslog.d/debug.conf.disabled |When .disabled removed, configures debug logging |

|/etc/rsyslog.d/postfix.conf |Installed by the postfix package |

|/srv/syslog/<FQDN>/ |Directory for all logs from a client |

|/var/log/* |Local log files, same as on all servers |

/etc/logrotate.d/rsyslog-imudp

<pre>

# Rotation for logs created by the rsyslog configuration for imudp

/srv/syslog/*/syslog

{

    daily

    rotate 731

    dateext

    dateyesterday

    missingok

    notifempty

    delaycompress

    compress

    postrotate

        invoke-rc.d rsyslog rotate > /dev/null

    endscript

}

/srv/syslog/*/mail.info

/srv/syslog/*/mail.warn

/srv/syslog/*/mail.err

/srv/syslog/*/mail.log

/srv/syslog/*/daemon.log

/srv/syslog/*/kern.log

/srv/syslog/*/auth.log

/srv/syslog/*/user.log

/srv/syslog/*/lpr.log

/srv/syslog/*/cron.log

/srv/syslog/*/debug

/srv/syslog/*/messages

{

    weekly

    rotate 109

    dateext

    dateyesterday

    missingok

    notifempty

    compress

    delaycompress

    sharedscripts

    postrotate

        invoke-rc.d rsyslog rotate > /dev/null

    endscript

}

</pre>

/etc/rsyslog.d/00-modules.conf

<pre>

# rsyslog config fragment for module customisation

# provides UDP syslog reception

module(load="imudp")

input(type="imudp" port="514")

# Change omfile's default parameters (so they do not have to be set in every action)

# Note: setting template MyMsgFormat here was not effective

module(

    load="builtin:omfile"

    dirCreateMode="0750"

    dirGroup="adm"

    dirOwner="root"

    fileCreateMode="0640"

    fileGroup="adm"

    fileOwner="root"

)

</pre>/etc/rsyslog.d/10-templates.conf

<pre>

# rsyslog config fragment for custom templates

# Log file paths

template (name="AuthLog"   type="string" string="/srv/syslog/%FROMHOST%/auth.log")

template (name="DaemonLog" type="string" string="/srv/syslog/%FROMHOST%/daemon.log")

template (name="DebugLog"  type="string" string="/srv/syslog/%FROMHOST%/debug.log")

template (name="KernLog"   type="string" string="/srv/syslog/%FROMHOST%/kern.log")

template (name="MailError" type="string" string="/srv/syslog/%FROMHOST%/mail.error")

template (name="MailInfo"  type="string" string="/srv/syslog/%FROMHOST%/mail.info")

template (name="MailLog"   type="string" string="/srv/syslog/%FROMHOST%/mail.log")

template (name="MailWarn"  type="string" string="/srv/syslog/%FROMHOST%/mail.warn")

template (name="Messages"  type="string" string="/srv/syslog/%FROMHOST%/messages")

template (name="Syslog"    type="string" string="/srv/syslog/%FROMHOST%/syslog")

template (name="UserLog"   type="string" string="/srv/syslog/%FROMHOST%/user.log")

# Message format

template (name="MyMsgFormat" type="string"

    string="%TIMESTAMP% %HOSTNAME:R,BRE,0,FIELD:^[^.]*\\.[^.]*--end:% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

)

</pre>Note: <notextile>%FROMHOST%</notextile> is required as shown above to support clients that identify themselves by bare hostname or by IP address logging to their own own /srv/syslog/<FQDN> directories.  It requires DNS reverse lookup.  In case DNS reverse lookup is not available, <notextile>%FROMHOST%</notextile> should be replaced by <notextile>%HOSTNAME%</notextile>.

/etc/rsyslog.d/20-rulesets.conf

<pre>

# rsyslog config fragment for custom rulesets

# Ruleset based on package's rsyslog.conf's rules for local messages

ruleset(name="imudp"){

    auth,authpriv.*             action(type="omfile" dynaFile="AuthLog"   template="MyMsgFormat")

    *.*;auth,authpriv.none      action(type="omfile" dynaFile="Syslog"    template="MyMsgFormat")

    daemon.*                    action(type="omfile" dynaFile="DaemonLog" template="MyMsgFormat")

    kern.*                      action(type="omfile" dynaFile="KernLog"   template="MyMsgFormat")

    mail.*                      action(type="omfile" dynaFile="MailLog"   template="MyMsgFormat")

    user.*                      action(type="omfile" dynaFile="UserLog"   template="MyMsgFormat")

    mail.info                   action(type="omfile" dynaFile="MailInfo"  template="MyMsgFormat")

    mail.warn                   action(type="omfile" dynaFile="MailWarn"  template="MyMsgFormat")

    mail.err                    action(type="omfile" dynaFile="MailError" template="MyMsgFormat")

    *.=debug;\

        auth,authpriv.none;\

        news.none;mail.none     action(type="omfile" dynaFile="DebugLog"  template="MyMsgFormat")

    *.=info;*.=notice;*.=warn;\

        auth,authpriv.none;\

        cron,daemon.none;\

        mail,news.none          action(type="omfile" dynaFile="Messages"  template="MyMsgFormat")

}

# Use the ruleset to input module for UPD

input(type="imudp" port="514" ruleset="imudp")

</pre>/etc/rsyslog.d/debug.conf.disabled

<pre>

$DebugFile /var/log/rsyslog-debug.log

$DebugLevel 2

</pre>

h1. Clients

h2. Debian computers

/etc/rsyslog.d/00-rsyslog-server.conf

<pre>

# Format all messages with hostname as FQDN and send to <syslog server FQDN>

$PreserveFQDN on

*.* @<syslog server FQDN>

</pre>/etc/logrotate.d/rsyslog (as installed by package except for dateext and dateyesterday

<pre>

/var/log/syslog

{

	rotate 7

	daily

	dateext

	dateyesterday

	missingok

	notifempty

	delaycompress

	compress

	postrotate

		invoke-rc.d rsyslog rotate > /dev/null

	endscript

}

/var/log/mail.info

/var/log/mail.warn

/var/log/mail.err

/var/log/mail.log

/var/log/daemon.log

/var/log/kern.log

/var/log/auth.log

/var/log/user.log

/var/log/lpr.log

/var/log/cron.log

/var/log/debug

/var/log/messages

{

	rotate 4

	weekly

	dateext

	dateyesterday

	missingok

	notifempty

	compress

	delaycompress

	sharedscripts

	postrotate

		invoke-rc.d rsyslog rotate > /dev/null

	endscript

}

</pre>

h2. MikroTik routers

<pre>

/system logging action

set 3 bsd-syslog=yes remote=<syslog server address> src-address=<router address to send messages from> \

    syslog-facility=local0 syslog-severity=alert

</pre>