
Version 1 (Charles Atkinson, 25/12/2019 10:14) → Version 2/3 (Charles Atkinson, 30/07/2020 15:06)

h1. syslog (rsyslog) server implementation

{{toc}}

h1. Introduction

This page documents a syslog (rsyslog) server implementation that results in:
* Each client having its own /srv/syslog/<FQDN> directory, including clients that identify themselves by bare hostname or by IP address
* The files in that directory being named as they were on the client. This requires the client's logrotate files to include dateext
* Three year retention

h2. Related documents

None

h1. Server

h2. Directories and files

|_.Directory or file |_.Usage |
|/etc/logrotate.d/rsyslog-imudp |Rotates /srv/syslog/<FQDN>/* log files |
|/etc/rsyslog.conf |Primary configuration file; as installed by package |
|/etc/rsyslog.d/00-modules.conf |Load and configure rsyslog modules imudp (input messages by UDP) and builtin:omfile (output files)|
|/etc/rsyslog.d/10-FileFormat.template.conf |Similar to the version on all servers|
|/etc/rsyslog.d/10-templates.conf |Sets /srv/syslog/<FQDN>/<log name> paths and sets same message format as 10-FileFormat.template.conf |
|/etc/rsyslog.d/20-rulesets.conf |Equivalent to rsyslog.conf's rules; directs clients' messages to individual /srv/syslog/<FQDN>/<log name> files. Binds the imudp input to the ruleset |
|/etc/rsyslog.d/debug.conf.disabled |When .disabled removed, configures debug logging |
|/etc/rsyslog.d/postfix.conf |Installed by the postfix package |
|/srv/syslog/<FQDN>/ |Directory for all logs from a client |
|/var/log/* |Local log files, same as on all servers |

/etc/logrotate.d/rsyslog-imudp
<pre>
# Rotation for logs created by the rsyslog configuration for imudp

/srv/syslog/*/syslog
{
daily
rotate 731
dateext
dateyesterday
missingok
notifempty
delaycompress
compress
postrotate
invoke-rc.d rsyslog rotate > /dev/null
endscript
}

/srv/syslog/*/mail.info
/srv/syslog/*/mail.warn
/srv/syslog/*/mail.err
/srv/syslog/*/mail.log
/srv/syslog/*/daemon.log
/srv/syslog/*/kern.log
/srv/syslog/*/auth.log
/srv/syslog/*/user.log
/srv/syslog/*/lpr.log
/srv/syslog/*/cron.log
/srv/syslog/*/debug
/srv/syslog/*/messages
{
weekly
rotate 109
dateext
dateyesterday
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
invoke-rc.d rsyslog rotate > /dev/null
endscript
}
</pre>
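The rotation globs above only catch files whose names match exactly, and the omfile settings in 00-modules.conf only govern how rsyslog creates directories and files; neither notices a file that appeared under a different name or whose mode was later changed. The following audit script is an added example, not part of this wiki page or of rsyslog: it checks a /srv/syslog listing against the globs from /etc/logrotate.d/rsyslog-imudp and against the 0750/0640 root:adm ownership that 00-modules.conf sets. The sample listing is constructed; scan() builds the same structure from a real server.

```python
import fnmatch
import os
import re
from dataclasses import dataclass

# Added example, not part of the original page: audits a /srv/syslog tree
# against the rotation globs in /etc/logrotate.d/rsyslog-imudp and the
# ownership/mode that 00-modules.conf configures for omfile.

LOGROTATE_GLOBS = [
    "/srv/syslog/*/syslog",
    "/srv/syslog/*/mail.info", "/srv/syslog/*/mail.warn", "/srv/syslog/*/mail.err",
    "/srv/syslog/*/mail.log", "/srv/syslog/*/daemon.log", "/srv/syslog/*/kern.log",
    "/srv/syslog/*/auth.log", "/srv/syslog/*/user.log", "/srv/syslog/*/lpr.log",
    "/srv/syslog/*/cron.log", "/srv/syslog/*/debug", "/srv/syslog/*/messages",
]
# is_dir -> (mode, owner, group) as set by dirCreateMode/fileCreateMode etc.
EXPECTED = {True: (0o750, "root", "adm"), False: (0o640, "root", "adm")}
ROTATED = re.compile(r"-\d{8}(\.gz)?$")   # dateext suffix added by logrotate


@dataclass(frozen=True)
class Entry:
    path: str
    is_dir: bool
    mode: int      # permission bits only, e.g. 0o640
    owner: str
    group: str


def scan(root="/srv/syslog"):
    """Build Entry objects from the live filesystem (Unix only)."""
    import grp, pwd, stat
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            out.append(Entry(p, stat.S_ISDIR(st.st_mode), stat.S_IMODE(st.st_mode),
                             pwd.getpwuid(st.st_uid).pw_name,
                             grp.getgrgid(st.st_gid).gr_name))
    return out


def unrotated(entries):
    """Live log files that no logrotate glob covers: they grow without bound
    and fall outside the retention policy. Rotated copies are skipped."""
    return sorted(e.path for e in entries
                  if not e.is_dir and not ROTATED.search(e.path)
                  and not any(fnmatch.fnmatchcase(e.path, g) for g in LOGROTATE_GLOBS))


def bad_permissions(entries):
    """Entries whose mode/owner/group differ from what omfile is configured to
    create; a world-readable auth.log or a root:root directory is the usual find."""
    return sorted(e.path for e in entries
                  if (e.mode, e.owner, e.group) != EXPECTED[e.is_dir])


# Constructed listing standing in for scan(); hostnames and addresses are made up
SAMPLE = [
    Entry("/srv/syslog/host1.example.com", True, 0o750, "root", "adm"),
    Entry("/srv/syslog/host1.example.com/syslog", False, 0o640, "root", "adm"),
    Entry("/srv/syslog/host1.example.com/syslog-20200729", False, 0o640, "root", "adm"),
    Entry("/srv/syslog/host1.example.com/syslog-20200728.gz", False, 0o640, "root", "adm"),
    Entry("/srv/syslog/host1.example.com/auth.log", False, 0o644, "root", "adm"),
    Entry("/srv/syslog/host1.example.com/debug.log", False, 0o640, "root", "adm"),
    Entry("/srv/syslog/10.0.0.9", True, 0o755, "root", "root"),
    Entry("/srv/syslog/10.0.0.9/mail.error", False, 0o640, "root", "adm"),
]

if __name__ == "__main__":
    for p in unrotated(SAMPLE):
        print("not covered by logrotate:", p)
    for p in bad_permissions(SAMPLE):
        print("unexpected mode/owner:", p)
```

Run it against a live server with `unrotated(scan())` and `bad_permissions(scan())`. A file name reported by unrotated() usually means a dynafile template and a logrotate glob disagree about the name; a directory reported by bad_permissions() usually means it was created by something other than rsyslog.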
/etc/rsyslog.d/00-modules.conf
<pre>
# rsyslog config fragment for module customisation

# provides UDP syslog reception
module(load="imudp")
# The UDP input itself is declared in 20-rulesets.conf, bound to the "imudp"
# ruleset; a second input on port 514 here would conflict with it

# Change omfile's default parameters (so they do not have to be set in every action)
# Note: setting template MyMsgFormat here was not effective
module(
load="builtin:omfile"
dirCreateMode="0750"
dirGroup="adm"
dirOwner="root"
fileCreateMode="0640"
fileGroup="adm"
fileOwner="root"
)
</pre>
/etc/rsyslog.d/10-templates.conf
<pre>
# rsyslog config fragment for custom templates

# Log file paths. %FROMHOST% is the sender as resolved by reverse DNS, so each
# client gets its own /srv/syslog/<FQDN>/ directory whatever hostname it puts
# in its messages. File names match the client's /var/log names, and therefore
# the globs in /etc/logrotate.d/rsyslog-imudp.
template(name="AuthLog" type="string" string="/srv/syslog/%FROMHOST%/auth.log")
template(name="DaemonLog" type="string" string="/srv/syslog/%FROMHOST%/daemon.log")
template(name="DebugLog" type="string" string="/srv/syslog/%FROMHOST%/debug")
template(name="KernLog" type="string" string="/srv/syslog/%FROMHOST%/kern.log")
template(name="MailError" type="string" string="/srv/syslog/%FROMHOST%/mail.err")
template(name="MailInfo" type="string" string="/srv/syslog/%FROMHOST%/mail.info")
template(name="MailLog" type="string" string="/srv/syslog/%FROMHOST%/mail.log")
template(name="MailWarn" type="string" string="/srv/syslog/%FROMHOST%/mail.warn")
template(name="Messages" type="string" string="/srv/syslog/%FROMHOST%/messages")
template(name="Syslog" type="string" string="/srv/syslog/%FROMHOST%/syslog")
template(name="UserLog" type="string" string="/srv/syslog/%FROMHOST%/user.log")

# Message format: timestamp, hostname cut down to its first two dot-separated
# labels (BRE ^[^.]*\.[^.]*), tag and message
template(name="MyMsgFormat" type="string"
string="%TIMESTAMP% %HOSTNAME:R,BRE,0,FIELD:^[^.]*\\.[^.]*--end:% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
)
</pre>
Note: <notextile>%FROMHOST%</notextile> is required as shown above so that clients which identify themselves by bare hostname or by IP address still log to their own /srv/syslog/<FQDN> directories. It requires DNS reverse lookup. If DNS reverse lookup is not available, replace <notextile>%FROMHOST%</notextile> with <notextile>%HOSTNAME%</notextile>.
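To see what these templates and the ruleset in 20-rulesets.conf do with one received message, here is an added example in Python; it is not rsyslog's code and not part of this wiki page, and it follows my reading of rsyslog's property replacer (R,BRE,…,FIELD returns the whole property when the regex does not match) and of legacy selector semantics (parts apply left to right, "none" clears, "=level" adds one severity, "level" adds that severity and worse). File names are the ones the logrotate globs expect. The addresses, PTR record and message are constructed.

```python
import re

# Added example, not rsyslog's code: emulates what the server's templates and
# ruleset do with one received message.

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}  # legacy spellings
HOST_RE = re.compile(r"^[^.]*\.[^.]*")   # the BRE inside MyMsgFormat


def short_hostname(hostname):
    """%HOSTNAME:R,BRE,0,FIELD:^[^.]*\\.[^.]*--end:%: keep the first two labels.
    FIELD returns the whole property when the regex does not match, so a bare
    hostname passes through; an IP address is cut to its first two octets."""
    m = HOST_RE.match(hostname)
    return m.group(0) if m else hostname


def format_line(timestamp, hostname, syslogtag, msg):
    """Render MyMsgFormat: sp-if-no-1st-sp inserts a space unless the message
    already starts with one; drop-last-lf removes a trailing newline."""
    sp = "" if msg.startswith(" ") else " "
    body = msg[:-1] if msg.endswith("\n") else msg
    return f"{timestamp} {short_hostname(hostname)} {syslogtag}{sp}{body}\n"


def client_dir(fromhost_ip, ptr_records, hostname_in_msg, use_fromhost=True):
    """Directory part of the dynafile templates. %FROMHOST% is the sender's
    reverse-DNS name (the IP when there is no PTR record); %HOSTNAME% is
    whatever the client wrote in the message header."""
    name = ptr_records.get(fromhost_ip, fromhost_ip) if use_fromhost else hostname_in_msg
    return f"/srv/syslog/{name}"


def _sev_index(name):
    return SEVERITIES.index(ALIASES.get(name, name))


def selector_matches(selector, facility, severity):
    """Legacy selector evaluation for one (facility, severity) pair."""
    sev = _sev_index(severity)
    matched = False
    for part in selector.split(";"):
        facs, pri = part.rsplit(".", 1)
        if facs != "*" and facility not in facs.split(","):
            continue
        if pri == "none":
            matched = False
        elif pri == "*":
            matched = True
        elif pri.startswith("="):
            matched = matched or sev == _sev_index(pri[1:])
        else:
            matched = matched or sev <= _sev_index(pri)
    return matched


# Selector -> file name, transcribed from the "imudp" ruleset
RULES = [
    ("auth,authpriv.*", "auth.log"),
    ("*.*;auth,authpriv.none", "syslog"),
    ("daemon.*", "daemon.log"),
    ("kern.*", "kern.log"),
    ("mail.*", "mail.log"),
    ("user.*", "user.log"),
    ("mail.info", "mail.info"),
    ("mail.warn", "mail.warn"),
    ("mail.err", "mail.err"),
    ("*.=debug;auth,authpriv.none;news.none;mail.none", "debug"),
    ("*.=info;*.=notice;*.=warn;auth,authpriv.none;cron,daemon.none;mail,news.none", "messages"),
]


def route(facility, severity):
    """Set of files in the client's directory that one message is written to."""
    return {f for sel, f in RULES if selector_matches(sel, facility, severity)}


if __name__ == "__main__":
    # Constructed message from 10.0.0.5, whose PTR record is router.example.com,
    # while the client only puts "router" in the message header
    d = client_dir("10.0.0.5", {"10.0.0.5": "router.example.com"}, "router")
    for f in sorted(route("auth", "info")):
        print(f"{d}/{f}: ", end="")
        print(format_line("Jul 30 15:06:01", "router", "sshd[1234]:", " Accepted publickey\n"), end="")
```

Two consequences worth knowing when reading the stored files: the hostname inside each line is whatever the client sent, reduced to two labels, so a client that sends an IP address appears as its first two octets; and the directory, not the line, is what identifies the sender reliably when %FROMHOST% is in use.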

/etc/rsyslog.d/20-rulesets.conf
<pre>
# rsyslog config fragment for custom rulesets

# Ruleset based on package's rsyslog.conf's rules for local messages
ruleset(name="imudp"){
auth,authpriv.* action(type="omfile" dynaFile="AuthLog" template="MyMsgFormat")
*.*;auth,authpriv.none action(type="omfile" dynaFile="Syslog" template="MyMsgFormat")
daemon.* action(type="omfile" dynaFile="DaemonLog" template="MyMsgFormat")
kern.* action(type="omfile" dynaFile="KernLog" template="MyMsgFormat")
mail.* action(type="omfile" dynaFile="MailLog" template="MyMsgFormat")
user.* action(type="omfile" dynaFile="UserLog" template="MyMsgFormat")
mail.info action(type="omfile" dynaFile="MailInfo" template="MyMsgFormat")
mail.warn action(type="omfile" dynaFile="MailWarn" template="MyMsgFormat")
mail.err action(type="omfile" dynaFile="MailError" template="MyMsgFormat")
*.=debug;\
auth,authpriv.none;\
news.none;mail.none action(type="omfile" dynaFile="DebugLog" template="MyMsgFormat")
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none action(type="omfile" dynaFile="Messages" template="MyMsgFormat")
}

# Bind the UDP input on port 514 to the ruleset above, so remote messages
# never reach the default rules that write the local /var/log files
input(type="imudp" port="514" ruleset="imudp")
</pre>
/etc/rsyslog.d/debug.conf.disabled
<pre>
$DebugFile /var/log/rsyslog-debug.log
$DebugLevel 2
</pre>

h1. Clients

h2. Debian computers

/etc/rsyslog.d/00-rsyslog-server.conf
<pre>
# Format all messages with hostname as FQDN and send to <syslog server FQDN>

$PreserveFQDN on
*.* @<syslog server FQDN>
</pre>
/etc/logrotate.d/rsyslog (as installed by package except for dateext and dateyesterday)
<pre>
/var/log/syslog
{
rotate 7
daily
dateext
dateyesterday
missingok
notifempty
delaycompress
compress
postrotate
invoke-rc.d rsyslog rotate > /dev/null
endscript
}

/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
rotate 4
weekly
dateext
dateyesterday
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
invoke-rc.d rsyslog rotate > /dev/null
endscript
}
</pre>

h2. MikroTik routers

<pre>
/system logging action
set 3 bsd-syslog=yes remote=<syslog server address> src-address=<router address to send messages from> \
syslog-facility=local0 syslog-severity=alert
</pre>