
System Logging Configuration with Rsyslog
Rsyslog is a powerful and flexible logging system for Linux that provides a wide range of features to manage log messages from various sources. In this article, we will explore 11 essential system logging configurations that you can use with rsyslog.
1. Basic Rsyslog Configuration
To start, ensure that the rsyslog service is running and enabled on your system:
```bash
sudo systemctl status rsyslog
```
Then, verify that the configuration file exists at /etc/rsyslog.conf:
```bash
ls /etc/rsyslog.conf
```
2. Log Files Rotation
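Rsyslog can rotate log files to prevent them from growing too large and consuming disk space. To enable log rotation for a specific log file (e.g., messages), add the following configuration to /etc/rsyslog.conf:
```bash
# Dynamic file name: the date properties expand to the current day
$template RotateMsg,"/var/log/messages-%$YEAR%-%$MONTH%-%$DAY%"
# Selector conventionally used for /var/log/messages
*.info;mail.none;authpriv.none;cron.none -?RotateMsg
```
This will start a new dated messages file every day. Older files are not deleted or compressed automatically.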
3. Remote Logging with TCP
Rsyslog can send log messages over a network connection to another system running rsyslog. To configure remote logging using TCP, add the following configuration:
```bash
$ModLoad imtcp # Load the input module for receiving TCP connections
input(type="imtcp" port="514")
# One file per host, named after the hostname carried in the message
$template TcpRemoteLog,"/var/log/remote-%HOSTNAME%.log"
*.*;kern.warning;kern.crit -?TcpRemoteLog
```
This configuration belongs on the receiving system: it makes rsyslog accept log messages on TCP port 514 and write the messages matched by the selector to a separate file for each host.
4. Remote Logging with UDP
Rsyslog can also send log messages over UDP:
```bash
$ModLoad imudp # Load the input module for receiving UDP connections
input(type="imudp" port="514")
# One file per host, named after the hostname carried in the message
$template UdpRemoteLog,"/var/log/remote-%HOSTNAME%.log"
*.*;kern.warning;kern.crit -?UdpRemoteLog
```
This configuration belongs on the receiving system: it makes rsyslog accept log messages on UDP port 514 and write the messages matched by the selector to a separate file for each host.
5. Prioritizing Log Messages
Rsyslog can prioritize log messages based on their severity:
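```bash
$template HighPriority,"/var/log/high-priority.log"
# *.debug matches debug and every more severe level; *.=debug matches debug only
*.debug -?HighPriority
$template MediumPriority,"/var/log/medium-priority.log"
*.info;kern.warning;kern.crit -?MediumPriority
$template LowPriority,"/var/log/low-priority.log"
*.* -?LowPriority
```
This will log debug messages to a separate file, while info, warning, and critical kernel messages are logged to another file. Note that a selector matches the named severity and everything more severe, so the debug file also receives all higher severities unless the selector is written as *.=debug.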
6. Suppressing Duplicate Log Messages
Rsyslog can suppress duplicate log messages within a certain time period:
```bash
# Suppress consecutive duplicate messages
$RepeatedMsgReduction on
$template SuppressDups,"/var/log/suppressed-duplicates.log"
*.info;kern.warning;kern.crit -?SuppressDups
```
This will make rsyslog collapse runs of identical consecutive messages into a single "last message repeated n times" line instead of writing every copy.
7. Customizing Log Format
Rsyslog can customize the format of log messages:
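```bash
# Format: hostname, severity, message text
$template CustomFormat,"%HOSTNAME% %syslogseverity-text%: %msg%\n"
# /var/log/custom.log is an example path; the template to use follows the file name
*.info;kern.warning;kern.crit /var/log/custom.log;CustomFormat
```
This will write the matching messages in a custom format that includes the hostname, priority level, and message text.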
8. Using Log Tags
Rsyslog can use log tags to categorize and prioritize log messages:
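```bash
$template Tagged,"/var/log/tagged.log"
*.info;kern.warning;kern.crit -?Tagged
$template Untagged,"/var/log/untagged.log"
*.* -?Untagged
```
These rules select on facility and severity: the first writes the messages its selector matches to tagged.log and the second writes every message to untagged.log. To route on the tag itself, use a property-based filter on the syslogtag property instead of a facility/severity selector.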
9. Setting up a Centralized Log Server
Rsyslog can be used to set up a centralized log server that collects logs from multiple clients:
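```bash
# On the central server:
$ModLoad imtcp # Load the input module for receiving TCP connections
input(type="imtcp" port="514")
$template RemoteClients,"/var/log/remote-clients.log"
*.*;kern.warning;kern.crit -?RemoteClients

# On client systems:
$template LocalLog,"/var/log/local.log"
*.info;kern.warning;kern.crit -?LocalLog
# Forward everything to the server over TCP (@@); logserver.example.com is a placeholder
*.* @@logserver.example.com:514
```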
This will collect log messages from multiple clients and store them on a centralized server.
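The same client/server setup in rsyslog's newer RainerScript syntax, as an added example that is not part of the original article. It goes further than the text by keeping remote messages in their own ruleset, naming files after the connection's source address, and buffering on the client while the server is down. The host name logserver.example.com, the file names, the /var/log/remote path and the work directory are assumptions.

```conf
#### Central server (/etc/rsyslog.d/central.conf, assumed file name) ####
module(load="imtcp")

# Name files after the peer address of the TCP connection (fromhost-ip),
# not the hostname field inside the message, which the sender chooses.
template(name="PerSourceFile" type="string"
         string="/var/log/remote/%fromhost-ip%/messages-%$YEAR%-%$MONTH%-%$DAY%.log")

# Dedicated ruleset: remote messages are handled here only and never
# reach the server's own local rules.
ruleset(name="remote") {
    action(type="omfile" dynaFile="PerSourceFile"
           fileCreateMode="0640" dirCreateMode="0750")
}

input(type="imtcp" port="514" ruleset="remote")

#### Client (/etc/rsyslog.d/forward.conf, assumed file name) ####
global(workDirectory="/var/spool/rsyslog")   # where queue files are spooled

# Forward everything over TCP. The disk-assisted queue buffers messages
# while the server is unreachable, and the action retries indefinitely.
action(type="omfwd" target="logserver.example.com" port="514" protocol="tcp"
       queue.type="LinkedList"
       queue.filename="fwd_central"
       queue.maxDiskSpace="1g"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
```

Check each file with `rsyslogd -N1` before restarting the service. Plain TCP on port 514 is neither encrypted nor authenticated, so limit which hosts can reach the port and use rsyslog's TLS support when logs cross an untrusted network.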
10. Using a Log Rotation Script
Rsyslog can be used with a log rotation script to automate the process of rotating logs:
```bash
#!/bin/bash
# Rotate logs for yesterday
find /var/log -name "*-yesterday.log" | while IFS= read -r file; do
    # Strip the "-yesterday.log" suffix before appending the new one
    mv "$file" "${file%-yesterday.log}-yesterday-old"
done
# Create new log files for today and tomorrow
touch /var/log/.log-1
touch /var/log/.log-2
```
This script will rotate logs from yesterday, create a new log file for today, and prepare one for tomorrow.
11. Monitoring Log Messages in Real-Time
Rsyslog can be used to monitor log messages in real-time using the rsyslogd service:
```bash
sudo systemctl status rsyslog
```
This will show the current status of the rsyslog service, which includes the most recent log lines written by the service itself.
In this article, we have explored 11 essential system logging configurations that can be used with rsyslog to manage and prioritize log messages. These configurations cover remote logging, log file rotation, prioritizing log messages, suppressing duplicates, customizing log formats, using log tags, setting up a centralized log server, using a log rotation script, and monitoring log messages in real-time. By implementing these configurations, you can improve the performance and reliability of your system’s logging capabilities.