
System Logging Techniques with Rsyslog
Rsyslog is a reliable and feature-rich system logging daemon that provides extensive capabilities for logging system events, messages, and errors. In this article, we will delve into 11 advanced system logging techniques that can be achieved using rsyslog.
Table of Contents
- Filtering Log Messages
- Priority-Based Logging
- Facility-Based Logging
- Tagging and Coloring Logs
- Hostname-Based Logging
- IP Address-Based Logging
- Domain Name-Based Logging
- User-ID Based Logging
- Role-Based Access Control (RBAC)
- Conditional Log Output
- JSON Output and Parsing
Filtering Log Messages
Filtering log messages is an essential technique that lets you include or exclude specific log events based on their content, priority, or other message properties.
To filter log messages in rsyslog, use a RainerScript if statement in the configuration (rsyslog.conf or a file under /etc/rsyslog.d/). For example:
```
# Send every message whose text contains "error" to a dedicated file
if ($msg contains "error") then {
    action(type="omfile" file="/var/log/error.log")
}
```
This configuration sends any log message containing the string "error" to the /var/log/error.log file. The contains operator is case-sensitive; use contains_i if "Error" and "ERROR" should match as well.
Priority-Based Logging
Priority-based logging lets you route messages by their severity (debug, info, notice, warning, err, crit, alert, emerg, from least to most severe; rsyslog also accepts the older spellings warn and error).
To configure priority-based logging in rsyslog, write selector lines of the form facility.priority followed by the destination. A plain priority matches that severity and everything more severe, =priority matches exactly that severity, and facility.none removes a facility from the selection:
```
# Send only debug-level messages (auth/authpriv excluded) to /var/log/debug.log
*.=debug;auth,authpriv.none    /var/log/debug.log
# Send info and higher-severity messages (auth/authpriv excluded) to /var/log/info.log
*.info;auth,authpriv.none      /var/log/info.log
```
Facility-Based Logging
Facility-based logging lets you categorize log messages by the facility they were logged to (kern, auth, authpriv, user, mail, daemon, news, uucp, local0 through local7).
To configure facility-based logging in rsyslog, write one selector line per facility, using facility.* to take every priority:
```
# Send all kernel messages to /var/log/kernel.log
kern.*                 /var/log/kernel.log
# Send auth and authpriv messages at every priority to /var/log/auth.log
auth,authpriv.*        /var/log/auth.log
```
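As an added illustration of how the selector lines above are interpreted (example code written for this article, not part of rsyslog), the following Python evaluates classic facility.priority selectors against the PRI value that every syslog message carries, following the sysklogd rules that rsyslog inherited. The rule table and the PRI values are constructed for the example; the selectors are the ones from the two sections above.

```python
"""Evaluate legacy syslog selectors (facility.priority;facility.none ...) the way
sysklogd-style daemons such as rsyslog do. Example code for this article, not
code from the rsyslog project."""

# Facility codes from RFC 5424; codes 12-15 exist but have no selector keyword here
FACILITY_CODE = {name: code for code, name in enumerate(
    ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
     "uucp", "cron", "authpriv", "ftp"])}
FACILITY_CODE.update({f"local{i}": 16 + i for i in range(8)})

# Severity codes: 0 is most severe, 7 least; panic/error/warn are accepted synonyms
SEVERITY_CODE = {name: code for code, name in enumerate(
    ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"])}
SEVERITY_CODE.update({"panic": 0, "error": 3, "warn": 4})


def decode_pri(pri: int) -> tuple:
    """Split the PRI value from '<PRI>' into (facility, severity): PRI = facility * 8 + severity."""
    return pri >> 3, pri & 0x07


def selector_mask(selector: str) -> dict:
    """Map each facility code to the set of severities a selector line selects.

    Parts separated by ';' are applied left to right and accumulate:
      facility.prio    adds prio and everything more severe
      facility.=prio   adds exactly prio
      facility.!prio   removes prio and everything more severe
      facility.!=prio  removes exactly prio
      facility.none    removes everything for that facility
      facility.*       adds every severity
    This is why '*.info;auth,authpriv.none' selects info-and-above for all
    facilities and then drops auth and authpriv again.
    """
    masks = {code: set() for code in range(24)}
    for part in selector.split(";"):
        fac_spec, _, pri_spec = part.strip().rpartition(".")
        names = [f.strip() for f in fac_spec.split(",")]
        targets = list(masks) if "*" in names else [FACILITY_CODE[n] for n in names]
        remove = pri_spec.startswith("!")
        pri_spec = pri_spec.lstrip("!")
        if pri_spec == "none":
            chosen, remove = set(range(8)), True
        elif pri_spec == "*":
            chosen = set(range(8))
        elif pri_spec.startswith("="):
            chosen = {SEVERITY_CODE[pri_spec[1:]]}
        else:
            chosen = set(range(SEVERITY_CODE[pri_spec] + 1))  # prio and more severe
        for code in targets:
            masks[code] = masks[code] - chosen if remove else masks[code] | chosen
    return masks


def selector_matches(selector: str, facility: int, severity: int) -> bool:
    """True if the selector selects a message with this numeric facility and severity."""
    return severity in selector_mask(selector)[facility]


# Constructed rule table built from the selector lines of the two sections above
RULES = [
    ("*.=debug;auth,authpriv.none", "/var/log/debug.log"),
    ("*.info;auth,authpriv.none", "/var/log/info.log"),
    ("kern.*", "/var/log/kernel.log"),
    ("auth,authpriv.*", "/var/log/auth.log"),
]


def route(pri: int, rules=RULES) -> list:
    """Return every destination whose selector matches a message with this PRI value."""
    facility, severity = decode_pri(pri)
    return [dest for sel, dest in rules if selector_matches(sel, facility, severity)]


if __name__ == "__main__":
    # <30> is daemon.info, <7> kern.debug, <36> auth.warning, <86> authpriv.info
    for pri in (30, 7, 36, 86):
        print(f"<{pri}> facility/severity={decode_pri(pri)} -> {route(pri)}")
```

Running it shows, for instance, that an auth.warning message (<36>) reaches only /var/log/auth.log, because the .none part removes auth from the two catch-all rules even though *.info would otherwise have taken it.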
Tagging and Coloring Logs
Tagging and coloring logs is a technique that prefixes each log message with a fixed string, a formatted header, or a terminal color code.
To control the message format in rsyslog, define a template with the $template directive (or a template() object in the newer syntax) and bind it to an action:
```
# Define a template that prefixes each message with its timestamp, source host and syslog tag
$template LogFormat,"%timereported% %HOSTNAME% %syslogtag%%msg%\n"
# Apply the template to all messages forwarded to the receiver on 127.0.0.1:514 (UDP)
*.* @127.0.0.1:514;LogFormat
```
This configuration prefixes each forwarded message with a timestamp, the source hostname and the syslog tag. A single @ forwards over plain UDP and @@ over TCP; neither encrypts the stream, so logs that leave the host should go over a TLS-protected transport (omfwd with the gtls network stream driver) or, as here, stay on localhost.
Hostname-Based Logging
Hostname-based logging lets you categorize log messages by the hostname of the system that produced them.
To configure hostname-based logging in rsyslog, compare the hostname property in an if statement and attach the action for that host:
```
# Send notice-and-higher messages from host1 (excluding auth/authpriv) to /var/log/host1.log
if $hostname == "host1" and $syslogseverity <= 5 and not ($syslogfacility-text == "auth" or $syslogfacility-text == "authpriv") then {
    action(type="omfile" file="/var/log/host1.log")
}
# Same for host2; severity 5 is notice (0 = emerg ... 7 = debug)
if $hostname == "host2" and $syslogseverity <= 5 and not ($syslogfacility-text == "auth" or $syslogfacility-text == "authpriv") then {
    action(type="omfile" file="/var/log/host2.log")
}
```
IP Address-Based Logging
IP address-based logging lets you categorize log messages by the IP address they were received from.
To configure IP address-based logging in rsyslog, compare the fromhost-ip property, which rsyslog takes from the receiving socket rather than from the message text (a sender cannot forge it by editing the message, although UDP source addresses can still be spoofed at the network level):
```
# fromhost-ip is the address the message was received from; it is only meaningful for
# messages that arrive over the network (imudp/imtcp), locally generated ones show 127.0.0.1
if $fromhost-ip == "192.168.1.100" and $syslogseverity <= 5 and not ($syslogfacility-text == "auth" or $syslogfacility-text == "authpriv") then {
    action(type="omfile" file="/var/log/192.168.1.100.log")
}
if $fromhost-ip == "192.168.2.100" and $syslogseverity <= 5 and not ($syslogfacility-text == "auth" or $syslogfacility-text == "authpriv") then {
    action(type="omfile" file="/var/log/192.168.2.100.log")
}
```
Domain Name-Based Logging
Domain name-based logging lets you categorize log messages by the fully qualified domain name of their source.
To configure domain name-based logging in rsyslog, keep the domain part of hostnames and compare the full name in an if statement:
```
# rsyslog normally strips the domain part from the hostnames it resolves for network
# senders; preserveFQDN="on" keeps it so that the FQDN comparisons below can match
global(preserveFQDN="on")
if $hostname == "host1.example.com" and $syslogseverity <= 5 and not ($syslogfacility-text == "auth" or $syslogfacility-text == "authpriv") then {
    action(type="omfile" file="/var/log/host1.example.com.log")
}
if $hostname == "host2.example.com" and $syslogseverity <= 5 and not ($syslogfacility-text == "auth" or $syslogfacility-text == "authpriv") then {
    action(type="omfile" file="/var/log/host2.example.com.log")
}
```
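The three sections above all derive a log file name from something the sender supplies (the hostname field in the message, or the address it connected from). As an added example, not rsyslog's own code, the Python below shows the validation a receiver should apply before such a value is used in a path: a remote sender chooses the HOSTNAME it writes into the syslog header, so that value must not be able to steer the file outside the log directory. It generalizes the per-host files above to per-host and per-domain files; the base directory /var/log/hosts and the _invalid quarantine file name are assumptions of the example.

```python
"""Derive per-source log file paths from sender-supplied hostnames or addresses
without letting the value escape the log directory. Example code for this
article, not code from the rsyslog project."""
import ipaddress
import os
import re
from typing import Optional

LOG_DIR = "/var/log/hosts"   # assumed base directory for this example
QUARANTINE = "_invalid"      # assumed name for unusable source values; it cannot collide
                             # with a valid hostname, which must start alphanumeric

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, at most 63 chars
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def safe_source_name(source: str) -> Optional[str]:
    """Return a canonical, filename-safe hostname or IP address, or None if the
    sender-supplied value is not a valid one. Anything that is not a well-formed
    name (path separators, '..', empty labels, control characters) is rejected
    rather than patched up, which is simpler to reason about."""
    source = source.strip().lower().rstrip(".")
    if not source or len(source) > 253:
        return None
    if _is_ip(source):
        return str(ipaddress.ip_address(source))   # canonical spelling, e.g. for IPv6
    if all(_LABEL.match(label) for label in source.split(".")):
        return source
    return None


def log_path_for(source: str, by_domain: bool = False) -> str:
    """Path of the log file for a source. With by_domain=True, hosts that carry a
    domain part are grouped into one directory per domain."""
    name = safe_source_name(source)
    if name is None:
        name = QUARANTINE
    if by_domain and "." in name and not _is_ip(name):
        host, domain = name.split(".", 1)
        path = os.path.join(LOG_DIR, domain, host + ".log")
    else:
        path = os.path.join(LOG_DIR, name + ".log")
    # Defence in depth: whatever the name was, the normalized path must stay under LOG_DIR
    if os.path.commonpath([LOG_DIR, os.path.normpath(path)]) != LOG_DIR:
        raise ValueError(f"refusing path outside {LOG_DIR}: {path!r}")
    return path


if __name__ == "__main__":
    # Constructed sender-supplied values: three legitimate ones and two malformed ones
    for value in ("host1", "Host2.Example.COM", "192.168.1.100", "../../tmp/escape", "host1/../x"):
        print(f"{value!r:22} -> {log_path_for(value, by_domain=True)}")
```

Rejecting rather than rewriting malformed names keeps the mapping from source to file unambiguous; the quarantine file also gives you something to alert on, since a well-behaved sender never produces such a value.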
User-ID Based Logging
User-ID based logging lets you categorize log messages by the user ID of the process that produced them.
A plain syslog message carries no user ID, so this needs an input that supplies one; with messages taken from the systemd journal, the journal's _UID field is available to rsyslog filters:
```
# rsyslog has no user-ID property of its own. Messages are assumed to come from the
# systemd journal via imjournal, which exposes journal fields such as _UID as $!_UID.
# Journal UIDs are numeric: "1001" and "1002" are placeholder UIDs for user1 and user2.
module(load="imjournal")
if $!_UID == "1001" then { action(type="omfile" file="/var/log/user1.log") }
if $!_UID == "1002" then { action(type="omfile" file="/var/log/user2.log") }
```
Role-Based Access Control (RBAC)
Role-based access control (RBAC) lets you categorize log messages by the role of the account that produced them.
rsyslog has no role property, so a role is expressed as the set of user IDs that hold it, with one if statement per role:
```
# Messages are again assumed to come from the systemd journal via imjournal, so the
# journal's _UID field is available as $!_UID; the UIDs are placeholders
module(load="imjournal")
if $!_UID == "1001" then { action(type="omfile" file="/var/log/user1.log") }
if $!_UID == "1002" then { action(type="omfile" file="/var/log/user2.log") }
# user3 stands for a role shared by several accounts, so several UIDs map to one file
if $!_UID == "1003" or $!_UID == "1004" then { action(type="omfile" file="/var/log/user3.log") }
```
Conditional Log Output
Conditional log output lets you route a log event to one destination rather than another based on its content, priority, or other properties.
To configure conditional log output in rsyslog, use an if/else statement; the stop statement ends processing of a message so that later rules do not see it. For example:
```
# Route messages containing "error" to a dedicated file and stop processing them;
# everything else goes to /var/log/other.log (a constructed path for this example)
if ($msg contains "error") then {
    action(type="omfile" file="/var/log/error.log")
    stop
} else {
    action(type="omfile" file="/var/log/other.log")
}
```
JSON Output and Parsing
JSON output and parsing lets you emit log messages as JSON so that a receiving system can parse them field by field.
To configure JSON output in rsyslog, define a template that builds the JSON object and escapes the message text with the json property option:
```
# Emit each message as one JSON object per line. The json property option escapes quotes,
# backslashes and control characters so a message containing '"' cannot break the structure.
$template JSONOutput,"{\"timestamp\":\"%timereported:::date-rfc3339%\",\"message\":\"%msg:::json%\"}\n"
# Forward all messages to the receiver on 127.0.0.1:514 using that template
*.* @127.0.0.1:514;JSONOutput
```
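For the parsing side, here is an added Python example (not rsyslog code) of a receiver that reads the one-object-per-line output of the template above, validates the two fields, and quarantines lines it cannot parse instead of discarding them. The sample lines are constructed: the first two are what the escaped template produces, the third is what an unescaped %msg% would produce for a message that itself contains a double quote.

```python
"""Parse newline-delimited JSON log records as emitted by an rsyslog template.
Example code for this article, not code from the rsyslog project."""
import json
from datetime import datetime
from typing import Iterable, List, Optional, Tuple

# Constructed sample input. Lines 1-2 are well-formed. Line 3 is what a template
# without the json property option emits when the message contains '"': the quote
# is not escaped and the object is no longer valid JSON.
SAMPLE_LINES = [
    '{"timestamp":"2024-05-01T10:15:30.123456+00:00","message":" sshd[1234]: Accepted publickey for alice"}',
    '{"timestamp":"2024-05-01T10:15:31.000000+00:00","message":" app[77]: input was \\"hi\\""}',
    '{"timestamp":"2024-05-01T10:15:32.000000+00:00","message":" app[77]: input was "hi""}',
]

REQUIRED_KEYS = ("timestamp", "message")


def parse_record(line: str) -> Tuple[Optional[dict], Optional[str]]:
    """Parse one line into a record; return (record, None) on success or
    (None, reason) when the line is rejected."""
    try:
        obj = json.loads(line)
    except json.JSONDecodeError as exc:
        return None, f"invalid JSON at column {exc.colno}: {exc.msg}"
    if not isinstance(obj, dict):
        return None, "top-level value is not an object"
    missing = [k for k in REQUIRED_KEYS if k not in obj]
    if missing:
        return None, f"missing keys: {', '.join(missing)}"
    try:
        ts = datetime.fromisoformat(str(obj["timestamp"]))   # RFC 3339 as written by date-rfc3339
    except ValueError:
        return None, f"unparseable timestamp: {obj['timestamp']!r}"
    # %msg% keeps the space that follows the syslog tag; strip it for the record
    return {"timestamp": ts, "message": str(obj["message"]).strip()}, None


def parse_stream(lines: Iterable[str]) -> Tuple[List[dict], List[Tuple[str, str]]]:
    """Return (accepted records, rejected (line, reason) pairs). Rejected lines are
    kept so the parsing failure itself can be alerted on rather than silently lost."""
    records, rejected = [], []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        record, reason = parse_record(line)
        if record is None:
            rejected.append((line, reason))
        else:
            records.append(record)
    return records, rejected


if __name__ == "__main__":
    accepted, bad = parse_stream(SAMPLE_LINES)
    for rec in accepted:
        print(f"{rec['timestamp'].isoformat()}  {rec['message']}")
    for line, reason in bad:
        print(f"REJECTED ({reason}): {line}")
```

A receiver that counts rejected lines gives you a cheap health check on the sender's template: a non-zero count usually means a message contained a character the template did not escape, and with the json option in place that count should stay at zero.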
In this article, we have explored 11 advanced system logging techniques that can be achieved using rsyslog. These techniques include filtering log messages, priority-based logging, facility-based logging, tagging and coloring logs, hostname-based logging, IP address-based logging, domain name-based logging, user-ID based logging, role-based access control (RBAC), conditional log output, and JSON output and parsing.