
System Logging Configurations with Rsyslog
Rsyslog is a widely used, open-source system logging daemon that provides a robust and customizable way to collect and manage log data from various sources within your network. As a critical component of any IT infrastructure, configuring rsyslog effectively requires careful planning and attention to detail. In this article, we will explore 20 system logging configurations with rsyslog.
1. Global Configuration
The first step in configuring rsyslog is to set the global configuration parameters. This includes specifying rsyslog's working directory ($WorkDirectory) and enabling or disabling logging for specific facilities such as kernel and authpriv.
```
# Global configuration settings
$WorkDirectory /var/spool/rsyslog
# imuxsock reads local system messages from the /dev/log socket; imklog reads the kernel ring buffer
$ModLoad imuxsock
$ModLoad imklog
# Per-facility logging is switched on by selector lines of the form facility.severity  destination
kern.*       /var/log/kern.log
authpriv.*   /var/log/secure
# Debug output of rsyslogd itself (0 = off; pair with $DebugFile for on-demand tracing)
$DebugLevel 0
# Timestamp format for file output: RSYSLOG_FileFormat writes high-precision RFC 3339 timestamps
$ActionFileDefaultTemplate RSYSLOG_FileFormat
```
2. Log File Rotation
Configuring log file rotation helps manage disk space by limiting the size of log files.
```
# Size-based rotation uses an output channel: file path, size limit in bytes
# (50 MB = 52428800) and the command rsyslog runs when the limit is reached.
# The rotate script path is a placeholder; it must move the file aside.
$outchannel rotated,/var/log/rotated.log,52428800,/usr/sbin/rotate-rsyslog.sh
*.* :omfile:$rotated
# Time-based rotation, compression and retention belong in logrotate; its postrotate
# step must send rsyslogd a HUP so the daemon reopens the rotated file.
```
3. Output to Multiple Destinations
Rsyslog can forward log messages to multiple destinations, including remote servers.
```
# Write authpriv to a local file and forward it to a remote collector.
# In an action, @ means UDP and @@ means TCP; ';name' applies a template.
$template RemoteLogs,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg%\n"
authpriv.*   /var/log/secure
authpriv.*   @@10.1.1.100:514;RemoteLogs
# '&' repeats the previous selector, so the two actions can also be chained:
# authpriv.*   /var/log/secure
# &            @@10.1.1.100:514;RemoteLogs
```
4. Prioritization of Log Messages
Configure log message prioritization by using different severity levels for various facilities.
```
# A selector is facility.severity. The severity matches itself and everything more
# urgent: emerg=0, alert, crit, err, warning, notice, info, debug=7.
# Emergencies go to every logged-in user (highest priority)
*.emerg                      :omusrmsg:*
authpriv.notice              /var/log/secure
local0,local1,local2.info    /var/log/local.log
# Everything from the kernel facility, regardless of severity
kern.*                       /var/log/kern.log
# '=' selects exactly one severity; '.none' excludes a facility from a wildcard
*.=debug;authpriv.none       /var/log/debug
```
5. Suppressing Duplicate Logs
Prevent duplicate log messages from being stored by configuring the no-hostname option.
```
# rsyslog collapses runs of identical messages into "last message repeated n times" with:
$RepeatedMsgReduction on
# Template properties are written %property%; %HOSTNAME% is the sending host
$template HostnameLog,"%HOSTNAME% %syslogtag%%msg%\n"
*.info   /var/log/messages;HostnameLog
```
6. Monitoring and Alerting
Configure alerting mechanisms to monitor log activity.
```
# Hand selected security events to an external monitoring script through omprog;
# the script receives one formatted message per line on its stdin.
# /path/to/monitoring/script is a placeholder for the site's own script.
module(load="omprog")
template(name="SecurityLog" type="string"
         string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%\n")
# authpriv at warning (4) or more urgent; lower numbers are more urgent
if $syslogfacility-text == "authpriv" and $syslogseverity <= 4 then {
    action(type="omprog" binary="/path/to/monitoring/script" template="SecurityLog")
}
```
7. Filtering Log Messages
Configure filters to only capture specific log messages.
```
# Property-based filters select on program name, message text and other properties.
# Dynamic file names come from a template referenced with '?'.
$template FilteredLogs,"/var/log/%HOSTNAME%/filtered.log"
# Every sshd message goes to the per-host file; '& stop' ends processing for it
:programname, isequal, "sshd"   ?FilteredLogs
& stop
# Match on message content (case-sensitive; use contains_i to ignore case)
:msg, contains, "Failed password"   /var/log/auth-failures.log
```
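The selector rules in sections 4 and 7 decide where a message lands from its facility and severity. This added example (written for this article, not rsyslog's own code) decodes a message's `<PRI>` field and evaluates rsyslog's legacy selector syntax against a constructed rule set, so the effect of `.none`, `=` and facility lists can be checked without a running daemon.

```python
"""Added example: decode <PRI> and evaluate rsyslog legacy selectors.
Facility names 12-15 follow rsyslog's own names; sample rules are constructed."""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def decode_pri(message):
    """Return (facility, severity) from the leading <PRI>; PRI = facility*8 + severity."""
    m = re.match(r"<(\d{1,3})>", message)
    if not m or int(m.group(1)) > 191:          # 23*8 + 7 is the largest legal PRI
        raise ValueError("missing or out-of-range <PRI>")
    pri = int(m.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def selector_matches(selector, facility, severity):
    """'fac.sev' matches sev and anything more urgent, 'fac.=sev' exactly sev,
    'fac.*' everything, 'fac.none' excludes the facility; later ';' parts win."""
    level = SEVERITIES.index(severity)
    matched = False
    for part in selector.split(";"):
        facs, _, sev = part.strip().rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue                              # this part does not cover the facility
        if sev == "none":
            matched = False
        elif sev == "*":
            matched = True
        elif sev.startswith("="):
            matched = level == SEVERITIES.index(sev[1:])
        else:
            matched = level <= SEVERITIES.index(sev)   # lower index = more urgent
    return matched

RULES = [  # constructed, in the shape of the selector lines in sections 4 and 7
    ("*.emerg", ":omusrmsg:*"),
    ("authpriv.*", "/var/log/secure"),
    ("*.info;authpriv.none", "/var/log/messages"),
    ("*.=debug;authpriv.none", "/var/log/debug"),
]

def route(message, rules=RULES):
    """Return every destination the message would reach under the rules."""
    fac, sev = decode_pri(message)
    return [dest for sel, dest in rules if selector_matches(sel, fac, sev)]
```

Running `route("<86>sshd[812]: Accepted publickey")` shows that an authpriv.info message reaches only /var/log/secure, because `authpriv.none` removes it from the catch-all lines.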
8. Output to a Local File
Configure rsyslog to output logs directly to a local file.
```
# Create log directories and files with restrictive ownership and mode
$CreateDirs on
$DirCreateMode 0750
$FileCreateMode 0640
$FileOwner root
$FileGroup adm
# Dynamic file name per host, referenced with '?'
$template OutputToLocal,"/var/log/%HOSTNAME%/output.log"
kern.*   ?OutputToLocal
```
9. Enable TCP Listening
Configure rsyslog to listen on a specific TCP port.
```
# Plain TCP syslog input; restrict who may send, and prefer TLS (section 17) across networks
$ModLoad imtcp
# $AllowedSender must appear before the listener it applies to
$AllowedSender TCP, 127.0.0.1, 10.1.1.0/24
$InputTCPServerRun 514
# File name from the peer's connection address (%FROMHOST-IP%), not from %HOSTNAME%,
# which is taken from the message body and therefore chosen by the sender
$template KernelLog,"/var/log/remote/%FROMHOST-IP%/kern.log"
kern.*   ?KernelLog
```
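A TCP listener such as the one above receives a byte stream, not discrete datagrams, and senders frame messages either by octet counting (RFC 6587, `<length> <message>`) or by a trailing newline. This added example (not rsyslog code) splits a constructed capture into messages the way a listener must, keeping an incomplete trailing frame for the next read and refusing oversized frames rather than buffering them.

```python
"""Added example: split a syslog-over-TCP byte stream into messages, accepting
both octet-counted and newline-delimited framing. Sample stream is constructed."""
import re

OCTET_HEADER = re.compile(rb"(\d{1,5}) ")   # decimal length, one space, then the message
MAX_FRAME = 8192                            # constructed limit; real listeners make it configurable

def octet_frame(msg: bytes) -> bytes:
    """Wrap one message in octet-counting framing, as a sender does."""
    return b"%d %s" % (len(msg), msg)

def split_frames(stream: bytes):
    """Return (messages, remainder); the remainder is an incomplete trailing frame
    that must be kept until more bytes arrive on the same connection."""
    messages, pos = [], 0
    while pos < len(stream):
        hdr = OCTET_HEADER.match(stream, pos)
        if hdr:                                   # octet-counted frame
            length, start = int(hdr.group(1)), hdr.end()
            if length > MAX_FRAME:
                raise ValueError("frame larger than MAX_FRAME; drop the connection")
            if start + length > len(stream):
                break                             # incomplete: wait for more data
            messages.append(stream[start:start + length])
            pos = start + length
        else:                                     # newline-delimited frame
            nl = stream.find(b"\n", pos)
            if nl < 0:
                break
            messages.append(stream[pos:nl].rstrip(b"\r"))
            pos = nl + 1
    return messages, stream[pos:]

# Constructed capture: one octet-counted RFC 5424 message, one newline-delimited
# BSD-style message, and the start of a frame whose tail has not arrived yet.
# Like a real listener, this guesses framing from the first byte, so a
# newline-delimited message that begins with digits and a space would be misread.
MSG_5424 = b"<13>1 2024-01-01T00:00:00Z host app - - - hello"
MSG_BSD = b"<14>Jan  1 00:00:00 host app: second"
SAMPLE_STREAM = octet_frame(MSG_5424) + MSG_BSD + b"\n" + b"12 <13>part"
```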
10. Output to a UDP Server
Configure rsyslog to forward logs directly to a remote server via UDP.
```
# '@' is UDP, '@@' is TCP. UDP delivery is best-effort: nothing is retransmitted
# and the source address of a datagram is not authenticated.
$template RemoteLogs,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg%\n"
# Destination server and port (514 is the registered syslog port)
*.*   @192.168.1.100:514;RemoteLogs
```
11. Output to a Local Syslog Daemon
Configure rsyslog to forward logs directly to a local syslog daemon.
```
# Deliver to another local daemon's Unix socket (e.g. /dev/log) with omuxsock.
# Only do this when rsyslog does not itself consume that socket's messages
# through imuxsock; otherwise every message loops back into rsyslog.
$ModLoad omuxsock
$OMUxSockSocket /dev/log
kern.*   :omuxsock:
# For a daemon listening on localhost instead, forward over TCP:
# kern.*   @@127.0.0.1:514
```
12. Output to a Local Network
Configure rsyslog to forward logs directly to a collector on the local network.
```
# Destination server on the local network, TCP on port 514
$template KernelLog,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg%\n"
kern.*   @@10.1.1.100:514;KernelLog
# Everything at info or more urgent, but keep authpriv off the wire
*.info;authpriv.none   @@10.1.1.100:514
```
13. Output to a Remote Server via TCP
Configure rsyslog to forward logs directly to a remote server via TCP.
```
# TCP forwarding with a disk-assisted queue, so messages survive a collector
# outage or a restart instead of being dropped. These $ActionQueue* directives
# apply to the next action only.
$ActionQueueType LinkedList
$ActionQueueFileName fwd_tcp
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
*.*   @@10.1.1.100:514
```
14. Output to a Remote Server via UDP
Configure rsyslog to forward logs directly to a remote server via UDP.
```
# UDP forwarding: one datagram per message, no connection, no retransmission,
# so a queue buys nothing here and loss during collector outages is silent.
$template KernelLog,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg%\n"
kern.*   @10.1.1.100:514;KernelLog
```
15. Output to a Remote Server via TCP or UDP
Configure rsyslog to forward logs directly to a remote server using either TCP or UDP.
```
# RainerScript form of the forwarder (omfwd); 'protocol' selects the transport.
# A bare action() at top level applies to every message.
action(type="omfwd" target="10.1.1.100" port="514" protocol="tcp"
       queue.type="LinkedList" queue.filename="fwd_tcp"
       action.resumeRetryCount="-1")
action(type="omfwd" target="10.1.1.100" port="514" protocol="udp")
```
16. Output to a Remote Server via TCP or UDP over SSH
Configure rsyslog to forward logs directly to a remote server using either TCP or UDP, encrypting the communication with SSH.
```
# rsyslog has no SSH transport. The tunnel is built outside rsyslog, for example
#   ssh -N -L 5514:127.0.0.1:514 loguser@10.1.1.100
# (assumed command, run as a dedicated service user), and rsyslog forwards to the
# tunnel's local end. Only TCP can be tunnelled this way.
$ActionQueueType LinkedList
$ActionQueueFileName fwd_ssh
$ActionResumeRetryCount -1
*.*   @@127.0.0.1:5514
```
17. Output to a Remote Server via TCP or UDP over TLS
Configure rsyslog to forward logs directly to a remote server using either TCP or UDP, encrypting the communication with TLS.
```
# TLS is available for TCP only (syslog over TLS, RFC 5425, port 6514); a UDP
# action cannot be encrypted. Certificate paths and peer name are placeholders.
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile   /etc/rsyslog.d/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/client-cert.pem
$DefaultNetstreamDriverKeyFile  /etc/rsyslog.d/client-key.pem
# Mode 1 = TLS; x509/name verifies the collector's certificate against the
# permitted peer name, so logs cannot be diverted to an impostor collector
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer loghost.example.com
*.*   @@10.1.1.100:6514
```
18. Output to a Remote Server via TCP or UDP over DTLS
Configure rsyslog to forward logs directly to a remote server using either TCP or UDP, encrypting the communication with DTLS.
```
# DTLS (TLS over UDP) requires the omdtls output module, added in rsyslog 8.2308;
# a plain '@' UDP action cannot be encrypted. target/port follow omfwd's naming;
# confirm them and the certificate parameters against the omdtls documentation
# for the installed version.
module(load="omdtls")
action(type="omdtls" target="10.1.1.100" port="514")
```
19. Output to a Remote Server via TCP or UDP over IPsec
Configure rsyslog to forward logs directly to a remote server using either TCP or UDP, encrypting the communication with IPsec.
```
# IPsec encrypts at the network layer, so the rsyslog side is a plain forwarder.
# The host's IPsec policy (strongSwan, Libreswan, ...) must require ESP for
# traffic to 10.1.1.100 port 514; without such a policy the logs leave in cleartext.
$ActionQueueType LinkedList
$ActionQueueFileName fwd_ipsec
$ActionResumeRetryCount -1
*.*   @@10.1.1.100:514
```
20. Output to a Remote Server via TCP or UDP over IKE
Configure rsyslog to forward logs directly to a remote server using either TCP or UDP, encrypting the communication with IKE.
```
# IKE is the key exchange that negotiates the IPsec security associations; it is
# not a transport of its own. The rsyslog configuration is therefore the same as
# for IPsec, and the IKE peers and credentials are configured in the IPsec daemon.
*.*   @@10.1.1.100:514
```
This concludes our tutorial on configuring rsyslog to forward logs to various destinations. You can experiment with different configuration options to tailor the behavior of your log forwarding setup according to your specific needs.