
System Logging Configuration with Rsyslog: A Detailed Guide
System logging is an essential aspect of system administration, providing valuable insights into system activity and enabling administrators to troubleshoot issues quickly. Rsyslog is a popular open-source system logging tool that provides powerful features for managing log messages across various systems. In this article, we will explore six common system logging configurations with rsyslog.
Prerequisites
Before diving into the configurations, ensure you have:
- Rsyslog installed on your system (version 5.x or later)
- Basic understanding of rsyslog configuration syntax and concepts
- Familiarity with Linux command-line interface and terminal navigation
Configuration 1: Simple System Logging
The first configuration is a basic setup for collecting log messages from all systems. This configuration will work as an initial step before implementing more advanced configurations.
Step 1: Create the rsyslog configuration file
```bash
sudo nano /etc/rsyslog.conf
```
Add the following lines to the end of the file:
```
# Configuration for simple system logging
*.*;auth,authpriv.4 /var/log/messages
```
Restart the rsyslog service for changes to take effect.
Step 2: Verify configuration
```bash
sudo service rsyslog restart
```
The above configuration writes log messages from all facilities (kernel, user, etc.) and all priorities (info, warn, error, ...) to the /var/log/messages file. The selector after the semicolon overrides the first one for the auth and authpriv facilities, so those are only written at priority 4 (warning) and above.
Configuration 2: Advanced System Logging
This configuration builds upon the previous one by specifying more detailed logging rules.
Step 1: Update the rsyslog configuration file
```bash
sudo nano /etc/rsyslog.conf
```
Add the following lines to the end of the file:
```
# Configuration for advanced system logging
kern.info /var/log/kern.log
kern.warn /var/log/warn.log
user.* /var/log/user.log
mail.* /var/log/mail.log
news.* /var/log/news.log
local4.* /var/log/local4.log
auth,authpriv.4 /var/log/auth.log
```
Restart the rsyslog service for changes to take effect.
Step 2: Verify configuration
```bash
sudo service rsyslog restart
```
The above configuration writes log messages from various facilities and priorities to specific log files. The kern facility has separate logs for info and warn messages (a warning-level kernel message matches both selectors and is written to both files), while the user, mail, news, and local4 facilities have a single log file each.
Configuration 3: Using Templates
Templates allow you to format your log messages in various ways.
Step 1: Create a template file
```bash
sudo nano /etc/rsyslog.d/templates.conf
```
Add the following lines:
```
# String template: rsyslog property names are written as %name%;
# HOSTNAME is the sender's host name and $year the current year
template(name="Template1" type="string"
         string="/var/log/%HOSTNAME%-%$year%.log")
```
Restart the rsyslog service for changes to take effect.
Step 2: Update the main configuration file
```bash
sudo nano /etc/rsyslog.conf
```
Add the following lines:
```
# Template1 is defined in /etc/rsyslog.d/templates.conf (Step 1);
# do not define it a second time here, or rsyslog reports a duplicate template.
# The leading "?" tells rsyslog that the target is a dynamic file name
# generated from the template rather than a literal path.
kern.info ?Template1
kern.warn ?Template1
user.* ?Template1
mail.* ?Template1
news.* ?Template1
local4.* ?Template1
auth,authpriv.4 ?Template1
```
Restart the rsyslog service for changes to take effect.
Step 3: Verify configuration
```bash
sudo service rsyslog restart
```
The above configuration writes log messages from various facilities and priorities to a file whose name is generated by the template, in the format hostname-year.log.
Configuration 4: Using Facilities
Facilities provide a way to categorize your log messages.
Step 1: Update the main configuration file
```bash
sudo nano /etc/rsyslog.conf
```
Add the following lines:
```
# Configuration for facilities
*.info;mail.none;auth,authpriv.none /var/log/messages
kern.info /var/log/kern.log
kern.warn /var/log/warn.log
user.* /var/log/user.log
mail.* /var/log/mail.log
news.* /var/log/news.log
local4.* /var/log/local4.log
auth,authpriv.4 /var/log/auth.log
```
Restart the rsyslog service for changes to take effect.
Step 2: Verify configuration
```bash
sudo service rsyslog restart
```
The above configuration writes log messages of priority info and above from all facilities to /var/log/messages, except for mail, auth and authpriv, which the "none" keyword excludes from that file; auth and authpriv are instead written to /var/log/auth.log at priority 4 (warning) and above. The remaining facilities are also written to their respective log files.
Configuration 5: Using Priorities
Priorities provide a way to categorize your log messages based on severity.
Step 1: Update the main configuration file
```bash
sudo nano /etc/rsyslog.conf
```
Add the following lines:
```
# Configuration for priorities
*.info;mail.none;auth,authpriv.none /var/log/messages
kern.*;mail.none;auth,authpriv.none /var/log/kern.log
user.*;mail.none;auth,authpriv.none /var/log/user.log
news.*;mail.none;auth,authpriv.none /var/log/news.log
local4.*;mail.none;auth,authpriv.none /var/log/local4.log
kern.warning;mail.none;auth,authpriv.none /var/log/warn.log
```
Restart the rsyslog service for changes to take effect.
Step 2: Verify configuration
```bash
sudo service rsyslog restart
```
The above configuration writes log messages from various facilities and priorities. Kernel messages of every priority go to /var/log/kern.log, and those of priority warning and above are additionally written to /var/log/warn.log, because a message is delivered by every rule whose selector it matches.
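To make the selector rules of Configurations 4 and 5 concrete, here is a small evaluator, added for this guide and not rsyslog's own code, that applies the same facility.priority matching (including the `none` exclusions and numeric priorities such as `auth.4`) to a few constructed sample messages and reports which file each one reaches.

```python
# Added example (not rsyslog's own code): a minimal evaluator for the
# "facility.priority" selectors used throughout this guide, to show
# which log file a message reaches. Sample messages are constructed.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]
PRIORITIES = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
              "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}

def parse_priority(name):
    """'none' excludes a facility; digits (e.g. auth.4) are accepted, as in rsyslog."""
    if name == "none":
        return None
    return int(name) if name.isdigit() else PRIORITIES[name]

def selector_table(selector):
    """Expand 'fac1,fac2.pri;fac3.none' into {facility: highest admitted priority}.
    Later ';' clauses override earlier ones, which is how mail.none works."""
    table = {}
    for clause in selector.split(";"):
        facs, pri = clause.rsplit(".", 1)
        limit = 7 if pri == "*" else parse_priority(pri)
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            table[fac] = limit
    return table

def matches(selector, facility, priority):
    """Lower number = more severe, so '.info' (6) also admits 'err' (3)."""
    limit = selector_table(selector).get(facility)
    return limit is not None and priority <= limit

def route(rules, messages):
    """Return {logfile: [message texts]}; a message may hit several rules."""
    out = {target: [] for _, target in rules}
    for fac, pri, text in messages:
        for selector, target in rules:
            if matches(selector, fac, pri):
                out[target].append(text)
    return out

# Configuration 5 from this guide, and constructed sample messages.
CONFIG5 = [
    ("*.info;mail.none;auth,authpriv.none", "/var/log/messages"),
    ("kern.*;mail.none;auth,authpriv.none", "/var/log/kern.log"),
    ("kern.warning;mail.none;auth,authpriv.none", "/var/log/warn.log"),
]
SAMPLE = [("kern", 7, "kernel debug"), ("kern", 4, "kernel warning"),
          ("mail", 3, "mail error"), ("authpriv", 6, "sshd login"),
          ("user", 6, "user info")]
```

Calling `route(CONFIG5, SAMPLE)` shows the kernel warning landing in all three files, the mail and authpriv messages in none of them, and the kernel debug message only in kern.log.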
Configuration 6: Using IP Address
IP addresses provide a way to filter your log messages based on the source of the message.
Step 1: Update the main configuration file
```bash
sudo nano /etc/rsyslog.conf
```
Add the following lines:
```
# Configuration for IP address
# A facility.priority selector cannot match on the sender; use a
# property-based filter on the fromhost-ip property instead.
:fromhost-ip, isequal, "192.168.0.100" /var/log/ip.log
# "&" applies a further action to the same filter: stop processing,
# so messages from this IP address do not reach the rules that follow
# (older rsyslog versions wrote this as "& ~").
& stop
```
Restart the rsyslog service for changes to take effect.
Step 2: Verify configuration
```bash
sudo service rsyslog restart
```
The above configuration writes log messages from the specified IP address to a single log file and then discards them, so they are excluded from every rule that comes after it. Place these lines before the other rules for the exclusion to have any effect.
In conclusion, these six system logging configurations with rsyslog provide various ways to manage and filter your log messages. Remember to update the main rsyslog configuration file and restart the service for changes to take effect.