
System Logging Configurations with Rsyslog
Rsyslog is a reliable and feature-rich system logging daemon that can be used to collect log messages from various sources, including devices, applications, and services. In this article, we will explore 7 common system logging configurations that can be achieved using rsyslog.
1. Basic Configuration
A basic configuration of rsyslog involves specifying the input source (e.g., kernel logs, user-space logs), configuring a log file for each type of message, and setting up a rotation policy to manage log file size.
```
# /etc/rsyslog.conf
# File created by default by the rsyslog package.
# If you want to use a different name, be aware that it must end in ".conf".

# First some definitions which our configuration relies on.
module(load="imuxsock") # local log socket (/dev/log) for user-space logs
module(load="imklog")   # reads kernel messages from /proc/kmsg (all kernel output!)

# Include all config files in /etc/rsyslog.d/
# (legacy equivalent: $IncludeConfig /etc/rsyslog.d/*.conf)
include(file="/etc/rsyslog.d/*.conf")
```
2. Centralized Logging
In a centralized logging configuration, logs are collected from multiple hosts and stored on a central server. This setup is useful for monitoring large-scale systems where log analysis is necessary.
Host Configuration
On each host:
```
# /etc/rsyslog.conf
$ModLoad imuxsock # local log socket (/dev/log) for user-space logs
$ModLoad imklog   # reads kernel messages from /proc/kmsg (all kernel output!)

# Log to this host-specific log file
*.* action(type="omfile" file="/var/log/syslog-host")
```
Central Server Configuration
On the central server:
```
# /etc/rsyslog.conf
# Store messages accepted from all hosts, even if they are not running rsyslogd.
# The network listener itself is configured as shown under Remote Logging.
*.* action(type="omfile" file="/var/log/syslog-central")
```
3. Remote Logging
In a remote logging configuration, logs are collected from multiple hosts and forwarded to a central server over the network.
Host Configuration
On each host:
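```
# /etc/rsyslog.conf
$ModLoad imuxsock # local log socket (/dev/log) for user-space logs
$ModLoad imklog   # reads kernel messages from /proc/kmsg (all kernel output!)

# Forward everything over UDP (single @; @@ would select TCP).
# Replace 127.0.0.1 with the address of the central server.
# UDP syslog is sent in clear text and without delivery guarantees.
*.* @127.0.0.1:514
```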
Central Server Configuration
On the central server:
```
# /etc/rsyslog.conf
# Accept messages from all hosts, even if they are not running rsyslogd.
$ModLoad imudp    # reads UDP messages on port 514 (default for remote logging)
$UDPServerRun 514 # listen on UDP port 514 on all addresses

*.* action(type="omfile" file="/var/log/syslog-central")
```
4. Rotating Logs
Rsyslog can be configured to rotate logs based on size, time, or other criteria.
Configuration
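```
# /etc/rsyslog.conf
$ModLoad imuxsock # local log socket (/dev/log) for user-space logs
$ModLoad imklog   # reads kernel messages from /proc/kmsg (all kernel output!)

# Rotate log files when they reach 10M (10485760 bytes). rsyslog runs the
# command in the last field when the limit is hit; the script path below is a
# placeholder for a site-specific rotation script.
$outchannel syslog_host,/var/log/syslog-host,10485760,/path/to/rotate-script
*.* :omfile:$syslog_host
```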
5. Disk Space Monitoring
Rsyslog can be configured to monitor disk space and alert when it reaches a critical level.
Configuration
```
# /etc/rsyslog.conf
$ModLoad imuxsock # local log socket (/dev/log) for user-space logs
$ModLoad imklog   # reads kernel messages from /proc/kmsg (all kernel output!)

# Rotate log files when they reach 10M (placeholder path for the rotation script)
$outchannel syslog_host,/var/log/syslog-host,10485760,/path/to/rotate-script
*.* :omfile:$syslog_host

# Monitor disk space on all filesystems.
# The readings come from a scheduled check (for example df run from cron) that
# reports through logger. The tag "diskmon" and the file name are assumptions.
if $programname == "diskmon" then action(type="omfile" file="/var/log/diskmon.log")
```
6. Alerting
Rsyslog can be configured to alert administrators when certain conditions are met.
Configuration
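```
# /etc/rsyslog.conf
$ModLoad imuxsock # local log socket (/dev/log) for user-space logs
$ModLoad imklog   # reads kernel messages from /proc/kmsg (all kernel output!)

*.* action(type="omfile" file="/var/log/syslog-host")

# Alert administrators when disk space reaches a critical level.
# Assumes the disk check logs with the tag "diskmon" at severity crit or higher.
template(name="DiskAlert" type="string" string="Disk space is critically low.\n")
if $programname == "diskmon" and $syslogseverity <= 2 then {
    action(type="omusrmsg" users="root" template="DiskAlert")
}
```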
7. Filtering
Rsyslog can be configured to filter out unwanted messages.
Configuration
```
# /etc/rsyslog.conf
$ModLoad imuxsock # local log socket (/dev/log) for user-space logs
$ModLoad imklog   # reads kernel messages from /proc/kmsg (all kernel output!)

# Filter out debug messages. Rules run in order, so this comes first:
# stop ends processing of the message before any later rule sees it.
*.=debug stop

# Only log messages at or above the specified level (warning)
*.warning action(type="omfile" file="/var/log/syslog-host")
```
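How the priority selectors in the filtering rules decide which messages a rule sees, as an added example that is not part of the original article or of rsyslog: it decodes the `<PRI>` header of raw syslog lines and evaluates traditional selectors in rule order. It goes beyond the two selectors on this page by also handling `none`, `!` and facility lists; the sample lines and the `RULES` list are constructed.

```python
import re

FACILITY = {n: i for i, n in enumerate(
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp".split())}
FACILITY.update({f"local{i}": 16 + i for i in range(8)})
SEVERITY = {n: i for i, n in enumerate(
    "emerg alert crit err warning notice info debug".split())}  # 0 is most severe

def decode_pri(line):
    """Split the <PRI> header of a syslog line into (facility, severity)."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI")
    return divmod(int(m.group(1)), 8)  # PRI = facility * 8 + severity

def selector_matches(selector, facility, severity):
    """Evaluate a selector such as '*.warning' or '*.*;auth,authpriv.none'."""
    matched = False
    for part in selector.split(";"):
        facs, _, prio = part.strip().partition(".")
        if facs != "*" and facility not in (FACILITY[f] for f in facs.split(",")):
            continue
        if prio == "none":          # exclude this facility entirely
            matched = False
            continue
        negate, prio = prio.startswith("!"), prio.lstrip("!")
        exact, prio = prio.startswith("="), prio.lstrip("=")
        # "at or above" a level means a numerically lower-or-equal severity
        covers = prio == "*" or (severity == SEVERITY[prio] if exact
                                 else severity <= SEVERITY[prio])
        if covers:
            matched = not negate
    return matched

# Constructed rules mirroring the filtering configuration; order matters.
RULES = [("*.=debug", "stop"), ("*.warning", "/var/log/syslog-host")]

def route(line, rules=RULES):
    """Return the files a raw syslog line would be written to."""
    facility, severity = decode_pri(line)
    written = []
    for selector, target in rules:
        if selector_matches(selector, facility, severity):
            if target == "stop":
                break
            written.append(target)
    return written

if __name__ == "__main__":
    for pri in (15, 14, 12, 34):  # user.debug, user.info, user.warning, auth.crit
        line = f"<{pri}>Jan  1 00:00:00 host01 app: constructed sample"
        print(pri, decode_pri(line), route(line))
```

Swapping the two entries in `RULES` shows why the `stop` rule has to come before the file rule when the file rule would otherwise match the same messages.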
In this article, we have explored 7 common system logging configurations that can be achieved using rsyslog. These include basic configuration, centralized logging, remote logging, rotating logs, disk space monitoring, alerting, and filtering. By understanding these configurations, system administrators can effectively monitor their systems and ensure that log messages are properly collected, stored, and analyzed.