[system-administrators-guide] Configuring rsyslog on a Logging Server

stephenw stephenw at fedoraproject.org
Wed Jun 10 22:15:40 UTC 2015


commit cf69f91791401e8d8014bfea3ccac28949a27d05
Author: Stephen Wadeley <swadeley at redhat.com>
Date:   Thu Jun 11 00:12:51 2015 +0200

    Configuring rsyslog on a Logging Server

 en-US/Viewing_and_Managing_Log_Files.xml |  138 ++++++++++++++++++++++++++++++
 1 files changed, 138 insertions(+), 0 deletions(-)
---
diff --git a/en-US/Viewing_and_Managing_Log_Files.xml b/en-US/Viewing_and_Managing_Log_Files.xml
index e5dcbef..919bb50 100644
--- a/en-US/Viewing_and_Managing_Log_Files.xml
+++ b/en-US/Viewing_and_Managing_Log_Files.xml
@@ -1409,6 +1409,144 @@ $ActionQueueSaveOnShutdown on
            mentioned already?  Sending syslog Messages over the Network
         </para>
     </section> -->
+    
+    </section>
+    <section id="s1-configuring_rsyslog_on_a_logging_server">
+     <title>Configuring rsyslog on a Logging Server</title>
+     <para>
+       The <systemitem class="service">rsyslog</systemitem> service provides facilities both for running a logging server and for configuring individual systems to send their log files to the logging server. See <xref linkend="ex-net_forwarding_with_queue" /> for information on client rsyslog configuration.
+     </para>
+     <para>
+        The <systemitem class="service">rsyslog</systemitem> service must be installed on the system that you intend to use as a logging server and all systems that will be configured to send logs to it. Rsyslog is installed by default in &MAJOROSVER;. If required, to ensure that it is, enter the following command as <systemitem class="username">root</systemitem>:
+     </para>
+     <screen>~]#&nbsp;<command>yum install rsyslog</command></screen>
+	<para>
+		The steps in this procedure must be followed on the system that you intend to use as your logging server. All steps in this procedure must be made as the <systemitem>root</systemitem> user:
+	</para>
+	<procedure>
+		<step>
+			<para>
+				Configure the firewall to allow <systemitem>rsyslog</systemitem> <systemitem class="protocol">TCP</systemitem> traffic.
+			</para>
+			<substeps>
+				<step>
+					<para>
+				The default port for <systemitem class="service">rsyslog</systemitem> <systemitem class="protocol">TCP</systemitem> traffic is <literal>514</literal>. To allow <systemitem class="protocol">TCP</systemitem> traffic on this port, enter a command as follows:
+					</para>
+          <screen>~]#&nbsp;<command>firewall-cmd --zone=<replaceable>zone</replaceable> --add-port=514/tcp</command>
+success</screen>
+<para>
+Where <replaceable>zone</replaceable> is the zone of the interface to use.
+</para>
+				</step>
+			</substeps>
+		</step>
+		<step>
+			<para>
+				Open the <filename>/etc/rsyslog.conf</filename> file in a text editor and proceed as follows:
+			</para>
+      <substeps>
+      <step>
+        <para>
+          Add these lines below the modules section but above the <literal>Provides UDP syslog reception</literal> section:
+        </para>
+        <screen># Define templates before the rules that use them
+
+### Per-Host Templates for Remote Systems ###
+$template TmplAuthpriv, "/var/log/remote/auth/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
+$template TmplMsg, "/var/log/remote/msg/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"</screen>
+      </step>
+				<step>
+					<para>
+          Replace the default <literal>Provides TCP syslog reception</literal> section with the following:
+					</para>
+					<screen># Provides TCP syslog reception
+$ModLoad imtcp
+# Adding this ruleset to process remote messages
+$RuleSet remote1
+authpriv.*   ?TmplAuthpriv
+*.info;mail.none;authpriv.none;cron.none   ?TmplMsg
+$RuleSet RSYSLOG_DefaultRuleset   #End the rule set by switching back to the default rule set
+$InputTCPServerBindRuleset remote1  #Define a new input and bind it to the "remote1" rule set
+$InputTCPServerRun 514</screen>
+				</step>
+			</substeps>
+			<para>
+				Save the changes to the <filename>/etc/rsyslog.conf</filename> file.
+			</para>
+		</step>
+    <step>
+      <para>
+        The <systemitem>rsyslog</systemitem> service must be running on both the logging server and the systems attempting to log to it.  
+      </para>
+      <substeps>
+        <step>
+			<para>
+				Use the <command>systemctl</command> command to start the <systemitem>rsyslog</systemitem> service.
+			</para>
+      <screen>~]#&nbsp;<userinput><command>systemctl start rsyslog</command></userinput></screen>
+		</step>
+		<step>
+			<para>
+				To ensure the <systemitem>rsyslog</systemitem> service starts automatically in future, enter the following command as root:
+			</para>
+			<screen>~]#&nbsp;<userinput><command>systemctl enable rsyslog</command></userinput></screen>
+		</step>
+      </substeps>
+    </step>
+	</procedure>
+	<para>
+		Your log server is now configured to receive and store log files from the other systems in your environment.
+	</para>
+
+  <section id="sec-Using_The_New_Template_Syntax_on_a_Logging_Server">
+  <title>Using The New Template Syntax on a Logging Server</title>
+  <para>
+    Rsyslog 7 has a number of different templates styles. The string template most closely resembles the legacy format. Reproducing the templates from the example above using the string format would look as follows:
+    <screen>template(name="TmplAuthpriv" type="string"
+         string="/var/log/remote/auth/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
+        )
+
+template(name="TmplMsg" type="string"
+         string="/var/log/remote/msg/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
+        )
+        </screen>
+  </para>
+<para>
+  These templates can also be written in the list format as follows:
+    <screen>
+template(name="TmplAuthpriv" type="list") {
+    constant(value="/var/log/remote/auth/")
+    property(name="hostname")
+    constant(value="/")
+    property(name="programname" SecurePath="replace")
+    constant(value=".log")
+    }</screen>
+  <screen>template(name="TmplMsg" type="list") {
+    constant(value="/var/log/remote/msg/")
+    property(name="hostname")
+    constant(value="/")
+    property(name="programname" SecurePath="replace")
+    constant(value=".log")
+    }</screen>
+   This template text format might be easier to read for those new to rsyslog and therefore can be easier to adapt as requirements change.</para>
+   <para>
+   To complete the change to the new syntax, we need to reproduce the module load command, add a rule set, and then bind the rule set to the protocol, port, and ruleset:
+   </para>
+<screen>
+module(load="imtcp")
+
+ruleset(name="remote1"){
+     authpriv.*   action(type="omfile" DynaFile="TmplAuthpriv")
+      *.info;mail.none;authpriv.none;cron.none action(type="omfile" DynaFile="TmplMsg")
+}
+
+input(type="imtcp" port="514" ruleset="remote1")</screen>
+   <para>
+
+   </para>
+  </section>
+ 
     </section>
     <section id="s1-using_rsyslog_modules">
       <title>Using Rsyslog Modules</title>
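
Review bot: In the third procedure step, "systemctl start rsyslog" will not pick up the edited /etc/rsyslog.conf if the service is already running, which is likely given the earlier statement that rsyslog is installed by default; use "systemctl restart rsyslog" or add an explicit restart after the file is saved. In the firewall substep, "firewall-cmd --zone=zone --add-port=514/tcp" changes only the runtime configuration, so the port closes again on the next firewalld reload or reboot; show the "--permanent" form as well. In both the legacy and the new-syntax templates, %HOSTNAME% is used as a directory name without the secpath-replace option that %PROGRAMNAME% gets; since the value comes from the received message, either apply the same option or say why it is not needed. The section opens TCP 514 without mentioning that this input is unencrypted and unauthenticated, so a short note restricting the firewall rule to trusted sources or pointing to the TLS configuration would help. Smaller points: "bind the rule set to the protocol, port, and ruleset" is circular and should read as binding the input to the rule set, and the empty <para> before the closing </section> of the new-syntax section should be dropped.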

