[system-administrators-guide] Configuring rsyslog on a Logging Server
stephenw
stephenw at fedoraproject.org
Wed Jun 10 22:15:40 UTC 2015
commit cf69f91791401e8d8014bfea3ccac28949a27d05
Author: Stephen Wadeley <swadeley at redhat.com>
Date: Thu Jun 11 00:12:51 2015 +0200
Configuring rsyslog on a Logging Server
en-US/Viewing_and_Managing_Log_Files.xml | 138 ++++++++++++++++++++++++++++++
1 files changed, 138 insertions(+), 0 deletions(-)
---
diff --git a/en-US/Viewing_and_Managing_Log_Files.xml b/en-US/Viewing_and_Managing_Log_Files.xml
index e5dcbef..919bb50 100644
--- a/en-US/Viewing_and_Managing_Log_Files.xml
+++ b/en-US/Viewing_and_Managing_Log_Files.xml
@@ -1409,6 +1409,144 @@ $ActionQueueSaveOnShutdown on
mentioned already? Sending syslog Messages over the Network
</para>
</section> -->
+
+ </section>
+ <section id="s1-configuring_rsyslog_on_a_logging_server">
+ <title>Configuring rsyslog on a Logging Server</title>
+ <para>
+ The <systemitem class="service">rsyslog</systemitem> service provides facilities both for running a logging server and for configuring individual systems to send their log files to the logging server. See <xref linkend="ex-net_forwarding_with_queue" /> for information on client rsyslog configuration.
+ </para>
+ <para>
+ The <systemitem class="service">rsyslog</systemitem> service must be installed on the system that you intend to use as a logging server and all systems that will be configured to send logs to it. Rsyslog is installed by default in &MAJOROSVER;. If required, to ensure that it is, enter the following command as <systemitem class="username">root</systemitem>:
+ </para>
+ <screen>~]# <command>yum install rsyslog</command></screen>
+ <para>
+ The steps in this procedure must be followed on the system that you intend to use as your logging server. All steps in this procedure must be made as the <systemitem>root</systemitem> user:
+ </para>
+ <procedure>
+ <step>
+ <para>
+ Configure the firewall to allow <systemitem>rsyslog</systemitem> <systemitem class="protocol">TCP</systemitem> traffic.
+ </para>
+ <substeps>
+ <step>
+ <para>
+ The default port for <systemitem class="service">rsyslog</systemitem> <systemitem class="protocol">TCP</systemitem> traffic is <literal>514</literal>. To allow <systemitem class="protocol">TCP</systemitem> traffic on this port, enter a command as follows:
+ </para>
+ <screen>~]# <command>firewall-cmd --zone=<replaceable>zone</replaceable> --add-port=514/tcp</command>
+success</screen>
+<para>
+Where <replaceable>zone</replaceable> is the zone of the interface to use.
+</para>
+ </step>
+ </substeps>
+ </step>
+ <step>
+ <para>
+ Open the <filename>/etc/rsyslog.conf</filename> file in a text editor and proceed as follows:
+ </para>
+ <substeps>
+ <step>
+ <para>
+ Add these lines below the modules section but above the <literal>Provides UDP syslog reception</literal> section:
+ </para>
+ <screen># Define templates before the rules that use them
+
+### Per-Host Templates for Remote Systems ###
+$template TmplAuthpriv, "/var/log/remote/auth/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
+$template TmplMsg, "/var/log/remote/msg/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"</screen>
+ </step>
+ <step>
+ <para>
+ Replace the default <literal>Provides TCP syslog reception</literal> section with the following:
+ </para>
+ <screen># Provides TCP syslog reception
+$ModLoad imtcp
+# Adding this ruleset to process remote messages
+$RuleSet remote1
+authpriv.* ?TmplAuthpriv
+*.info;mail.none;authpriv.none;cron.none ?TmplMsg
+$RuleSet RSYSLOG_DefaultRuleset #End the rule set by switching back to the default rule set
+$InputTCPServerBindRuleset remote1 #Define a new input and bind it to the "remote1" rule set
+$InputTCPServerRun 514</screen>
+ </step>
+ </substeps>
+ <para>
+ Save the changes to the <filename>/etc/rsyslog.conf</filename> file.
+ </para>
+ </step>
+ <step>
+ <para>
+ The <systemitem>rsyslog</systemitem> service must be running on both the logging server and the systems attempting to log to it.
+ </para>
+ <substeps>
+ <step>
+ <para>
+ Use the <command>systemctl</command> command to start the <systemitem>rsyslog</systemitem> service.
+ </para>
+ <screen>~]# <userinput><command>systemctl start rsyslog</command></userinput></screen>
+ </step>
+ <step>
+ <para>
+ To ensure the <systemitem>rsyslog</systemitem> service starts automatically in future, enter the following command as root:
+ </para>
+ <screen>~]# <userinput><command>systemctl enable rsyslog</command></userinput></screen>
+ </step>
+ </substeps>
+ </step>
+ </procedure>
+ <para>
+ Your log server is now configured to receive and store log files from the other systems in your environment.
+ </para>
+
+ <section id="sec-Using_The_New_Template_Syntax_on_a_Logging_Server">
+ <title>Using The New Template Syntax on a Logging Server</title>
+ <para>
+ Rsyslog 7 has a number of different templates styles. The string template most closely resembles the legacy format. Reproducing the templates from the example above using the string format would look as follows:
+ <screen>template(name="TmplAuthpriv" type="string"
+ string="/var/log/remote/auth/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
+ )
+
+template(name="TmplMsg" type="string"
+ string="/var/log/remote/msg/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
+ )
+ </screen>
+ </para>
+<para>
+ These templates can also be written in the list format as follows:
+ <screen>
+template(name="TmplAuthpriv" type="list") {
+ constant(value="/var/log/remote/auth/")
+ property(name="hostname")
+ constant(value="/")
+ property(name="programname" SecurePath="replace")
+ constant(value=".log")
+ }</screen>
+ <screen>template(name="TmplMsg" type="list") {
+ constant(value="/var/log/remote/msg/")
+ property(name="hostname")
+ constant(value="/")
+ property(name="programname" SecurePath="replace")
+ constant(value=".log")
+ }</screen>
+ This template text format might be easier to read for those new to rsyslog and therefore can be easier to adapt as requirements change.</para>
+ <para>
+ To complete the change to the new syntax, we need to reproduce the module load command, add a rule set, and then bind the rule set to the protocol, port, and ruleset:
+ </para>
+<screen>
+module(load="imtcp")
+
+ruleset(name="remote1"){
+ authpriv.* action(type="omfile" DynaFile="TmplAuthpriv")
+ *.info;mail.none;authpriv.none;cron.none action(type="omfile" DynaFile="TmplMsg")
+}
+
+input(type="imtcp" port="514" ruleset="remote1")</screen>
+ <para>
+
+ </para>
+ </section>
+
</section>
<section id="s1-using_rsyslog_modules">
<title>Using Rsyslog Modules</title>
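Review bot: In the TmplAuthpriv and TmplMsg templates (legacy, string and list forms), the hostname goes into the DynaFile path unsanitized while the program name gets secpath-replace. The hostname property is taken from the received message, so a sending system controls that path component under /var/log/remote/ on the logging server. Apply the same option to it, %HOSTNAME:::secpath-replace% in the legacy and string templates and property(name="hostname" SecurePath="replace") in the list templates, or build the directory from fromhost-ip instead. Also, the firewall-cmd substep opens 514/tcp in the runtime configuration only, so the port closes again on a firewalld reload or reboot even though a later step enables rsyslog at boot; add the same command with --permanent. Minor: "templates styles" should read "template styles", and the empty <para> at the end of the new-syntax section can be dropped.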