RSYSLOG - Configuration

From IT-Arts.net


Return to Wiki Index

rsyslog Configuration

Main Configuration File

The primary configuration file for rsyslog is:

/etc/rsyslog.conf

This file holds the global settings, the modules to load, the default logging rules, and the paths of the log files. On most distributions it also pulls in every file matching `/etc/rsyslog.d/*.conf` (through `$IncludeConfig` or `include()`), so a rule can live in either place; when reading or auditing the configuration, check both.

The configuration file is divided into two sections:

  • Global Directives
  • Rules for logging

Example of rsyslog.conf structure:

module(load="imuxsock")  # Unix socket input module
module(load="imklog")    # Kernel log input module
*.* /var/log/syslog       # Log all messages to syslog

Logging Facilities and Priorities

Rsyslog uses facilities and priorities to categorize log messages.

  • Facilities: the source of the message (kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, local0 to local7). The facility is chosen by the sender, so it is a routing hint, not an authenticated origin.
  • Priorities (severities), from most to least severe: emerg, alert, crit, err, warning, notice, info, debug. In a selector, a bare priority such as `daemon.warning` matches that level and every more severe one; `=` restricts the match to exactly that level (`daemon.=warning`), `!` excludes a level and everything more severe, and `none` excludes the facility altogether.

Example:

*.info;mail.none;authpriv.none  /var/log/messages
daemon.*                /var/log/daemon.log

Log File Rotation

Log Rotation with logrotate

Log files written by rsyslog are usually rotated by the `logrotate` utility, which is run from cron or a systemd timer.

Logrotate can rotate log files based on size, age, or other criteria. The main configuration file is:

/etc/logrotate.conf

Per-service rules live in `/etc/logrotate.d/` (Debian and Ubuntu ship the rsyslog rules as `/etc/logrotate.d/rsyslog`).

A sample configuration for rotating rsyslog logs. The `postrotate` script matters: after the rename rsyslog still holds the old file open and keeps writing to it until it is told to reopen, which is what the SIGHUP sent by the script does:

/var/log/syslog
{
    weekly
    rotate 4
    compress
    delaycompress
    notifempty
    create 640 root adm
    postrotate
        # Debian/Ubuntu helper that sends SIGHUP to rsyslogd so it reopens the file;
        # on RHEL-style systems use: /usr/bin/systemctl kill -s HUP rsyslog.service
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}

Periodic Rotation Control

Rsyslog writes to the files; `logrotate` renames them on its schedule and, through `postrotate`, signals rsyslog to reopen them. The conventional settings, which the sample above reproduces, are:

  • Rotate logs weekly
  • Keep 4 rotated logs
  • Compress older logs (`delaycompress` skips compressing the newest rotated file for one cycle, so lines rsyslog writes before it reopens still land in a plain file)

Remote Logging

Sending Logs to Remote Servers

Rsyslog can forward logs to remote servers for centralized logging, which also keeps a copy of the evidence off the host an attacker may later tamper with.

The legacy selector syntax for sending logs to a remote syslog server:

*.* @remote-server.example.com:514

This sends all messages to the remote server over UDP on port 514 (the port is optional; 514 is the default). UDP is fire-and-forget: datagrams lost on the way are gone, nothing is encrypted, and the source address can be spoofed.

For TCP:

*.* @@remote-server.example.com:514

The double `@` symbol selects TCP instead of UDP. TCP gives reliable delivery but is still plaintext. The same forwarding can be written as an `omfwd` action in RainerScript, which is also where TLS and a disk-assisted queue (so messages survive an outage of the collector) are configured.

Receiving Logs from Remote Servers

To receive logs from remote hosts, configure rsyslog to listen for remote log messages by loading an input module and opening a listener:

module(load="imudp")
input(type="imudp" port="514")

This opens UDP port 514; loading the module alone opens nothing, the `input()` line is what listens. Use `imtcp` (both as the module and as the input type) for TCP connections. Restrict who may reach the port with the host firewall, and remember that with UDP the sender's address (rsyslog's `%fromhost-ip%`) can be forged, so nothing in a received message authenticates its origin.
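The exchange described above (a sender using `@host:514`, a receiver with `imudp`), as an added example that is not part of the original page or of rsyslog itself: a Python sender and a loopback UDP listener that show what the `*.* @host:514` forward puts on the wire and which fields the receiver can trust. The listener binds an ephemeral port instead of 514 so it runs unprivileged, the sample messages are constructed, and the parser is a simplification (rsyslog keeps the colon in `%syslogtag%` and the leading space in `%msg%`; this one strips them).

```python
import re
import socket

# Added example, not from the page or from the rsyslog project: a BSD-syslog
# (RFC 3164 style) sender and a UDP listener on loopback, showing what an
# "*.* @host:514" forward puts on the wire and which fields a receiver can
# trust. The listener uses an ephemeral port instead of 514 so it runs
# unprivileged; the sample messages below are constructed, not captured.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
_FACILITY_NAME = {v: k for k, v in FACILITIES.items()}
_SEVERITY_NAME = {v: k for k, v in SEVERITIES.items()}


def encode_pri(facility, severity):
    """The <PRI> number that leads every message: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility, severity, timestamp, hostname, tag, msg):
    """Same layout as rsyslog's traditional forward format:
    <PRI>TIMESTAMP HOSTNAME TAG: MSG. Every field is chosen by the sender."""
    pri = encode_pri(facility, severity)
    return f"<{pri}>{timestamp} {hostname} {tag}: {msg}".encode("utf-8")


_PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.S)


def parse_message(datagram):
    """Split one datagram into rsyslog-like properties.
    Raises ValueError for input a receiver should refuse. Simplification:
    rsyslog keeps the ':' in %syslogtag% and the leading space in %msg%;
    this parser strips both."""
    m = _PRI_RE.match(datagram)
    if not m:
        raise ValueError("missing <PRI>")
    pri = int(m.group(1))
    if pri > 191:                           # highest valid: 23 * 8 + 7
        raise ValueError("PRI out of range")
    body = m.group(2).decode("utf-8", errors="replace")
    # The BSD timestamp is fixed width, "Mmm dd hh:mm:ss" (15 chars),
    # followed by one space and then HOSTNAME.
    if len(body) < 17 or body[15] != " ":
        raise ValueError("malformed timestamp")
    timestamp, rest = body[:15], body[16:]
    hostname, _, rest = rest.partition(" ")
    tag, sep, msg = rest.partition(": ")
    if not sep:                             # no "TAG: " present
        tag, msg = "", rest
    return {
        "facility": _FACILITY_NAME.get(pri // 8, pri // 8),
        "severity": _SEVERITY_NAME[pri % 8],
        "timestamp": timestamp,             # rsyslog %timestamp%: sender-supplied
        "hostname": hostname,               # rsyslog %hostname%: sender-supplied
        "syslogtag": tag,
        "msg": msg,
    }


def exchange(datagrams, timeout=2.0):
    """Deliver datagrams to a loopback UDP listener standing in for
    input(type="imudp" port="514"), and return [(peer_ip, properties)].
    peer_ip is what rsyslog exposes as %fromhost-ip%: the only origin
    information that does not come from inside the message, and over
    UDP even that can be spoofed."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        server.bind(("127.0.0.1", 0))       # ephemeral port, no root needed
        server.settimeout(timeout)
        port = server.getsockname()[1]
        for d in datagrams:
            client.sendto(d, ("127.0.0.1", port))
        received = []
        for _ in datagrams:
            data, (peer_ip, _) = server.recvfrom(65535)
            received.append((peer_ip, parse_message(data)))
        return received
    finally:
        client.close()
        server.close()


# Constructed sample traffic. "web01" is simply what the sender wrote:
# any host that can reach the listener can claim to be web01.
SAMPLE = [
    build_message("auth", "err", "Mar  1 10:00:00", "web01", "sshd[1234]",
                  "Failed password for root from 203.0.113.7 port 52211 ssh2"),
    build_message("auth", "info", "Mar  1 10:00:01", "web01", "sshd[1234]",
                  "Accepted publickey for deploy from 203.0.113.7 port 52212 ssh2"),
]

if __name__ == "__main__":
    for peer_ip, props in exchange(SAMPLE):
        print(peer_ip, props)
```

Running it prints the listener's view of both messages: the facility and severity decoded from `<35>` and `<38>`, the hostname and tag exactly as the sender wrote them, and the peer address as the only field the socket layer supplies. That is why a collector should record `%fromhost-ip%` alongside `%hostname%` and why TLS with client certificates, not the hostname in the message, is what authenticates a sender.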

Advanced Filtering and Log Routing

Filtering Log Messages

Rsyslog provides powerful filtering capabilities based on facility, priority, and content.

Example of filtering based on message content:

if $msg contains 'error' then /var/log/error.log

This rule writes any message whose text contains the substring `error` to `/var/log/error.log`. `contains` is case-sensitive; `contains_i` is the case-insensitive form. The message continues through the rules that follow unless the rule is followed by `& stop`, so without that it also lands in the general log.

Filtering by severity:

*.info;*.notice;*.warn    /var/log/general.log

Because a bare priority matches that level and everything more severe, `*.info` already covers notice, warning and above, so this line is equivalent to `*.info` alone and also routes err, crit, alert and emerg messages to `/var/log/general.log`. To route only messages at exactly the `info`, `notice` and `warning` levels, use the `=` form:

*.=info;*.=notice;*.=warning    /var/log/general.log
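Both selector examples on this page (`*.info;mail.none;authpriv.none` under Logging Facilities and Priorities, and the severity rules just above), as an added example that is not from the page or from rsyslog: a Python model of how rsyslog, like sysklogd before it, evaluates classic `facility.priority` selectors. Each entry sets or clears severity bits per facility from left to right, which is why a later `mail.none` overrides an earlier `*.info`, and why `*.info;*.notice;*.warn` collapses to `*.info`. The messages fed through it are constructed, not real captures.

```python
# Added example, not from the page or from the rsyslog project: a model of
# classic "facility.priority" selector evaluation. Each selector entry sets
# or clears severity bits per facility, left to right, so a later
# "mail.none" overrides an earlier "*.info".
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]


def compile_selector(selector):
    """Return {facility: set of severity indexes} that the selector accepts."""
    mask = {f: set() for f in FACILITIES}
    for entry in selector.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        facs, dot, pri = entry.rpartition(".")
        if not dot:
            raise ValueError(f"selector without priority: {entry!r}")
        targets = FACILITIES if facs == "*" else [f.strip() for f in facs.split(",")]
        unknown = [f for f in targets if f not in mask]
        if unknown:
            raise ValueError(f"unknown facility {unknown[0]!r}")
        # "!" excludes, "=" restricts to exactly one level; "!=" combines both.
        ignore = pri.startswith("!")
        pri = pri.lstrip("!")
        exact = pri.startswith("=")
        pri = pri.lstrip("=")
        pri = ALIASES.get(pri, pri)
        if pri == "none":               # drop the facility entirely
            levels, ignore = set(range(8)), True
        elif pri == "*":
            levels = set(range(8))
        elif pri in SEVERITIES:
            idx = SEVERITIES.index(pri)
            # A bare priority means "this level and every more severe one",
            # i.e. indexes 0 .. idx; "=" means just idx.
            levels = {idx} if exact else set(range(idx + 1))
        else:
            raise ValueError(f"unknown priority {pri!r}")
        for f in targets:
            if ignore:
                mask[f] -= levels
            else:
                mask[f] |= levels
    return mask


def matches(selector, facility, severity):
    """True if a message with this facility/severity is taken by the rule."""
    sev = SEVERITIES.index(ALIASES.get(severity, severity))
    return sev in compile_selector(selector)[facility]


def route(rules, messages):
    """rules: [(selector, target)]; messages: [(facility, severity, text)].
    Returns {target: [text, ...]}. A message can hit several rules because
    there is no implicit 'stop' after a match."""
    out = {target: [] for _, target in rules}
    for facility, severity, text in messages:
        for selector, target in rules:
            if matches(selector, facility, severity):
                out[target].append(text)
    return out


# Constructed messages (not real log captures) and the page's rule sets.
MESSAGES = [
    ("daemon", "info", "systemd: Started nginx"),
    ("daemon", "debug", "dhclient: DHCPREQUEST"),
    ("mail", "err", "postfix: relay refused"),
    ("authpriv", "info", "sshd: Accepted publickey for deploy"),
    ("cron", "err", "cron: (root) CAN'T OPEN (/etc/crontab)"),
    ("kern", "emerg", "kernel: Oops"),
]
RULES = [
    ("*.info;mail.none;authpriv.none", "/var/log/messages"),
    ("*.info;*.notice;*.warn", "/var/log/general.log"),      # same as *.info
    ("*.=info;*.=notice;*.=warning", "/var/log/levels.log"),  # exactly those levels
]

if __name__ == "__main__":
    for target, lines in route(RULES, MESSAGES).items():
        print(target, lines)
```

The `cron` error message illustrates the difference: it lands in `/var/log/general.log` under `*.info;*.notice;*.warn` but not in `/var/log/levels.log` under the `=` form. `compile_selector` can also be used as a quick review tool: compile the selector from a rule and look at which facilities still have their `auth`/`authpriv` bits set before trusting that a file is free of credentials-related lines.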

Using Custom Templates

Rsyslog allows creating custom log formats using templates.

Example of a custom template for log formatting:

template(name="CustomTemplate" type="string"
         string="%timestamp% %hostname% %syslogtag%%msg%\n")
*.* /var/log/custom.log;CustomTemplate

Each property reference is enclosed in a pair of `%` signs; `%timestamp %hostname` without the closing `%` is a syntax error. `%syslogtag%` already ends with the colon and `%msg%` begins with the space that followed it, which is why the two are written back to back. The template is bound to the action with `;CustomTemplate` after the file name (or `template="CustomTemplate"` on an `omfile` action). Note that `%timestamp%` is the time stamp carried inside the message, which the sender controls; `%timegenerated%` is when rsyslog received it and is the safer basis for a forensic timeline, and `%timestamp:::date-rfc3339%` gives an unambiguous, sortable format.

Security Concepts

Log File Permissions

Log files must be readable only by the accounts that need them: a world-readable syslog hands an unprivileged user usernames, internal hostnames and failed-login details, and a writable one lets an intruder erase their tracks.

Set ownership and permissions on the log files:

chown root:adm /var/log/syslog
chmod 640 /var/log/syslog

`chmod` sets the mode but not the owner, so both commands are needed: root can read and write, members of the `adm` group can read, and everyone else gets nothing. Keep this consistent with the `create 640 root adm` line in logrotate so rotated files come back with the same mode; for files rsyslog creates itself, the `omfile` parameters `fileCreateMode`, `fileOwner` and `fileGroup` (or the global `$FileCreateMode`, `$FileOwner`, `$FileGroup`) control the same thing.

Protecting Remote Logs

When sending logs to a remote server, the transport must protect both confidentiality and authenticity: an unencrypted TCP stream can be read and altered in transit, and without certificate checks either side can be impersonated.

TLS in rsyslog is configured through the network stream driver, not through an attribute on the input. On the receiving side, select the `gtls` driver (package `rsyslog-gnutls` on Debian and Ubuntu; `ossl` from `rsyslog-openssl` is the OpenSSL alternative), point it at the CA certificate and the server's own certificate and key, and make `imtcp` require TLS with a client certificate:

global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.crt"
       DefaultNetstreamDriverCertFile="/etc/rsyslog.d/certificate.crt"
       DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/private.key")
module(load="imtcp"
       StreamDriver.Mode="1"               # 1 = TLS only; 0 would also accept plaintext
       StreamDriver.AuthMode="x509/name"   # validate the client certificate and its name
       PermittedPeer=["*.example.com"])    # names accepted from client certificates
input(type="imtcp" port="6514")            # 6514 is the registered syslog-over-TLS port

The sending host needs the same `global()` block with its own certificate and key, plus a matching `omfwd` action, for example `action(type="omfwd" target="remote-server.example.com" port="6514" protocol="tcp" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="remote-server.example.com")`. With `x509/name` on both ends, each side verifies the peer's certificate chain against `ca.crt` and checks the peer's name against the certificate, so a passive eavesdropper, a rogue collector and an unauthorised sender are all refused. Keep `private.key` readable only by the rsyslog process. `imudp` has no TLS mode; move forwarding to TCP (or RELP) before enabling it.

Rate Limiting and Throttling

Rsyslog's inputs support rate limiting to stop a chatty or hostile process from flooding the log pipeline. The limit is a burst of messages per interval (in seconds): once the burst is used up, the remaining messages in that interval are discarded, and when the next interval begins rsyslog logs a message stating how many were lost.

To limit what arrives on the local system socket (legacy names `$SystemLogRateLimitInterval` and `$SystemLogRateLimitBurst`) and on a UDP listener:

module(load="imuxsock" SysSock.RateLimit.Interval="60" SysSock.RateLimit.Burst="100")
module(load="imudp")
input(type="imudp" port="514" ratelimit.interval="60" ratelimit.burst="100")

Rate limiting is configured per input; for `imuxsock` it is applied per sending process (by PID), so one runaway daemon cannot silence the others. An interval of 0 disables the limit. The trade-off is that everything above the burst is dropped, so an attacker who can produce a hundred lines in a few seconds can push the one line that would have exposed them into the discarded remainder. Keep bursts generous, alert on the "lost N messages" notices, and leave the limit off on inputs where loss is not acceptable.
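The interval/burst behaviour described above, as an added example that is not from the page or from rsyslog: a Python model of a per-interval limiter driven by constructed message timestamps. Within one interval the first `burst` messages pass, the rest are dropped, and a summary notice is produced when the next interval opens. The scenario shows the failure mode worth remembering: a burst of noise immediately before an interesting event causes that event to be the one that is lost. The notice wording and the exact window bookkeeping are this model's, not rsyslog's.

```python
# Added example, not from the page or from the rsyslog project: a model of
# the interval/burst limiter that rsyslog inputs expose as
# ratelimit.interval and ratelimit.burst. The notice wording and the window
# bookkeeping are assumptions of this model, not rsyslog's source.

class IntervalLimiter:
    def __init__(self, interval, burst):
        self.interval = interval
        self.burst = burst
        self.window_start = None
        self.passed = 0          # messages accepted in the current window
        self.dropped = 0         # messages dropped in the current window

    def admit(self, now):
        """Decide on one message arriving at time `now` (seconds).
        Returns (accepted, notice); notice is None or a line the limiter
        would itself log about the suppression."""
        if self.interval <= 0:
            return True, None     # interval 0 turns rate limiting off
        notice = None
        if self.window_start is None or now > self.window_start + self.interval:
            if self.dropped:
                notice = f"lost {self.dropped} messages due to rate-limiting"
            self.window_start, self.passed, self.dropped = now, 0, 0
        if self.passed < self.burst:
            self.passed += 1
            return True, notice
        if self.dropped == 0:     # announce once per window, then stay quiet
            notice = "begins to drop messages due to rate-limiting"
        self.dropped += 1
        return False, notice


def simulate(interval, burst, events):
    """events: [(timestamp_seconds, text)] in arrival order. Returns the
    texts that reached the log, the texts lost, and the limiter's notices."""
    limiter = IntervalLimiter(interval, burst)
    result = {"logged": [], "lost": [], "notices": []}
    for when, text in events:
        accepted, notice = limiter.admit(when)
        if notice:
            result["notices"].append(f"{when:.1f}: {notice}")
        (result["logged"] if accepted else result["lost"]).append(text)
    return result


# Constructed scenario (not a real capture): 100 junk lines within one
# second from a misbehaving or hostile process, then the single line an
# analyst would need, then a quiet minute.
FLOOD = [(i * 0.01, f"noisy-daemon[42]: retrying {i}") for i in range(100)]
EVENTS = FLOOD + [
    (1.0, "sshd[1234]: Failed password for root from 203.0.113.7"),
    (61.0, "sshd[1234]: Accepted publickey for deploy from 203.0.113.7"),
]

if __name__ == "__main__":
    outcome = simulate(60, 100, EVENTS)
    print("logged:", len(outcome["logged"]), "lost:", outcome["lost"])
    print("\n".join(outcome["notices"]))
```

With `interval=60, burst=100` the hundred noise lines consume the whole burst, the failed-login line at t=1.0 is dropped, and only the "lost 1 messages" notice at t=61.0 records that anything happened. Raising the burst, or disabling the limit for the auth-relevant input, is the mitigation; the notice itself is what a detection rule should fire on, because it is the only trace of the gap.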

Troubleshooting

Logs Not Appearing in the Correct File

If log messages are not appearing in the expected log file:

  • Validate the configuration, including everything included from `/etc/rsyslog.d/`; a parse error does not necessarily stop rsyslog from starting, so the rule you expect may simply be missing.
  • Confirm that a rule with a matching selector and file path exists, and that no earlier rule discards the message with `stop` (legacy `& stop`).
  • After `logrotate` renames a file, rsyslog keeps writing to the renamed file until it receives SIGHUP; check the `postrotate` script, and check that `create` uses a mode and owner that rsyslog can write to.
  • Read rsyslog's own messages (`journalctl -u rsyslog`, or the syslog file itself), which report files it could not open and actions it suspended.

Example of checking that the configuration is valid:

rsyslogd -N1

The number is the validation level. On an error the command names the file and line and exits non-zero, which makes it suitable as a check before restarting the service in a deployment script.

Rsyslog Not Receiving Remote Logs

If rsyslog is not receiving remote logs:

  • Check that the `imudp` or `imtcp` module is loaded and that an `input()` for it exists; loading the module alone opens nothing.
  • Verify that rsyslog is listening on the correct port and protocol:
ss -tulnp | grep ':514'
  • Ensure the host firewall (nftables, iptables or firewalld) permits the port from the sending hosts, and send a test message from a client with `logger -n remote-server.example.com -P 514 -d "test"` (`-T` for TCP).
  • Confirm that sender and receiver use the same transport: `@` sends UDP, which an `imtcp` listener will never see.

High CPU Usage by Rsyslog

High CPU usage usually means rsyslog is handling far more messages than expected, and the most common reason is a loop: host A forwards to host B, which forwards back to A; a file written by `omfile` is read again by `imfile`; or rsyslog's own error messages about a failing action are themselves routed to that action. Each pass multiplies the traffic.

Check whether rsyslog is the process consuming the CPU:

top -p $(pidof rsyslogd)

Then find the source: watch the busiest log file for messages that repeat, load `impstats` to get per-input and per-action counters, and inspect which `%fromhost-ip%` values dominate the incoming stream. Break a loop by adding `stop` after the forwarding action or by excluding the collector's own messages from what it forwards.
