RSYSLOG - Configuration: Difference between revisions

From IT-Arts.net
m Text replacement - "Category:Wiki" to "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' "
No edit summary
 
Previous revision (wikitext, de-interleaved from the side-by-side diff table; the current text is rendered under "Latest revision" below):

== rsyslog Configuration ==

== Configuration Files ==
=== Main Configuration File ===
The primary configuration file for rsyslog is:
<nowiki>
/etc/rsyslog.conf</nowiki>

Rsyslog is primarily configured through the `/etc/rsyslog.conf` file and the `/etc/rsyslog.d/` directory, where additional configuration files can be placed. The main configuration file `/etc/rsyslog.conf` controls global settings, while the files in `/etc/rsyslog.d/` allow modular configuration.

The main configuration file contains global settings, input modules, and output modules. Here's an example of a basic configuration file:
  <nowiki>
# /etc/rsyslog.conf

# Load the necessary modules
module(load="imuxsock")        # Unix socket for local syslog messages
module(load="imklog")          # Kernel logging module

# Global settings
global(workDirectory="/var/spool/rsyslog")

# Define template for log file formatting
template(name="LogFormat" type="string" string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%\n")

# Default logging rules for local logs
*.* /var/log/syslog;LogFormat

# Remote logging configuration
*.* @remote.syslog.server:514</nowiki>

== Modular Configuration ==

For better organization and flexibility, you can add custom configurations in the `/etc/rsyslog.d/` directory. Each file within this directory contains specific configurations for different log sources or destinations.

Example of a custom file for remote logging (`/etc/rsyslog.d/remote.conf`):
  <nowiki>
# /etc/rsyslog.d/remote.conf
# Send all logs to a remote syslog server
*.* @logserver.example.com:514</nowiki>

== Input Modules ==

Input modules are responsible for receiving log messages from various sources. Rsyslog includes several input modules for different use cases, such as local logging, remote logging, and logging from specific applications.

== Local Syslog Messages ==

The `imuxsock` module is used for receiving local syslog messages through Unix domain sockets.
  <nowiki>
module(load="imuxsock")  # Load the module for local syslog messages</nowiki>

== Kernel Log Messages ==

The `imklog` module is used for reading kernel log messages (i.e., messages generated by the Linux kernel).
<nowiki>
module(load="imklog")  # Load the kernel log module</nowiki>

== Remote Log Reception ==

Rsyslog supports receiving log messages from remote systems over UDP, TCP, or RELP. To enable remote logging reception, use the `imtcp` or `imudp` module.

Example of receiving logs over UDP:
  <nowiki>
module(load="imudp")  # Load UDP input module
input(type="imudp" port="514")  # Listen on UDP port 514</nowiki>

Example of receiving logs over TCP:
  <nowiki>
module(load="imtcp")  # Load TCP input module
input(type="imtcp" port="514")  # Listen on TCP port 514</nowiki>

== File Input ==

The `imfile` module can be used to read logs from specific files.
  <nowiki>
module(load="imfile") # Load the imfile module to read log files
input(type="imfile" File="/var/log/myapp.log" Tag="myapp" Severity="info")</nowiki>

== Output Modules ==

Output modules are used to direct log messages to different destinations, such as files, remote servers, or databases.

== Local File Logging ==

Logs can be directed to local files using output rules in the configuration file. For example, to store all logs in `/var/log/syslog`, you can use the following configuration:
  <nowiki>
*.* /var/log/syslog</nowiki>

You can also use templates to format log messages before writing them to files. For example, using the previously defined `LogFormat` template:
  <nowiki>
*.* /var/log/syslog;LogFormat</nowiki>

== Remote Syslog Logging ==

To send logs to a remote syslog server, the following configuration is used. You can specify either UDP or TCP as the transport protocol.

Example for UDP:
  <nowiki>
*.* @remote.syslog.server:514  # Send logs to a remote server using UDP</nowiki>

Example for TCP:
<nowiki>
*.* @@remote.syslog.server:514  # Send logs to a remote server using TCP</nowiki>

The `@` symbol indicates UDP, while `@@` indicates TCP.

== Database Logging ==

Rsyslog supports logging directly to databases, such as MySQL, PostgreSQL, or SQLite, using the `ommysql` or `ompgsql` modules. Example for logging to a MySQL database:
<nowiki>
module(load="ommysql")  # Load MySQL output module
action(type="ommysql" server="localhost" database="syslog" user="rsyslog" password="password")
</nowiki>

== JSON Logging ==

Rsyslog can format and output logs as JSON. This is useful for integration with other systems or for structured logging. Here's an example of how to format logs as JSON and write them to a file:
  <nowiki>
template(name="jsonTemplate" type="list") {
    constant(value="{")
    constant(value="\"timestamp\":\"")      property(name="timegenerated")
    constant(value="\",\"hostname\":\"")    property(name="hostname")
    constant(value="\",\"message\":\"")      property(name="msg")
    constant(value="\"}")
}

*.* /var/log/syslog.json;jsonTemplate</nowiki>

== Filtering and Log Level Control ==

Rsyslog provides extensive filtering capabilities, allowing you to control the flow of log messages based on various criteria, such as severity, facility, or even specific content within the message.

== Severity Filtering ==

You can filter log messages based on their severity level. The standard syslog severity levels are: `emerg`, `alert`, `crit`, `err`, `warning`, `notice`, `info`, and `debug`.

Example to log only `err` and higher severity messages to `/var/log/errors.log`:
  <nowiki>
*.err /var/log/errors.log</nowiki>

== Facility Filtering ==

Syslog messages are also categorized by their facility, such as `auth`, `daemon`, `cron`, `kern`, and more. You can filter based on the facility as well.

Example to log only `auth` facility messages:
<nowiki>
auth.* /var/log/auth.log</nowiki>

== Message Content Filtering ==

Rsyslog allows you to filter logs based on specific content within the message. For example, to log only messages containing the string "error":
  <nowiki>
if $msg contains 'error' then /var/log/error_messages.log</nowiki>

You can also use regular expressions for more advanced pattern matching:
  <nowiki>
if $msg =~ /.*critical.*/ then /var/log/critical.log</nowiki>

== Advanced Topics ==

== Rate Limiting ==

To prevent log flooding, Rsyslog supports rate limiting of log messages. You can configure it to drop messages exceeding a certain rate or delay processing.
  <nowiki>
module(load="imrate")  # Load the rate-limiting module
ruleset(name="RateLimit") {
    action(type="omfile" file="/var/log/rate_limited.log" rate="100" burst="200")
}</nowiki>

== TLS Encryption for Remote Logging ==

For secure remote logging over TCP, you can configure TLS encryption using the `gtls` module. Here's an example of setting up encrypted logging to a remote server:
<nowiki>
module(load="gtls")  # Load the TLS module
global(transport="tls")  # Set the global transport to TLS
*.* @@remote.syslog.server:6514  # Send logs securely over TLS to the remote server</nowiki>

== Log Rotation and Archiving ==

Log rotation and archiving are usually managed by external tools like `logrotate`. However, you can configure Rsyslog to handle log file rotation within the `rsyslog.conf` itself using the `maxLogSize` option:
<nowiki>
$MaxMessageSize 64k  # Set the maximum size for log messages</nowiki>

Links added in the latest revision (its "Useful Links" section):

* https://www.rsyslog.com/
* https://man7.org/linux/man-pages/man5/rsyslog.conf.5.html
* https://www.rsyslog.com/doc/
* https://www.thegeekdiary.com/how-to-configure-rsyslog-to-send-and-receive-logs-to-and-from-remote-servers/
* https://www.digitalocean.com/community/tutorials/how-to-use-rsyslog-for-centralized-logging-on-ubuntu-18-04
* https://www.kernel.org/doc/Documentation/networking/rsyslog.txt

Latest revision as of 09:36, 17 January 2026



rsyslog Configuration

Main Configuration File

The primary configuration file for rsyslog is:

/etc/rsyslog.conf

This file contains the global configuration settings, including modules to load, default logging rules, and file paths for logs.

The configuration file is divided into two sections:

  • Global Directives
  • Rules for logging

Example of rsyslog.conf structure:

module(load="imuxsock")  # Unix socket input module
module(load="imklog")    # Kernel log input module
*.* /var/log/syslog       # Log all messages to syslog

Logging Facilities and Priorities

Rsyslog uses facilities and priorities to categorize log messages.

  • Facilities: Define the source of the log messages (e.g., kernel, mail, auth, daemon).
  • Priorities: Define the severity of the message (e.g., debug, info, warning, error, crit, alert, emerg).

Example:

*.info;mail.none;authpriv.none  /var/log/messages
daemon.*                /var/log/daemon.log
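The facility and priority of a message travel in its PRI field (`<PRI>` = facility * 8 + severity), and a classic selector such as `*.info;mail.none;authpriv.none` is a union of per-facility priority sets where a plain priority means "that level and anything more severe", `=` pins an exact level and `none` clears a facility. The following Python script, added here as an illustration and not part of the wiki page, decodes the PRI field and evaluates selectors against a few constructed sample messages, going slightly beyond the page by also handling the `=` and `!` forms of the selector syntax:

```python
import re

# Facility numbers 0-23 and severity numbers 0-7 as carried in the syslog PRI field.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Alternate spellings accepted in selectors.
SEVERITY_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity) names for a '<PRI>'-prefixed message."""
    m = PRI_RE.match(line)
    if m is None:
        raise ValueError("missing PRI field: %r" % line)
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI %d out of range" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def compile_selector(selector):
    """Turn 'fac.pri;fac.pri;...' into {facility: set(selected severities)}.

    Entries are applied left to right: a plain priority adds that level and all
    more severe ones, '=pri' adds exactly one level, '!' removes instead of
    adds, and 'none' clears the facility. This mirrors the sysklogd-style
    per-facility priority table that rsyslog uses for legacy selectors.
    """
    table = {f: set() for f in FACILITIES}
    for entry in selector.split(";"):
        fac_part, pri_part = entry.strip().rsplit(".", 1)
        facilities = FACILITIES if fac_part == "*" else [f.strip() for f in fac_part.split(",")]
        negate = pri_part.startswith("!")
        pri_part = pri_part.lstrip("!")
        exact = pri_part.startswith("=")
        pri_name = SEVERITY_ALIASES.get(pri_part.lstrip("="), pri_part.lstrip("="))
        if pri_name == "none":
            chosen, negate = set(SEVERITIES), True
        elif pri_name == "*":
            chosen = set(SEVERITIES)
        elif exact:
            chosen = {pri_name}
        else:
            chosen = set(SEVERITIES[: SEVERITIES.index(pri_name) + 1])
        for f in facilities:
            if f not in table:
                raise ValueError("unknown facility %r" % f)
            if negate:
                table[f] -= chosen
            else:
                table[f] |= chosen
    return table


def route(selector, lines):
    """Return the lines that the selector would send to its action."""
    table = compile_selector(selector)
    matched = []
    for line in lines:
        facility, severity = decode_pri(line)
        if severity in table[facility]:
            matched.append(line)
    return matched


# Constructed sample messages (not real log data); PRI values chosen to cover
# the facilities used in the page's example selectors.
SAMPLE = [
    "<38>Jan 17 09:36:01 host1 sshd[1234]: Accepted publickey for alice",   # auth.info
    "<22>Jan 17 09:36:02 host1 postfix/smtpd[99]: connect from localhost",  # mail.info
    "<86>Jan 17 09:36:03 host1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls",  # authpriv.info
    "<31>Jan 17 09:36:04 host1 cron[55]: scheduler tick",                   # daemon.debug
    "<3>Jan 17 09:36:05 host1 kernel: Out of memory: killed process 4242",  # kern.err
]

if __name__ == "__main__":
    for sel in ("*.info;mail.none;authpriv.none", "daemon.*", "*.err"):
        print(sel)
        for line in route(sel, SAMPLE):
            print("   ", line)
```

Running it shows that `*.info;mail.none;authpriv.none` keeps the sshd and kernel lines but drops mail and authpriv (sudo) traffic, which is exactly why `/var/log/messages` on many systems does not contain authentication details.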

Log File Rotation

Log Rotation with logrotate

Log files managed by rsyslog are usually rotated by the `logrotate` utility.

Logrotate can be configured to rotate log files based on size, age, or other criteria. The configuration file is:

/etc/logrotate.conf

A sample configuration for rotating rsyslog logs:

/var/log/syslog
{
    weekly
    rotate 4
    compress
    delaycompress
    notifempty
    create 640 root adm
}

Periodic Rotation Control

Rsyslog sends logs to the specified files, and `logrotate` handles their rotation. The default configuration is:

  • Rotate logs weekly
  • Keep 4 rotated logs
  • Compress older logs

Remote Logging

Sending Logs to Remote Servers

Rsyslog can forward logs to remote servers for centralized logging.

The configuration for sending logs to a remote syslog server:

*.* @remote-server.example.com:514

This sends all logs to a remote syslog server using the default UDP port 514.

For TCP:

*.* @@remote-server.example.com:514

The double `@` symbol indicates that TCP should be used instead of UDP.

Receiving Logs from Remote Servers

To receive logs from remote servers, configure rsyslog to listen for remote log messages by modifying the configuration:

module(load="imudp")
input(type="imudp" port="514")

This configuration enables the receiving of logs on port 514 via UDP. Use `imtcp` for TCP connections.

Advanced Filtering and Log Routing

Filtering Log Messages

Rsyslog provides powerful filtering capabilities based on facility, priority, and content.

Example of filtering based on message content:

if $msg contains 'error' then /var/log/error.log

This rule logs any message containing the word 'error' into `/var/log/error.log`.

Filtering by severity:

*.=info;*.=notice;*.=warn    /var/log/general.log

This will route messages with `info`, `notice`, or `warn` levels to the `/var/log/general.log` file.

Using Custom Templates

Rsyslog allows creating custom log formats using templates.

Example of a custom template for log formatting:

template(name="CustomTemplate" type="string" string="%timestamp% %hostname% %syslogtag%%msg%\n")
*.* /var/log/custom.log;CustomTemplate

This template defines how each log message will be formatted when written to the file.

Security Concepts

Log File Permissions

It's crucial to restrict access to log files to prevent unauthorized users from reading or tampering with logs.

Set appropriate permissions on log files:

chmod 640 /var/log/syslog

With the file owned by root and group adm (as the logrotate `create 640 root adm` line above sets up), this ensures that only the root user and members of the adm group can read the file and only root can write to it.
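A permission check is only useful if it is repeated, because rotation, package upgrades and ad-hoc `chmod` calls drift. The following Python audit, added here as an illustration and not part of the wiki page, walks a log directory, reports every regular file whose mode grants more than 640 (group write, any world access, setuid/setgid), and can tighten the offending files; it builds its own temporary directory of constructed sample files so it runs offline:

```python
import os
import stat
import tempfile

# Permission bits that a log file under chmod 640 must not carry, with labels.
EXCESS_BITS = [
    (stat.S_IWGRP, "group-writable"),
    (stat.S_IXGRP, "group-executable"),
    (stat.S_IROTH, "world-readable"),
    (stat.S_IWOTH, "world-writable"),
    (stat.S_IXOTH, "world-executable"),
    (stat.S_ISUID, "setuid"),
    (stat.S_ISGID, "setgid"),
]


def audit_log_dir(path, allowed_mode=0o640):
    """Return {filename: [problem labels]} for regular files in `path`
    whose permission bits exceed `allowed_mode`."""
    findings = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)
        if not stat.S_ISREG(st.st_mode):
            continue  # symlinks and subdirectories are out of scope here
        excess = stat.S_IMODE(st.st_mode) & ~allowed_mode
        problems = [label for bit, label in EXCESS_BITS if excess & bit]
        if problems:
            findings[name] = problems
    return findings


def tighten(path, mode=0o640):
    """Apply `mode` to one file and return the mode actually set."""
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def build_sample_dir():
    """Create a temporary directory of constructed log files with
    deliberately mixed modes (assumption: the demo runs on a POSIX system)."""
    d = tempfile.mkdtemp(prefix="rsyslog-perm-demo-")
    for name, mode in [("syslog", 0o640), ("auth.log", 0o644),
                       ("app.log", 0o666), ("daemon.log", 0o660)]:
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("constructed sample line\n")
        os.chmod(p, mode)
    return d


if __name__ == "__main__":
    logdir = build_sample_dir()
    for name, problems in audit_log_dir(logdir).items():
        print("%-12s %s" % (name, ", ".join(problems)))
        tighten(os.path.join(logdir, name))
    print("after tightening:", audit_log_dir(logdir))
```

Run it against `/var/log` (as a user allowed to stat the files) to get the same report for a real host; only `tighten` changes anything, so the audit itself is safe to schedule.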

Protecting Remote Logs

When sending logs to a remote server, it is essential to ensure that the communication is secure.

To encrypt log transmission with TLS, use the `imtcp` module on the receiving server and the `omfwd` module on the sending host. On the receiver, the certificate paths are given as netstream driver defaults, TLS is made mandatory (StreamDriver.Mode="1") and x509/name authentication accepts only senders whose certificate name matches a permitted peer:

global(DefaultNetstreamDriver="gtls" DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.crt" DefaultNetstreamDriverCertFile="/etc/rsyslog.d/certificate.crt" DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/private.key")
module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.AuthMode="x509/name" PermittedPeer=["*.example.com"])
input(type="imtcp" port="514")

On the sender, forward with the same driver settings (the sender needs the same global() certificate paths, issued for its own name):

action(type="omfwd" target="remote-server.example.com" port="514" protocol="tcp" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="remote-server.example.com")

This ensures that logs sent to remote servers are encrypted.

Rate Limiting and Throttling

Rsyslog supports rate-limiting to prevent log flooding and potential DoS (Denial of Service) attacks.

To limit the rate of log messages:

module(load="imuxsock" SysSock.RateLimit.Interval="60" SysSock.RateLimit.Burst="100")
input(type="imudp" port="514" ratelimit.interval="60" ratelimit.burst="100")

This will limit incoming logs to 100 messages per minute per source.
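The interval/burst pair is easy to misjudge: it is not a smooth "100 per minute" but a window in which the first `burst` messages pass and everything else is discarded until the window ends, at which point rsyslog reports how many were lost. The following Python simulation, added here as an illustration and not part of the wiki page or of rsyslog's own code, models that behaviour with a constructed flood of 150 messages in 15 seconds followed by five normal messages a minute later (the notice text is modelled on rsyslog's "messages lost due to rate-limiting" line but is a simplification):

```python
class RateLimiter:
    """Window-based limiter modelled on rsyslog's ratelimit.interval /
    ratelimit.burst semantics. interval=0 disables limiting."""

    def __init__(self, interval, burst):
        self.interval = interval
        self.burst = burst
        self.window_start = None
        self.accepted_in_window = 0
        self.dropped_in_window = 0

    def _close_window(self):
        """Reset counters and return a loss notice if anything was dropped."""
        notice = None
        if self.dropped_in_window:
            notice = "%d messages lost due to rate-limiting" % self.dropped_in_window
        self.accepted_in_window = 0
        self.dropped_in_window = 0
        return notice

    def submit(self, ts):
        """Offer a message arriving at time `ts` (seconds).
        Returns (accepted, notice); notice is set when a window that had
        drops has just ended."""
        if self.interval == 0:
            return True, None
        notice = None
        if self.window_start is None:
            self.window_start = ts
        elif ts - self.window_start >= self.interval:
            notice = self._close_window()
            self.window_start = ts
        if self.accepted_in_window < self.burst:
            self.accepted_in_window += 1
            return True, notice
        self.dropped_in_window += 1
        return False, notice


def simulate(timestamps, interval, burst):
    """Feed timestamps through a limiter; return (accepted, dropped, notices)."""
    limiter = RateLimiter(interval, burst)
    accepted = dropped = 0
    notices = []
    for ts in timestamps:
        ok, notice = limiter.submit(ts)
        if notice:
            notices.append(notice)
        if ok:
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped, notices


# Constructed arrival times: a 150-message burst at 10 msg/s, then 5 quiet messages.
FLOOD = [i * 0.1 for i in range(150)] + [60.0 + i for i in range(5)]

if __name__ == "__main__":
    print("interval=60 burst=100:", simulate(FLOOD, 60, 100))
    print("limiting disabled:   ", simulate(FLOOD, 0, 100))
```

The point for a defender is the trade-off the numbers encode: a burst of 100 stops a runaway process from filling the disk, but the 50 dropped lines are gone, and the only evidence left is the single loss notice, so the notice itself is worth alerting on.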

Troubleshooting

Logs Not Appearing in the Correct File

If log messages are not appearing in the expected log file:

  • Check the rsyslog configuration file (`/etc/rsyslog.conf`) for syntax errors.
  • Ensure there is a corresponding file path defined in the configuration.
  • Verify that `logrotate` is not interfering with log permissions.

Example of checking if the configuration file is valid:

rsyslogd -N1

This command will test the configuration file for syntax errors.

Rsyslog Not Receiving Remote Logs

If rsyslog is not receiving remote logs:

  • Check that the `imudp` or `imtcp` module is loaded.
  • Verify that rsyslog is listening on the correct port:
ss -tuln | grep 514
  • Ensure the firewall is configured to allow incoming traffic on port 514.

High CPU Usage by Rsyslog

High CPU usage may occur if rsyslog is processing too many messages or is stuck in a loop.

Check if rsyslog is consuming excessive CPU:

top -p $(pidof rsyslogd)

Look for patterns such as large volumes of incoming logs or recursive processing loops.
