RSYSLOG - Configuration
Configuration Files
Rsyslog is configured through `/etc/rsyslog.conf` and the `/etc/rsyslog.d/` directory, where additional configuration files can be placed. The main file `/etc/rsyslog.conf` holds the global settings and the default rules; the files in `/etc/rsyslog.d/` allow modular configuration and are only read because the main file pulls them in with `$IncludeConfig /etc/rsyslog.d/*.conf` (or, in RainerScript, `include(file="/etc/rsyslog.d/*.conf")`), a line that distribution packages ship by default. Rsyslog treats the main file plus every included file as one configuration processed top to bottom, so rule order across files matters.
Main Configuration File
The main configuration file contains global settings, input modules, and output modules. Here’s an example of a basic configuration file:
# /etc/rsyslog.conf
# Load the necessary modules
module(load="imuxsock")   # Unix socket for local syslog messages
module(load="imklog")     # Kernel logging module

# Global settings
global(workDirectory="/var/spool/rsyslog")

# Define template for log file formatting
template(name="LogFormat" type="string" string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%\n")

# Default logging rules for local logs
*.* /var/log/syslog;LogFormat

# Remote logging configuration
*.* @remote.syslog.server:514
Modular Configuration
For better organization and flexibility, you can add custom configurations in the `/etc/rsyslog.d/` directory. Each file holds the rules for one log source or destination. The files are included in lexical order (hence the common `10-`, `50-` name prefixes), and a rule that discards messages with `stop` in one file also keeps later files from seeing them.
Example of a custom file for remote logging (`/etc/rsyslog.d/remote.conf`):
# /etc/rsyslog.d/remote.conf
# Send all logs to a remote syslog server
*.* @logserver.example.com:514
Input Modules
Input modules are responsible for receiving log messages from various sources. Rsyslog includes several input modules for different use cases, such as local logging, remote logging, and logging from specific applications.
Local Syslog Messages
The `imuxsock` module is used for receiving local syslog messages through Unix domain sockets.
module(load="imuxsock") # Load the module for local syslog messages
Kernel Log Messages
The `imklog` module is used for reading kernel log messages (i.e., messages generated by the Linux kernel).
module(load="imklog") # Load the kernel log module
Remote Log Reception
Rsyslog can receive log messages from remote systems over UDP, TCP, or RELP. UDP and TCP reception use the `imudp` and `imtcp` input modules; RELP needs the separate `imrelp` module. Enabling a listener exposes an unauthenticated network service: any host that can reach the port can inject messages carrying whatever hostname, tag and facility it likes, so bind the listener to a specific interface (the `address` parameter of the input) and restrict the port with the host firewall. Port 514 is privileged, so the daemon must start as root or hold `CAP_NET_BIND_SERVICE` to bind it.
Example of receiving logs over UDP:
module(load="imudp")                 # Load UDP input module
input(type="imudp" port="514")       # Listen on UDP port 514
Example of receiving logs over TCP:
module(load="imtcp")                 # Load TCP input module
input(type="imtcp" port="514")       # Listen on TCP port 514
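To see what such a listener actually receives, the following added example (not code from the rsyslog project) builds a BSD-format syslog datagram, delivers it to a UDP socket on loopback and returns exactly what arrived, as an `imudp` input would see it. The listening port is chosen by the operating system so the script runs unprivileged; the hostname, tag and message text are constructed sample data.

```python
# Added example, not code from the rsyslog project: build a BSD (RFC 3164) syslog
# datagram, send it to a UDP socket on loopback and return exactly what the
# listener received, as an imudp input on port 514 would. The port is chosen
# by the OS so the script runs unprivileged; the hostname, tag and message are
# constructed sample data.
import socket


def build_syslog_line(facility, severity, hostname, tag, msg,
                      timestamp="Jan  1 00:00:00"):
    """Return the bytes of a BSD syslog message.

    PRI = facility * 8 + severity, e.g. auth (4) at warning (4) gives <36>.
    rsyslog derives $syslogfacility and $syslogseverity from this field alone.
    """
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {hostname} {tag}: {msg}".encode()


def parse_pri(line):
    """Decode the leading <PRI> field back into (facility, severity)."""
    if not line.startswith(b"<") or b">" not in line[:5]:
        raise ValueError("missing or malformed PRI")
    pri = int(line[1:line.index(b">")])
    return pri // 8, pri % 8


def round_trip(line):
    """Deliver `line` over UDP to a loopback listener and return (data, peer).

    Nothing in the datagram is authenticated: the listener learns only the
    sender's IP and port, and with UDP even those are trivially spoofable, so
    the hostname and tag inside the message are whatever the sender chose.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        srv.bind(("127.0.0.1", 0))      # stand-in for input(type="imudp" port="514")
        srv.settimeout(2)
        cli.sendto(line, srv.getsockname())
        data, peer = srv.recvfrom(65535)
    finally:
        cli.close()
        srv.close()
    return data, peer


if __name__ == "__main__":
    # Constructed sample: a message claiming to be sshd on a host named "bastion"
    line = build_syslog_line(4, 4, "bastion", "sshd[4242]",
                             "Failed password for root from 203.0.113.9")
    data, peer = round_trip(line)
    print(data.decode(), "from", peer)
    print("facility, severity =", parse_pri(data))
```

The point of the round trip is that the receiver gets the bytes and a peer address and nothing else; every field that later ends up in `%HOSTNAME%` or `%syslogtag%` was written by the sender. That is why the TLS section below matters for anything forwarded across an untrusted network, and why logs from an open UDP listener should be treated as claims rather than facts.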
File Input
The `imfile` module can be used to read logs from specific files. It keeps a state file per input in the configured `workDirectory` so that it can resume at the right offset after a restart, which is why the main configuration sets that directory.
module(load="imfile")     # Load the imfile module to read log files
input(type="imfile" File="/var/log/myapp.log" Tag="myapp" Severity="info")
Output Modules
Output modules are used to direct log messages to different destinations, such as files, remote servers, or databases.
Local File Logging
Logs can be directed to local files using output rules in the configuration file. For example, to store all logs in `/var/log/syslog`, you can use the following configuration:
*.* /var/log/syslog
You can also use templates to format log messages before writing them to files. For example, using the previously defined `LogFormat` template:
*.* /var/log/syslog;LogFormat
Remote Syslog Logging
To send logs to a remote syslog server, use a forwarding rule with either UDP or TCP as the transport. Both send the messages in clear text; UDP additionally gives no delivery guarantee (messages are silently lost under load or while the server is down), whereas TCP detects a dead connection and can queue messages until it is back. Encryption needs the TLS setup described further below.
Example for UDP:
*.* @remote.syslog.server:514 # Send logs to a remote server using UDP
Example for TCP:
*.* @@remote.syslog.server:514 # Send logs to a remote server using TCP
The `@` symbol indicates UDP, while `@@` indicates TCP. Both are shorthand for an `omfwd` action, which is the form to use when further parameters, such as the TLS settings, are needed.
Database Logging
Rsyslog supports logging directly to databases: MySQL/MariaDB through `ommysql`, PostgreSQL through `ompgsql`, and other engines such as SQLite through `omlibdbi`. Example for logging to a MySQL database:
module(load="ommysql")    # Load MySQL output module
action(type="ommysql" server="localhost" db="Syslog" uid="rsyslog" pwd="password")
The parameters are `db`, `uid` and `pwd`. Without a `template` parameter the module inserts into the `SystemEvents` table created by the `createDB.sql` script shipped with rsyslog. Because the password sits in clear text in the configuration, keep that file readable by root only and give the account INSERT privilege on the log database and nothing else, so that a compromised log host cannot read or alter existing records through this credential.
JSON Logging
Rsyslog can format and output logs as JSON. This is useful for integration with other systems or for structured logging. Here’s an example of how to format logs as JSON and write them to a file:
template(name="jsonTemplate" type="list") {
    constant(value="{")
    constant(value="\"timestamp\":\"") property(name="timegenerated" dateFormat="rfc3339")
    constant(value="\",\"hostname\":\"") property(name="hostname" format="json")
    constant(value="\",\"message\":\"") property(name="msg" format="json")
    constant(value="\"}\n")
}
The `format="json"` option escapes quotes, backslashes and control characters in the property value, and the trailing `\n` keeps one record per line. Without the escaping, a message containing a `"` produces an unparseable line, and a message crafted as `x","role":"admin` adds a field of the attacker's choosing to the record; `$msg` is attacker-influenced whenever it echoes user input such as a login name.
*.* /var/log/syslog.json;jsonTemplate
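The following added example (not rsyslog code) models the two ways the template can emit `$msg` and shows what a downstream JSON consumer makes of each. `render_naive()` copies the raw message between the quotes, as `property(name="msg")` without a format does; `render_escaped()` applies JSON string escaping, as `property(name="msg" format="json")` does, with `json.dumps` used here as the reference escaper. The message texts are constructed sample data.

```python
# Added example, not rsyslog code: a model of the two ways the JSON template
# can emit $msg. render_naive() mirrors property(name="msg") with no format,
# render_escaped() mirrors property(name="msg" format="json"); json.dumps is
# used as the reference escaper. All messages are constructed sample data.
import json


def _field(value, escape):
    # json.dumps() returns the quoted string; strip the quotes to keep the escaped body
    return json.dumps(value, ensure_ascii=False)[1:-1] if escape else value


def _render(timestamp, hostname, msg, escape):
    return ('{"timestamp":"%s","hostname":"%s","message":"%s"}'
            % (_field(timestamp, escape), _field(hostname, escape), _field(msg, escape)))


def render_naive(timestamp, hostname, msg):
    """Model of the template with property(name="msg") and no format option."""
    return _render(timestamp, hostname, msg, escape=False)


def render_escaped(timestamp, hostname, msg):
    """Model of the template with property(name="msg" format="json")."""
    return _render(timestamp, hostname, msg, escape=True)


def consume(line):
    """What a downstream parser sees: the record as a dict, or None if unparseable."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    return rec if isinstance(rec, dict) else None


def injected_keys(line):
    """Keys present in the record beyond the three the template defines."""
    rec = consume(line)
    return set() if rec is None else set(rec) - {"timestamp", "hostname", "message"}


if __name__ == "__main__":
    # Constructed: a login name echoed into $msg by sshd, chosen by the attacker
    evil = 'Invalid user bob","role":"admin'
    for render in (render_naive, render_escaped):
        line = render("2024-01-01T00:00:00Z", "bastion", evil)
        print(render.__name__, "->", line)
        print("   parsed:", consume(line), "injected keys:", injected_keys(line))
    # A plain quote in the message breaks the naive rendering outright
    print("naive with a quote parses as:", consume(render_naive("t", "h", 'said "hi"')))
```

With the naive rendering the crafted message yields a syntactically valid record that carries an extra `role` key, which is the shape of log-injection attacks against SIEM pipelines; with escaping, the whole string lands in `message` and the record has exactly the three keys the template defines.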
Filtering and Log Level Control
Rsyslog provides extensive filtering capabilities, allowing you to control the flow of log messages based on various criteria, such as severity, facility, or even specific content within the message.
Severity Filtering
You can filter log messages based on their severity level. The standard syslog severity levels are: `emerg`, `alert`, `crit`, `err`, `warning`, `notice`, `info`, and `debug`.
Example to log only `err` and higher severity messages to `/var/log/errors.log`:
*.err /var/log/errors.log
Facility Filtering
Syslog messages are also categorized by their facility, such as `auth`, `daemon`, `cron`, `kern`, and more. You can filter based on the facility as well.
Example to log only `auth` facility messages:
auth.* /var/log/auth.log
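The following added example (not rsyslog code) models how rsyslog decides whether a `facility.severity` selector matches a message, covering both the severity and the facility filtering described above. It follows the syslog.conf rules rsyslog inherited from sysklogd: the parts of a selector separated by `;` are applied left to right to a per-facility set of accepted severities; `level` adds that level and everything more severe, `=level` adds only that level, a leading `!` removes instead of adds, and `none` empties the set. The log lines and the rule table are constructed sample data.

```python
# Added example, not rsyslog code: a model of rsyslog's facility.severity
# selector evaluation, following the syslog.conf rules inherited from sysklogd.
# The rule table and the sample log lines are constructed.
import re

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7,
              "panic": 0, "error": 3, "warn": 4}      # last three: legacy spellings


def parse_pri(line):
    """Return (facility, severity) from the <PRI> prefix of a syslog line."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m:
        raise ValueError(f"no PRI in {line!r}")
    pri = int(m.group(1))
    return pri // 8, pri % 8


def selector_mask(selector):
    """Map every facility number to the set of severities the selector accepts."""
    mask = {f: set() for f in range(24)}
    for part in selector.split(";"):
        fac_list, spec = part.strip().split(".", 1)
        ignore = spec.startswith("!")          # "!" forms remove instead of add
        spec = spec[1:] if ignore else spec
        single = spec.startswith("=")          # "=" forms name exactly one level
        spec = spec[1:] if single else spec
        facs = range(24) if fac_list == "*" else [FACILITIES[n] for n in fac_list.split(",")]
        for f in facs:
            if spec == "none":                 # reset; "!none" means everything
                mask[f] = set(range(8)) if ignore else set()
            elif spec == "*":
                mask[f] = set() if ignore else set(range(8))
            else:
                level = SEVERITIES[spec]
                levels = {level} if single else set(range(level + 1))  # level and more severe
                mask[f] = mask[f] - levels if ignore else mask[f] | levels
    return mask


def selector_matches(selector, line):
    facility, severity = parse_pri(line)
    return severity in selector_mask(selector)[facility]


def route(rules, line):
    """Return the targets of every (selector, target) rule that accepts the line."""
    return [target for selector, target in rules if selector_matches(selector, line)]


# Constructed rules mirroring the examples above, plus a typical catch-all and an
# exclusion rule to show the "!" form
RULES = [
    ("*.err", "/var/log/errors.log"),
    ("auth,authpriv.*", "/var/log/auth.log"),
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("kern.*;kern.!crit", "/var/log/kern-noncritical.log"),
]

if __name__ == "__main__":
    # Constructed sample lines: authpriv.info, auth.err, kern.alert, cron.info
    for line in ("<86>Jan  1 00:00:00 h sshd[1]: Accepted publickey for alice",
                 "<35>Jan  1 00:00:00 h sshd[1]: error: PAM: authentication failure",
                 "<1>Jan  1 00:00:00 h kernel: oops",
                 "<78>Jan  1 00:00:00 h CRON[2]: job ran"):
        print(parse_pri(line), "->", route(RULES, line))
```

Two consequences worth checking against your own configuration: a message can match several rules and is written to every target (the `auth.err` line lands in three files), and `none` exclusions only take effect for parts to their right, so `authpriv.none;*.info` would still write `authpriv` messages to `/var/log/messages`.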
Message Content Filtering
Rsyslog can also filter on message content. For example, to log only messages whose text contains the string "error" (`contains` is case-sensitive; `contains_i` ignores case):
if $msg contains 'error' then /var/log/error_messages.log
For regular-expression matching, RainerScript provides the `re_match()` function (POSIX extended regular expressions), and the property-based filter syntax offers `:msg, ereregex, "..."`; there is no `=~` operator:
if re_match($msg, "critical") then /var/log/critical.log
Content filters run on every message and evaluate attacker-influenced text, so keep expressions simple and anchored where possible; a `contains` test is far cheaper than `re_match`.
Advanced Topics
Rate Limiting
To prevent log flooding, rsyslog can rate-limit messages at the input. There is no separate rate-limiting module and `omfile` has no `rate` or `burst` parameters; the limits are parameters of the input modules. For local messages they live on `imuxsock`, which counts per sending process ID:
module(load="imuxsock"
       SysSock.RateLimit.Interval="5"    # length of the counting window in seconds; 0 disables limiting
       SysSock.RateLimit.Burst="200")    # messages accepted from one process per window
Messages beyond the burst within one interval are dropped, and a single notice is logged when the window ends stating how many were lost. `imudp`, `imtcp` and `imjournal` accept the equivalent `RateLimit.Interval` and `RateLimit.Burst` parameters. Rate limiting bounds disk and CPU use but is also a blind spot: a process that floods the socket during an attack suppresses its own later messages, so the "messages lost due to rate-limiting" notice is itself worth alerting on.
TLS Encryption for Remote Logging
For secure remote logging over TCP, TLS is provided by the `gtls` network stream driver (GnuTLS-based; `ossl` is the OpenSSL equivalent). A stream driver is selected through global and action parameters, not loaded with `module(load=...)`. Here is an example of sending to a remote server over TLS with the server certificate verified against a CA; the certificate paths are placeholders:
# Select the TLS driver and the client's trust anchor and certificate
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/client-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/client-key.pem"
)

# Forward everything over TLS; 6514 is the registered port for syslog over TLS
*.* action(type="omfwd"
           target="remote.syslog.server" port="6514" protocol="tcp"
           StreamDriver="gtls"
           StreamDriverMode="1"                  # 1 = TLS required, 0 = plain TCP
           StreamDriverAuthMode="x509/name"      # verify the server certificate and its name
           StreamDriverPermittedPeers="remote.syslog.server")
`StreamDriverAuthMode="anon"` encrypts the connection but verifies nothing, so an attacker who can redirect traffic can impersonate the log server; use `x509/name` (or `x509/fingerprint`) and list the server's certificate name in `StreamDriverPermittedPeers`. On the receiving side the matching settings are `StreamDriver.Name`, `StreamDriver.Mode`, `StreamDriver.AuthMode` and `PermittedPeer` on `module(load="imtcp" ...)`, so that the server authenticates its clients as well.
Log Rotation and Archiving
Rsyslog does not rotate its own output files; rotation and archiving are handled by external tools such as `logrotate`, which after renaming a file must make rsyslog reopen it (a `postrotate` script that sends `SIGHUP`, or the `copytruncate` option). The only size control inside rsyslog is the legacy output-channel mechanism, `$outchannel name,/path/to/file,max-bytes,command`, referenced from a rule as `:omfile:$name`, which runs the command once the file reaches the limit. The `$MaxMessageSize` directive is unrelated to rotation: it caps the length of a single message (default 8k) and longer messages are truncated, so raise it before shipping verbose JSON or application logs that would otherwise be cut mid-record. It must appear near the top of the configuration, before any input module is loaded:
$MaxMessageSize 64k    # Maximum length of a single log message (RainerScript: global(maxMessageSize="64k"))
