Rsyslog



Common

Default configuration: /etc/rsyslog.conf
Additional conf files: /etc/rsyslog.d/
By default, the rules in the .conf file write their log files under /var/log/.

See 'man logger' for additional information.

Facility keywords

0		kern
1		user
2		mail
3		daemon
4		auth
5		syslog
6		lpr
7		news
8		uucp
9		cron
10		authpriv
11		ftp
12		ntp
13		security
14		console
15		solaris-cron
16-23		local0 - local7

Severity levels

0		emerg
1		alert
2		crit
3		err
4		warning
5		notice
6		info
7		debug

Logging examples

# facility.severity
# A selector is "facility.severity" using the names from the two tables above;
# the severity is a floor, so "syslog.warning" matches syslog-facility messages
# at warning or more urgent, and "*.*" matches every message.
*.*
syslog.warning

# Output to a file
kern.warning /var/log/kern-asdzxcqwe.txt
local0.error /var/log/wewuzerrors.txt

# Output to UDP server and port
# A single "@" forwards over plain UDP: no delivery guarantee, no sender
# authentication and no encryption of the forwarded messages.
auth.warning @10.0.98.103:514

# Output to TCP server and port
# "@@" forwards over plain TCP: reliable delivery, but still unencrypted.
# "*.info" sends every facility (authpriv included) to the remote host, so the
# path to 10.0.98.103 should be a trusted network or wrapped in TLS
# (see the omfwd documentation for its TLS stream-driver parameters).
*.info @@10.0.98.103:10514

# Use the logger tool to test your configuration
# -p sets the facility.severity of the test message; if the text turns up in
# the expected file (or on the remote collector) the selector chain above works.
logger -p local0.error 'Hello World!'
logger -p auth.warning 'Look mom! I failed to login'

Configuration

Activation

# /etc/rsyslog.conf
# Activate the imudp or imtcp module to receive logs from clients
# Both inputs open a network listener. Plain UDP/TCP syslog carries no sender
# authentication, so anything that can reach these ports can inject log lines
# under any hostname; restrict reachability to the client networks with the
# host firewall / ACLs.
# NOTE(review): both inputs also accept an address= parameter to bind a
# specific interface instead of all of them -- confirm against the linked docs.

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="10514")

Write the clients' logs to files on the local server

# /etc/rsyslog.d/62-VLAN069-logging.conf
# Dynamically create file based on hostname, year, month and day within /var/log/syslog_clients/
# %HOSTNAME% is taken from the header of the received message, i.e. it is
# client-supplied and must not be trusted when it is spliced into a path:
# a hostname containing "/" or ".." would place the file somewhere other than
# the intended per-host directory.
# NOTE(review): the property replacer has a secpath-replace option
# (e.g. %HOSTNAME:::secpath-replace%) intended for exactly this case --
# confirm against the property-replacer docs before relying on it.
template(name="RemoteHosts2" type="string" string="/var/log/syslog_clients/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log")

# Remove logs containing unwanted content
# "&~" discards the message after the preceding action ran; it is the legacy
# spelling of the "stop" used in the next rule.
if $msg contains 'unmarshall_sec_desc' then /dev/null
&~

# Filter out the local server hostname so only clients remain
# $fromhost is the name of the peer the message was received from; after "stop"
# no later rule in the configuration sees these messages.
if $fromhost == 'rsyslog-server' then {
stop
}

# Trigger the RemoteHosts2 template - only for clients within the specific subnet
# startswith is a plain string-prefix test. '192.168.69' happens to match only
# 192.168.69.0/24 for valid IPv4 addresses, but a trailing dot ('192.168.69.')
# makes that intent explicit and is the safer habit for shorter prefixes.
if $fromhost-ip startswith '192.168.69' then {
*.* action(type="omfile" dynaFile="RemoteHosts2")
}

Elasticsearch logging - Omelasticsearch

Installation

# Install the omelasticsearch module
# -y answers the confirmation prompt; the package ships the output module
# loaded by the configuration below.
yum install rsyslog-elasticsearch -y

Configuration

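# /etc/rsyslog.d/51-omelasticsearch.conf
# Load the omelastic module
module(load="omelasticsearch")

# Create a template and define Elastic properties
# Every property value is spliced into a hand-built JSON document, so each
# value that can contain quotes, backslashes or control characters must be
# JSON-escaped with format="json". The message body already was; the hostname
# comes from the client's message header and was not, so a single '"' in it
# would break the document and the bulk request carrying it.
template(name="elastic-json" type="list") {
    constant(value="{")
      constant(value="\"@timestamp\":\"")      property(name="timegenerated" dateFormat="rfc3339")
      constant(value="\",\"@version\":\"1")
      constant(value="\",\"IP\":\"")           property(name="fromhost-ip")
      constant(value="\",\"host\":\"")         property(name="hostname" format="json")
      constant(value="\",\"message\":\"")      property(name="msg" format="json")
    constant(value="\"}\n")
}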
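#/etc/rsyslog.d/61-VLAN001-logging.conf
# Trigger the elastic-json template - sending the specified logs/properties to the Elastic server index, but only for clients within this specific subnet
# startswith is a plain string-prefix test: '10.0.1' also matched
# 10.0.10.0/24 .. 10.0.19.0/24 and 10.0.100.0/24 .. 10.0.199.0/24.
# The trailing dot limits the match to 10.0.1.0/24.
if $fromhost-ip startswith '10.0.1.' then {
# Activate Omelasticsearch template
# uid/pwd are stored in clear text and, with no usehttps setting, are also sent
# to port 9200 over plain HTTP. Keep this file readable by root and the rsyslog
# user only (e.g. mode 0640).
# NOTE(review): omelasticsearch supports usehttps="on" plus tls.* parameters;
# confirm the Elastic side serves TLS before enabling it.
# Queue/retry parameters: an in-memory linkedlist queue of 5000 messages,
# dequeued in batches of 300; rejected documents go to errorfile, and
# resumeretrycount="-1" retries a suspended action indefinitely.
*.* action(type="omelasticsearch"
    server="10.0.1.2"
    serverport="9200"
    template="elastic-json"
    searchIndex="<ELASTIC-INDEX-TO-SEND-LOGS-TO>"
    bulkmode="on"
    queue.type="linkedlist"
    queue.size="5000"
    queue.dequeuebatchsize="300"
    errorfile="/var/log/rsyslog2elasticsearch-errors.log"
    action.resumeretrycount="-1"
    uid="<SYSLOG-USER>"
    pwd="<SYSLOG-USER-PASSWORD>"
)
}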

Syslog client configuration

Linux

Linux#Syslog

Cumulus Linux

https://docs.nvidia.com/networking-ethernet-software/cumulus-linux-37/Layer-3/Virtual-Routing-and-Forwarding-VRF/#services-in-vrfs

# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Define a template and specify a hostname to send as:
# The hostname field is hard-coded ("myhost.mydomain.nl"). Change it per
# device; every switch that pastes this snippet unchanged reports under the
# same name, and a collector that files messages per host merges them.
template(name="SendHostname" type="string"
string="%timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"
)

# Send all logs of severity warning, to target syslog server and port, via interface vlan33
# "*.warning" is every facility at warning or more urgent. Protocol="udp" is
# fire-and-forget, unauthenticated and unencrypted; Device="vlan33" pins the
# sending interface, which is what the VRF note linked above is about.
*.warning action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Device="vlan33" Port="514" Protocol="udp")

Cumulus#Syslog

Cisco

IOS

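# Timestamp and sequence-number every log line so entries can be correlated
# with the collector's own timestamps and gaps are visible.
service timestamps log datetime
service sequence-numbers
# Send severity 6 (informational) and more urgent to the syslog hosts.
logging trap 6
logging facility local7
# Record both successful and failed logins; the original "on-succes" is not
# a valid keyword and would be rejected.
login on-success log
login on-failure log
# Plain UDP syslog: unauthenticated and unencrypted in transit.
logging 10.25.60.11
logging on

# Log configuration changes to syslog; hidekeys masks passwords and keys in
# the logged commands.
archive
 log config
  logging enable
  logging size 250
  notify syslog contenttype plaintext
  hidekeys
# Specify interface if necessary:
logging source-interface gigabitEthernet 0
# Log to syslog-server via a vrf interface
logging host 172.16.5.2 vrf Mgmt-intf

# Log via specific vrf interface
logging source-interface GigabitEthernet0 vrf Mgmt-intf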


Cisco#Syslog

NX-OS

# NOTE(review): "service timestamps" is IOS syntax; NX-OS timestamps log
# lines via "logging timestamp" -- confirm on the target release.
service timestamps log datetime
# local7 messages at severity 6 (informational) and more urgent
logging level local7 6
# Record failed and successful logins.
login on-failure log
login on-success log
# Prefix each message with this device's hostname so the collector can
# attribute it independently of the source address.
logging origin-id hostname
logging level authpriv 5
# Remote collector reached through the management VRF, severity 6 and above,
# tagged local7. Plain syslog, so the management network must be trusted
# for confidentiality and integrity of the log stream.
logging server 10.22.0.2 6 use-vrf management facility local7
logging level aaa 6

Cisco:NX-OS#Syslog

Fortinet

# Test logging capability
# Generates sample log messages so delivery to the configured syslog server
# can be verified end to end (check the collector for the test entries).
diag log test

Fortinet#Syslog