Rsyslog
Common
Default configuration: /etc/rsyslog.conf
Additional conf files: /etc/rsyslog.d/
By default, the log files written by the .conf rules end up under: /var/log/
See 'man logger' for additional information.
Facility keywords
0      kern
1      user
2      mail
3      daemon
4      auth
5      syslog
6      lpr
7      news
8      uucp
9      cron
10     authpriv
11     ftp
12     ntp
13     security
14     console
15     solaris-cron
16-23  local0 - local7
Severity levels
0  emerg
1  alert
2  crit
3  err
4  warning
5  notice
6  info
7  debug
Logging examples
You can manipulate log-handling by performing actions: https://www.rsyslog.com/doc/configuration/actions.html
# Selector format: facility.severity (e.g. *.* or syslog.warning)
# Output to a file
kern.warning /var/log/kern-asdzxcqwe.txt
local0.error /var/log/wewuzerrors.txt
# Output to UDP server and port
auth.warning @10.0.98.103:514
# Output to TCP server and port
*.info @@10.0.98.103:10514
# Use the logger tool to test your configuration
logger -p local0.error 'Hello World!'
logger -p auth.warning 'Look mom! I failed to login'
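The selector lines above follow the classic facility.severity rule, and the PRI value that travels in front of every syslog message is derived from the same two tables (PRI = facility * 8 + severity). The following Python is an added example, not part of the original notes or of rsyslog itself: it encodes and decodes PRI with the tables listed above and reproduces the selector semantics, i.e. `kern.warning` also fires for kern messages of severity err, crit, alert and emerg, and `*.info` catches everything except debug. The `=`/`!` selector prefixes and `none` are not modelled.

```python
from typing import Tuple

# Facility and severity tables as listed above (rsyslog's numbering).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "security": 13, "console": 14, "solaris-cron": 15,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
# Synonyms that rsyslog and logger(1) also accept ('local0.error' above uses one).
SEVERITY_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITY_BY_NUMBER = {v: k for k, v in FACILITIES.items()}
SEVERITY_BY_NUMBER = {v: k for k, v in SEVERITIES.items()}


def severity_number(name: str) -> int:
    """Numeric severity, resolving the accepted synonyms first."""
    return SEVERITIES[SEVERITY_ALIASES.get(name, name)]


def encode_pri(facility: str, severity: str) -> int:
    """PRI as sent on the wire inside <PRI>: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + severity_number(severity)


def decode_pri(pri: int) -> Tuple[str, str]:
    """Inverse of encode_pri, e.g. 131 -> ('local0', 'err')."""
    if not 0 <= pri <= 191:          # 23 facilities * 8 + 7 is the maximum
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITY_BY_NUMBER[facility], SEVERITY_BY_NUMBER[severity]


def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """Classic selector semantics: 'kern.warning' matches kern messages of
    severity warning and anything more severe (numerically lower);
    '*' on either side matches everything."""
    fac_sel, sev_sel = selector.split(".", 1)
    if fac_sel not in ("*", facility):
        return False
    if sev_sel == "*":
        return True
    return severity_number(severity) <= severity_number(sev_sel)


def matching_selectors(selectors, facility: str, severity: str):
    """Which rules of a config would fire for one message."""
    return [s for s in selectors if selector_matches(s, facility, severity)]


if __name__ == "__main__":
    # Constructed check: 'logger -p auth.crit' against the selectors shown above
    rules = ["syslog.warning", "kern.warning", "local0.error", "auth.warning", "*.info"]
    print(encode_pri("auth", "crit"), matching_selectors(rules, "auth", "crit"))
```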
Server configuration
Activation
# /etc/rsyslog.conf
# Activate the imudp and/or imtcp modules to receive logs from clients
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="10514")
Log clients to the local server
# /etc/rsyslog.d/62-VLAN069-logging.conf
# Dynamically create file based on hostname, year, month and day within /var/log/syslog_clients/
template(name="RemoteHosts2" type="string" string="/var/log/syslog_clients/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log")
# Filter out log-messages containing unwanted content
if $msg contains 'unmarshall_sec_desc' then /dev/null
& stop
# Filter out logs coming from a specific program
if ($programname == 'python') then /dev/null
& stop
# Filter out the local server hostname so only clients remain
if $fromhost == 'rsyslog-server' then {
    stop   # inside a block a plain 'stop' discards the message; '& ...' is only for the line after an if without braces
}
# Trigger the RemoteHosts2 template - only for clients within the specific subnet
if $fromhost-ip startswith '192.168.69' then {
*.* action(type="omfile" dynaFile="RemoteHosts2")
}
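The rules in 62-VLAN069-logging.conf are a small decision tree: drop by content, drop by program, drop the collector's own messages, then write everything from the VLAN069 range to a per-host, per-day file. The Python below is an added example, not part of the original notes or of rsyslog, that expresses the same decisions so they can be checked against sample messages. It also shows the check the dynafile template needs: rsyslog fills `%HOSTNAME%` from the header the client sent, so a misbehaving client can choose that value; rsyslog's property-replacer options `secpath-drop` and `secpath-replace` (for example `%HOSTNAME:::secpath-replace%`) exist for exactly this, and `sanitise_hostname()` mirrors `secpath-replace` and additionally rejects a bare `.`/`..` component. The collector name, the message dicts and `SAMPLE_DATE` are constructed for the example.

```python
import ipaddress
from datetime import datetime
from typing import Optional

LOCAL_SERVER = "rsyslog-server"                         # collector's own hostname (as in the config)
CLIENT_NET = ipaddress.ip_network("192.168.69.0/24")    # same intent as startswith '192.168.69'
BASE = "/var/log/syslog_clients"
SAMPLE_DATE = datetime(2024, 5, 6)                      # constructed, stands in for $YEAR/$MONTH/$DAY


def sanitise_hostname(hostname: str) -> str:
    """Like rsyslog's secpath-replace: every '/' becomes '_', so a value such as
    '../../etc' can no longer change directory level.  A name that is empty or
    consists only of dots would still traverse after that, so it is replaced."""
    safe = hostname.replace("/", "_")
    if safe in ("", ".", ".."):
        safe = "_invalid_host_"
    return safe


def route(msg: dict, now: datetime) -> Optional[str]:
    """Return the file a message is written to, or None if the config drops it.
    msg carries the rsyslog properties the rules look at."""
    if "unmarshall_sec_desc" in msg["msg"]:            # unwanted content
        return None
    if msg["programname"] == "python":                 # unwanted program
        return None
    if msg["fromhost"] == LOCAL_SERVER:                # the collector's own logs
        return None
    if ipaddress.ip_address(msg["fromhost-ip"]) not in CLIENT_NET:
        return None                                    # not a VLAN069 client
    host = sanitise_hostname(msg["HOSTNAME"])
    return f"{BASE}/{host}/{now:%Y}/{now:%m}/{now:%d}/syslog.log"


# Constructed sample message from a client in the subnet
SAMPLE_MSG = {
    "msg": "session opened for user alice",
    "programname": "sshd",
    "fromhost": "client1",
    "fromhost-ip": "192.168.69.12",
    "HOSTNAME": "client1",
}

if __name__ == "__main__":
    print(route(SAMPLE_MSG, SAMPLE_DATE))
    print(route({**SAMPLE_MSG, "HOSTNAME": "../../etc"}, SAMPLE_DATE))
```

Note that `$fromhost-ip` is what the collector observed on the socket, while `$HOSTNAME` (and `$fromhost`, when it is not resolved via DNS) comes from the message; filtering on the former and sanitising the latter before it becomes part of a path is the combination that keeps the tree under `/var/log/syslog_clients/` intact.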
Elasticsearch logging - Omelasticsearch
Installation
# Install the omelasticsearch module
yum install rsyslog-elasticsearch -y
Configuration
# /etc/rsyslog.d/51-omelasticsearch.conf
# Load the omelastic module
module(load="omelasticsearch")
# Create a template and define Elastic properties
template(name="elastic-json" type="list") {
constant(value="{")
constant(value="\"@timestamp\":\"") property(name="timegenerated" dateFormat="rfc3339")
constant(value="\",\"@version\":\"1")
constant(value="\",\"IP\":\"") property(name="fromhost-ip")
constant(value="\",\"host\":\"") property(name="hostname")
constant(value="\",\"message\":\"") property(name="msg" format="json")
constant(value="\"}\n")
}
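The list template above glues JSON punctuation from `constant()` around the property values, one object per message, and the `format="json"` option on `msg` is what keeps that object well-formed. The Python below is an added example, not part of the original notes or of rsyslog: it renders the record the way the template does, once with the escaping `format="json"` applies and once with a bare `%msg%`, and parses the result the way the Elasticsearch side would. The message body is constructed.

```python
import json
from typing import Optional


def render_elastic_json(timegenerated: str, fromhost_ip: str, hostname: str,
                        msg: str, escape: bool = True) -> str:
    """Build the record the elastic-json list template produces.
    escape=True corresponds to property(name="msg" format="json");
    escape=False corresponds to a bare %msg% and is here only to show the failure mode."""
    if escape:
        # json.dumps adds its own outer quotes; the template supplies those itself
        body = json.dumps(msg, ensure_ascii=False)[1:-1]
    else:
        body = msg
    return ('{"@timestamp":"' + timegenerated
            + '","@version":"1'
            + '","IP":"' + fromhost_ip
            + '","host":"' + hostname
            + '","message":"' + body
            + '"}\n')


def parse_record(record: str) -> Optional[dict]:
    """What the index would receive; None if the line is not valid JSON at all."""
    try:
        return json.loads(record)
    except json.JSONDecodeError:
        return None


# Constructed message whose body contains JSON punctuation, as a line written
# by an untrusted process might.  Without escaping it closes the "message"
# string early and supplies its own "host" field, which a JSON parser then
# takes as the last value for that key.
HOSTILE_MSG = 'login ok","host":"forged'

if __name__ == "__main__":
    for escape in (True, False):
        rec = render_elastic_json("2024-05-06T10:15:00+02:00", "10.0.1.7", "web01",
                                  HOSTILE_MSG, escape=escape)
        print(rec.rstrip(), "->", parse_record(rec)["host"])
```

The same reasoning applies to `hostname`, which in the template above is inserted without `format="json"` and, like `msg`, originates from the client; `fromhost-ip` is set by the collector itself. Separately, omelasticsearch talks plain HTTP unless `usehttps="on"` is set, so the `uid`/`pwd` pair configured in the action below crosses the network unencrypted without it.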
# /etc/rsyslog.d/61-VLAN001-logging.conf
# Trigger the elastic-json template - sending the specified logs/properties to the Elastic server index, but only for clients within this specific subnet
if $fromhost-ip startswith '10.0.1' then {
# Activate Omelasticsearch template
*.* action(type="omelasticsearch"
server="10.0.1.2"
serverport="9200"
template="elastic-json"
searchIndex="<ELASTIC-INDEX-TO-SEND-LOGS-TO>"
bulkmode="on"
queue.type="linkedlist"
queue.size="5000"
queue.dequeuebatchsize="300"
errorfile="/var/log/rsyslog2elasticsearch-errors.log"
action.resumeretrycount="-1"
uid="<SYSLOG-USER>"
pwd="<SYSLOG-USER-PASSWORD>"
)
}
Client configuration
Linux
- https://www.rsyslog.com/doc/reference/templates/templates-reserved-names.html#ref-templates-reserved-names
- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/s2-templates
Legacy
Send all logs to an rsyslog server on a given port; a single @ means UDP, @@ means TCP.
# /etc/rsyslog.d/75-local-to-rsyslog-server.conf
*.* @10.77.0.1:514
Custom template with a fixed hostname, sent to the syslog server; the priority number is included as the first field.
# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
# The PRI value has to be enclosed in angle brackets, otherwise the receiver cannot parse the header
$template SendHostname, "<%PRI%>1 %timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"
*.warning @10.77.0.1;SendHostname
Send messages to a syslog server, using a template aligned to IETF protocol 23
# /etc/rsyslog.d/61-qwe.conf
*.* @10.77.0.1;RSYSLOG_SyslogProtocol23Format
Send messages to a syslog server, using a template aligned to IETF protocol 23, but specifying a custom hostname
# /etc/rsyslog.d/60-asd.conf
# Same layout as RSYSLOG_SyslogProtocol23Format, with the hostname field replaced by a fixed value
$template custom_IETFprotocol_23,"<%PRI%>1 %TIMESTAMP:::date-rfc3339% prive.host.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
*.* @10.77.0.1;custom_IETFprotocol_23
Log to the local server with a static hostname, using a custom structure
# /etc/rsyslog.d/62-asd.conf
$template NewHostname, "%timestamp% tester.mydomain.nl %syslogtag% %msg%\n"
*.* /var/log/wewuzerrors.txt;NewHostname
An alternative to the contents above, specifying different/more fields
# /etc/rsyslog.d/65-customtemplate.conf
# https://stackoverflow.com/questions/57890176/extending-rsyslogs-default-logging-template
$template mynewtemplate,"%timegenerated% %HOSTNAME% %syslogfacility-text%.%syslogseverity-text% %syslogtag% %msg%\n"
*.* /var/log/wazanda.txt;mynewtemplate
Rainerscript
Rainerscript: https://rsyslog.readthedocs.io/en/latest/rainerscript/control_structures.html
Write all local messages to a specific file
# /etc/rsyslog.d/60-asd.conf
action(type="omfile" file="/var/log/isaidhey.txt")
Send message to a syslog server using IETF protocol 23
# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
template(name="RSYSLOG_SyslogProtocol23Format" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")
# Send all logs to the target server
action(type="omfwd" Target="192.168.5.21" Template="RSYSLOG_SyslogProtocol23Format" Port="514" Protocol="udp")
Define a template aligned to IETF protocol 23 but specify a hostname to send as:
# /etc/rsyslog.d/71-local-to-rsyslog-server.conf
template(name="SendHostname" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% myhost.mydomain.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")
# Send all logs to target syslog server and port
action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Port="514" Protocol="udp")
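Both templates above emit the RFC 5424 layout (`<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG`), the second with the hostname pinned to `myhost.mydomain.nl`. The parser below is an added example, not part of the original notes or of rsyslog: on the receiving side it lets you confirm what a client really sends, for instance that the fixed hostname overrides the origin and that the PRI is within range. Both sample lines are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Header up to and including the space after MSGID; STRUCTURED-DATA and MSG follow.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
)


def split_structured_data(rest: str) -> Tuple[str, str]:
    """Separate STRUCTURED-DATA ('-' or one or more [id k="v" ...] elements) from MSG.
    Raises ValueError when the field is missing or an element is unterminated."""
    if not rest:
        raise ValueError("missing STRUCTURED-DATA field")
    if rest.startswith("-"):
        return "-", rest[1:].lstrip(" ")
    i = 0
    while i < len(rest) and rest[i] == "[":
        j = i + 1
        while j < len(rest) and rest[j] != "]":
            j += 2 if rest[j] == "\\" else 1      # '\]' inside a param value does not close the element
        if j >= len(rest):
            raise ValueError("unterminated SD-ELEMENT")
        i = j + 1
    if i == 0:
        raise ValueError("STRUCTURED-DATA must be '-' or start with '['")
    return rest[:i], rest[i:].lstrip(" ")


def parse_rfc5424(line: str) -> Optional[Dict[str, object]]:
    """Parse one line in the format the templates above produce; None if it does not fit."""
    line = line.rstrip("\n")
    m = HEADER.match(line)
    if not m or m.group("version") != "1":
        return None
    pri = int(m.group("pri"))
    if pri > 191:                                # 23 * 8 + 7 is the highest valid PRI
        return None
    facility, severity = divmod(pri, 8)
    try:
        sd, msg = split_structured_data(line[m.end():])
    except ValueError:
        return None
    return {"facility": facility, "severity": severity, **m.groupdict(),
            "structured_data": sd, "msg": msg}


# Constructed: what the SendHostname template above would emit for a local0.err message
SAMPLE_LINE = ("<131>1 2024-05-06T10:15:00.123+02:00 myhost.mydomain.nl sshd 1234 - - "
               "Accepted publickey for alice from 192.0.2.10 port 51234 ssh2\n")
# Constructed: a line carrying a structured-data element
SAMPLE_SD_LINE = ('<34>1 2024-05-06T10:15:00Z web01 app 77 ID47 '
                  '[exampleSDID@32473 iut="3" eventSource="Application"] hello')

if __name__ == "__main__":
    print(parse_rfc5424(SAMPLE_LINE))
    print(parse_rfc5424(SAMPLE_SD_LINE))
```

rsyslog's `%msg%` property usually keeps the leading space of the original message, which is why the split strips spaces before MSG rather than assuming exactly one.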
Testing
# Use the logger tool to test syslog server reception
logger -p local0.error 'Hello World!'
Cumulus Linux
# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Define a template and specify a hostname to send as:
template(name="SendHostname" type="string"
         string="%timestamp% myhost.mydomain.nl %syslogtag% %msg%\n")
# Send all logs of severity warning to the target syslog server and port, via interface vlan33
*.warning action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Device="vlan33" Port="514" Protocol="udp")
Cisco
IOS
service timestamps log datetime
service sequence-numbers
logging trap 6
logging facility local7
login on-success log
login on-failure log
logging 10.25.60.11
logging on
archive
 log config
  logging enable
  logging size 250
  notify syslog contenttype plaintext
  hidekeys
# Specify the source interface if necessary:
logging source-interface gigabitEthernet 0
# Log to the syslog server via a VRF
logging host 172.16.5.2 vrf Mgmt-intf
# Log via a specific interface in that VRF
logging source-interface GigabitEthernet0 vrf Mgmt-intf
NX-OS
service timestamps log datetime
logging level local7 6
login on-failure log
login on-success log
logging origin-id hostname
logging level authpriv 5
logging server 10.22.0.2 6 use-vrf management facility local7
logging level aaa 6
Fortinet
# Test logging capability
diag log test