rsyslog (extends the BSD syslog protocol; RFC 3164 / RFC 5424). In the config file, lines starting with # are comments.
Lines starting with $ carry rsyslog-specific directives, e.g. loading modules (functionality like receiving over TCP or reading a text file). EVERYTHING ELSE is a "rule".
A rule has a "selector" portion and an "action" portion, separated by one or more spaces or tabs, e.g.
*.=crit /var/log/test.log
(*.=crit matches only the CRITICAL priority; *.crit without the = specifies everything at the CRITICAL priority or higher)
The selector specifies the priorities and facilities to be handled by the specified action.
*.=crit;kern.none /var/adm/critical
this will write any critical-priority messages to the file /var/adm/critical, except messages tagged with the kern facility
within a selector the last matching component takes precedence, so later components trump earlier ones (here kern.none overrides *.=crit for kern)
*.warn;mail.=info;lpr.none;uucp.!crit /dev/tty07
FACILITY (CATEGORIES)
auth
authpriv
daemon
cron
ftp
lpr
kern
mail
news
syslog
user
uucp
local0-local7
PRIORITY LEVELS (highest to lowest): emerg alert crit err warn notice info debug
mail.*                            mail facility, any priority
mail.debug                        mail facility, debug or higher priority (same as mail.*)
mail,news.*                       all messages from mail or news
auth.warning                      all security messages of warning or higher priority
*.info                            all messages from any facility except debug msgs
*.=info                           any facility, info msgs only (and not higher)
*.!err                            any facility, pri <= err only
*.!=alert                         any facility, any priority except alert
*.info;mail,news,authpriv.none    all msgs with info or higher priority except mail, news, and authpriv
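To make the precedence rule concrete, here is an added Python model of the traditional selector syntax (this is not rsyslog's code; it follows sysklogd-style mask semantics, where a plain priority or =priority adds to what earlier components selected and none, !priority and !=priority remove from it):

```python
# Added example: a model of traditional syslog/rsyslog selectors, not rsyslog's own code.
# Priorities are indexed most-severe first (emerg=0 .. debug=7), as on the wire.
PRIORITIES = ["emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"]
FACILITIES = ["auth", "authpriv", "daemon", "cron", "ftp", "lpr", "kern", "mail",
              "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]
ALIASES = {"warning": "warn", "error": "err", "panic": "emerg", "security": "auth"}

def _prio(name):
    """Numeric index of a priority name (lower number = more severe)."""
    return PRIORITIES.index(ALIASES.get(name, name))

def compile_selector(selector):
    """Return {facility: set of matched priority indices} for one selector string.

    Components are applied left to right, so a later 'kern.none' or 'uucp.!crit'
    removes entries that an earlier '*.=crit' or '*.warn' added (later trumps earlier).
    """
    mask = {f: set() for f in FACILITIES}
    for component in selector.split(";"):
        facs, _, spec = component.strip().rpartition(".")
        targets = FACILITIES if facs == "*" else [ALIASES.get(f, f) for f in facs.split(",")]
        for fac in targets:
            cur = mask[fac]
            if spec == "none":            # drop everything for this facility
                cur.clear()
            elif spec == "*":             # any priority
                cur.update(range(len(PRIORITIES)))
            elif spec.startswith("!="):   # exclude exactly this priority
                cur.discard(_prio(spec[2:]))
            elif spec.startswith("!"):    # exclude this priority and everything more severe
                cur.difference_update(range(_prio(spec[1:]) + 1))
            elif spec.startswith("="):    # exactly this priority
                cur.add(_prio(spec[1:]))
            else:                         # this priority or higher (more severe)
                cur.update(range(_prio(spec) + 1))
    return mask

def matches(selector, facility, priority):
    """True if a message with this facility.priority would trigger the selector's action."""
    return _prio(priority) in compile_selector(selector)[facility]

if __name__ == "__main__":
    rule = "*.warn;mail.=info;lpr.none;uucp.!crit"   # the /dev/tty07 rule from the notes
    for fac, pri in [("uucp", "crit"), ("uucp", "err"), ("mail", "info"), ("lpr", "warn")]:
        print(f"{fac}.{pri:<6} -> {'logged' if matches(rule, fac, pri) else 'dropped'}")
```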
rsyslog over TCP (note: the rsyslogd service starts at boot by default)
apt-get install rsyslog (unnecessary on Ubuntu)
nano /etc/rsyslog.conf
MODULES
$ModLoad imuxsock # imuxsock - unix sockets, including the system log socket for logger
DIRECTIVES
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640 # note that rsyslog creates log files if they do not exist
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
ACTIONS (RULES)
*.debug /var/log/test.log
tail -f /var/log/test.log
service rsyslog stop
service rsyslog start
logger defaults to user.notice:
logger this is a message
logger specifically setting the facility.priority:
logger -p user.debug this is a critical message for facility local0
nano /etc/rsyslog.conf
$ModLoad imfile   # provides support for reading a text file, by default sending the lines into syslog
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
$KLogPath /proc/kmsg
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on # Filter duplicated messages
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640 # Set the default permissions for all log files (creates if not exists)
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
$IncludeConfig /etc/rsyslog.d/*.conf # includes a series of rules files from a directory
nano /etc/rsyslog.d/test.conf
$InputFileName /var/log/test.log
$InputFileTag test:
$InputFileStateFile test-stat-file1
$InputFileSeverity info
$InputFileFacility local6
$InputFilePollInterval 1
$InputRunFileMonitor
service rsyslog stop
service rsyslog start
echo "hi" > /var/log/test.log
nano /etc/rsyslog.conf
SERVER 10.10.10.25 (required: mkdir /var/log/127.0.0.1 and /var/log/10.10.10.21, one directory per sending host for the %fromhost-ip% template below)
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
$KLogPath /proc/kmsg
$ModLoad imtcp
$InputTCPServerRun 514
$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"
*.* ?FILENAME
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
$IncludeConfig /etc/rsyslog.d/*.conf
nano /etc/rsyslog.conf
CLIENT 10.10.10.21
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
$KLogPath /proc/kmsg
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on # Filter duplicated messages
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
*.* @@10.10.10.25:514
service rsyslog stop
service rsyslog start
logger -p user.info testing123
nano /etc/rsyslog.conf
SERVER 10.10.10.25 (required: mkdir /var/log/127.0.0.1 and /var/log/10.10.10.21, one directory per sending host for the %fromhost-ip% template below)
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
$KLogPath /proc/kmsg
$ModLoad imtcp
$InputTCPServerRun 514
$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"
*.* ?FILENAME
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
$IncludeConfig /etc/rsyslog.d/*.conf
nano /etc/rsyslog.d/test.conf
CLIENT 10.10.10.21
$InputFileName /var/log/test.log
$InputFileTag test:
$InputFileStateFile test-stat-file1
$InputFileSeverity info
$InputFileFacility local6
$InputFilePollInterval 1
$InputRunFileMonitor
local6.* @@10.10.10.25:514
nano /etc/rsyslog.conf
CLIENT 10.10.10.21
$ModLoad imfile   # provides support for reading a text file, by default sending the lines into syslog
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
$KLogPath /proc/kmsg
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on # Filter duplicated messages
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640 # Set the default permissions for all log files (creates if not exists)
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
$IncludeConfig /etc/rsyslog.d/*.conf
service rsyslog stop
service rsyslog start
echo "helloworld" > /var/log/test.log
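The client above tags lines read from /var/log/test.log as local6.info and forwards them over TCP; the server's *.* ?FILENAME rule then matches whatever facility.priority arrives in the message's <PRI> header. This added Python example (not rsyslog's or logger's own code) builds and parses that header as RFC 3164 defines it, PRI = facility code * 8 + severity, so you can see what a local6.info line looks like on port 514; the hostname, tag and message values are constructed samples.

```python
# Added example, not rsyslog's or logger's code: RFC 3164 <PRI> encoding as seen on port 514.
import re
import time

SEVERITIES = ["emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"]
# RFC 3164 facility codes: note they are numbered, not alphabetical; local0-local7 are 16-23
FACILITY_CODE = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
                 "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
                 **{f"local{i}": 16 + i for i in range(8)}}
CODE_TO_FACILITY = {v: k for k, v in FACILITY_CODE.items()}
_PRI_RE = re.compile(rb"^<(\d{1,3})>")

def encode_pri(facility, severity):
    """PRI value carried in the header, e.g. local6.info -> 22*8+6 = 182."""
    return FACILITY_CODE[facility] * 8 + SEVERITIES.index(severity)

def build_frame(facility, severity, hostname, tag, msg, timestamp=None):
    """One RFC 3164 message as logger(1) sends it; the trailing LF is imtcp's default frame delimiter."""
    if timestamp is None:  # RFC 3164 "Mmm dd hh:mm:ss" with a space-padded day
        t = time.localtime()
        timestamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{encode_pri(facility, severity)}>{timestamp} {hostname} {tag}: {msg}\n".encode()

def decode_pri(frame):
    """(facility, severity) that the server's selectors will see for a received frame.

    RFC 3164 says a relay assumes <13> (user.notice) when the header is missing,
    so an untagged line is filed as if it were user.notice.
    """
    m = _PRI_RE.match(frame)
    pri = int(m.group(1)) if m else 13
    if pri > 191:
        raise ValueError(f"invalid PRI {pri}: facility codes stop at 23")
    return CODE_TO_FACILITY.get(pri // 8, f"facility{pri // 8}"), SEVERITIES[pri % 8]

if __name__ == "__main__":
    # constructed sample: what the imfile client would send for one line of /var/log/test.log
    frame = build_frame("local6", "info", "client21", "test", "helloworld")
    print(frame, decode_pri(frame))
```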
if $programname == 'oxygen' then @@remote.logger.com:514
& ~
(forward messages from the program "oxygen" over TCP to remote.logger.com port 514; the following "& ~" applies a second action, discard (~), to the same messages so they are not logged locally)
http://wpollock.com/AUnix2/Logging.htm
Action targets:
/complete/path/of/some/file
/dev/console                     (a link to the system console)
-/complete/path/of/some/file     (don't flush the file after each write; better performance but risks loss of some log info)
username1[,username2 ...]        (write to those users' terminals)
*                                (all logged-in users)
@remotehost                      (e.g. @log.hcc.com; start the remote syslogd with the -r option)
|/path/to/named/pipe             (to send output to a command you must create a named pipe, say /var/lib/cmd.pipe, with the mkfifo command, then start the command with cmd </var/lib/cmd.pipe)
P.S. I comment out the |/dev/xconsole lines at the end of /etc/rsyslog.d/50-default.conf