Useful references for rsyslog:
http://www.rsyslog.com/doc/omfile.html
http://www.howtoforge.com/building-a-central-loghost-on-centos-and-rhel-5-with-rsyslog
Create logserver.maths.cam.ac.uk CNAME pointing at turnip.maths
On turnip.maths as root:
# Stop sysklogd:
service syslog stop
# Install rsyslog:
yum install rsyslog
# Configure rsyslog to run at boot (and remove sysklogd):
chkconfig syslog off
chkconfig rsyslog on
yum erase sysklogd
edit /etc/rsyslog.conf on turnip:
# Provides kernel logging support (previously done by rklogd)
$ModLoad imklog
# Provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock
# load UDP powers, to receive messages via the UDP protocol
$ModLoad imudp
# make rsyslog listen on all ip addresses, you could specify an address
$UDPServerAddress 0.0.0.0
# make rsyslog listen on UDP port 514
$UDPServerRun 514
# make rsyslog listen on TCP port 10514 - sysklogd (the SL standard) only sends via UDP;
# to use TCP the clients need to install rsyslog
$ModLoad imtcp
$InputTCPServerRun 10514
# repeated lines will be reduced
$RepeatedMsgReduction on
# set default file permissions
$umask 0000
$FileCreateMode 0640
$FileGroup logread
$DirCreateMode 0750
$DirGroup logread
# For traditional log file format use:
# /var/log/messages;RSYSLOG_TraditionalFileFormat
# *.* -?DailyPerHostLogs;RSYSLOG_TraditionalFileFormat
if \
$fromhost == 'turnip' \
and \
$syslogseverity <= '6' \
and ( \
$syslogfacility-text != 'mail' \
and \
$syslogfacility-text != 'authpriv' \
and \
$syslogfacility-text != 'cron' \
) \
then /var/log/messages
# The authpriv file has restricted access.
#authpriv.* /var/log/secure
if \
$fromhost == 'turnip' \
and \
$syslogfacility-text == 'authpriv' \
then /var/log/secure
# Log all the mail messages in one place.
#mail.* /var/log/maillog
if \
$fromhost == 'turnip' \
and \
$syslogfacility-text == 'mail' \
then /var/log/maillog
# Log cron stuff
#cron.* /var/log/cron
if \
$fromhost == 'turnip' \
and \
$syslogfacility-text == 'cron' \
then /var/log/cron
# Everybody gets emergency messages
#*.emerg *
if \
$fromhost == 'turnip' \
and \
$syslogseverity-text == 'emerg' \
then *
# This line creates a template that will store the messages for each host in a separate file.
# A new file will be created daily because of the date in the filename.
$template DailyPerHostLogs,"/local/log/%HOSTNAME%/%HOSTNAME%.%$YEAR%-%$MONTH%-%$DAY%.log"
*.* -?DailyPerHostLogs
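To see what the filters above actually do, here is an added Python example (not from this page and not rsyslog's own code) that decodes the PRI field of classic BSD syslog lines and replays the server's five if rules plus the DailyPerHostLogs template over a few constructed messages. The hostnames, PIDs, addresses and the fixed date are constructed for the example; the names used for facility codes 12 to 15 are an assumption (rsyslog's names), as is using the header HOSTNAME as the sender identity.

```python
import re
from datetime import date

# Facility names by PRI code (PRI = facility * 8 + severity, RFC 3164).
# Codes 12-15 are named differently by different syslogs; rsyslog's names are assumed here.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME MSG: the classic BSD syslog layout carried over UDP 514.
HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")

LOCALHOST = "turnip"   # the log server's own name, as used in the $fromhost tests above


def parse_syslog_line(line):
    """Split one BSD syslog line into the fields the config's filters test."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a <PRI>TIMESTAMP HOSTNAME MSG line: %r" % line)
    pri = int(m.group(1))
    if pri > 191:                      # 23 facilities * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return {
        "fromhost": m.group(3),        # assumption: header HOSTNAME stands in for $fromhost
        "facility": FACILITIES[facility],
        "severity": severity,
        "severity_text": SEVERITIES[severity],
        "msg": m.group(4),
    }


def route(msg, today):
    """Return the destinations the server config would write this message to, in config order."""
    local = msg["fromhost"] == LOCALHOST
    out = []
    # if $fromhost == 'turnip' and $syslogseverity <= '6' and facility not mail/authpriv/cron
    if local and msg["severity"] <= 6 and msg["facility"] not in ("mail", "authpriv", "cron"):
        out.append("/var/log/messages")
    if local and msg["facility"] == "authpriv":
        out.append("/var/log/secure")
    if local and msg["facility"] == "mail":
        out.append("/var/log/maillog")
    if local and msg["facility"] == "cron":
        out.append("/var/log/cron")
    if local and msg["severity_text"] == "emerg":
        out.append("*")                # wall to all logged-in users
    # *.* -?DailyPerHostLogs: every message, local or remote, keyed by sender and reception date
    host = msg["fromhost"]
    out.append("/local/log/%s/%s.%s.log" % (host, host, today.strftime("%Y-%m-%d")))
    return out


# Constructed sample traffic (hosts, PIDs and addresses are made up for this example).
SAMPLES = [
    "<86>Jan  5 10:00:01 turnip sshd[2001]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2",
    "<38>Jan  5 10:00:02 pear sshd[3002]: Accepted password for bob from 192.0.2.11 port 50023 ssh2",
    "<0>Jan  5 10:00:03 turnip kernel: Kernel panic - not syncing: constructed example",
    "<78>Jan  5 10:00:04 turnip crond[4004]: (root) CMD (/usr/bin/find /local/log -type f -mtime +180)",
    "<15>Jan  5 10:00:05 turnip logger: debug-level chatter",
]


def route_samples(today=date(2011, 1, 5)):
    """Map each sample line to its destinations; the fixed date is part of the constructed example."""
    return {line: route(parse_syslog_line(line), today) for line in SAMPLES}


if __name__ == "__main__":
    for line, targets in route_samples().items():
        p = parse_syslog_line(line)
        print("%s.%s from %s -> %s" % (p["facility"], p["severity_text"], p["fromhost"], ", ".join(targets)))
```

Two things the replay makes visible: a remote host's auth.info line lands only in its daily per-host file, never in /var/log/secure, and a local debug-level line (severity 7) skips /var/log/messages because of the `<= '6'` test. Real rsyslog derives $fromhost from the sending peer rather than from the header, but over plain UDP neither is authenticated, so treat these $fromhost filters as routing, not as access control.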
Create an LV on turnip for the per-host log files:
lvcreate -n log -L 100G TurnipSpan0
mkfs.xfs -i attr=2 -l internal,version=2 /dev/TurnipSpan0/log
mkdir /local/log
# fstab entry:
/dev/TurnipSpan0/log /local/log xfs defaults,nosuid,nodev,uqnoenforce,gqnoenforce,noatime,context=user_u:object_r:file_t:s0 1 2
mount /local/log
Start up rsyslog:
service rsyslog start
# check it is working with:
ls -l /local/log/
Delete log files older than 180 days by putting this into a file in /etc/cron.d/:
11 03 * * * root /usr/bin/find /local/log/dism -type f -mtime +180 -name "*.log" -exec /bin/rm '{}' \;
To debug rsyslog in the foreground (compatibility mode 3, debug output, no fork):
/sbin/rsyslogd -c3 -dn
Clients still running sysklogd need no change of software: syslog and sysklogd speak the same syslog protocol and log to the rsyslog running on logserver.maths with lines like these in /etc/syslog.conf:
# Send this stuff to logserver machine...
auth.info @logserver.maths.cam.ac.uk
authpriv.info @logserver.maths.cam.ac.uk
# Added to centrally copy smartd failure messages which are logged at
# daemon.crit, hopefully we won't get too much junk we don't want!
daemon.crit @logserver.maths.cam.ac.uk
# Send serious kernel messages to the logserver too so we get records
# of things like CPU overheating etc.
kern.crit @logserver.maths.cam.ac.uk
An ssh from the client to another computer and back again will generate a remotely logged message, so check it has arrived on logserver.maths.
If applying this to managed computers, edit the default (or per-host) configs at:
/alt/ssetup/sl/5x/Config/system-conf-files-byhost/
/alt/ssetup/sl/5x/Config/system-conf-files/
/alt/ssetup/sl/6x/Config/system-conf-files-byhost/
/alt/ssetup/sl/6x/Config/system-conf-files/
and on each client run:
yum erase sysklogd
yum install rsyslog
chkconfig rsyslog on
Below is the rsyslog.conf for the client. @@ can be used for TCP, but we prefer @ for UDP.
# Use traditional timestamp format
# $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Provides kernel logging support (previously done by rklogd)
$ModLoad imklog
# Provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# *.info;mail.none;authpriv.none;cron.none /var/log/messages
*.info;kern.debug;mail.none;auth.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
auth.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# Send this stuff to logserver machine...
auth.info @logserver.maths.cam.ac.uk:10514
authpriv.info @logserver.maths.cam.ac.uk:10514
# Added to centrally copy smartd failure messages which are logged at
# daemon.crit, hopefully we won't get too much junk we don't want!
daemon.crit @logserver.maths.cam.ac.uk:10514
# Send serious kernel messages to the logserver too so we get records
# of things like CPU overheating etc.
kern.crit @logserver.maths.cam.ac.uk:10514
# End of file!
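The client config relies on the classic selector syntax: `facility.priority` means that priority and above, `*` is every facility or every priority, `none` switches a facility off, and later fields in one selector override earlier ones for the same facility (so `*.info;kern.debug;mail.none` logs kern at every level and mail not at all). As an added example, not from this page and not rsyslog's own code, the Python below evaluates those selectors over the rule lines of the client config above, so you can check which files and which @ forwarding actions a given facility/severity pair hits. The config excerpt is copied from this page; the facility name table is an assumption covering the standard names, and the `=`/`!` priority modifiers, which the page does not use, are not handled.

```python
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
# Assumed facility set for the '*' selector (standard names; 12-15 vary and are left out).
FACILITIES = ("kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7")

# The rule lines of the client rsyslog.conf above, copied from the page (comments dropped).
CLIENT_CONF = """
*.info;kern.debug;mail.none;auth.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
auth.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
auth.info @logserver.maths.cam.ac.uk:10514
authpriv.info @logserver.maths.cam.ac.uk:10514
daemon.crit @logserver.maths.cam.ac.uk:10514
kern.crit @logserver.maths.cam.ac.uk:10514
"""


def parse_selector(selector):
    """Return {facility: highest severity number logged, or None} for one 'a,b.prio;c.prio' selector."""
    thresholds = {}
    for part in selector.split(";"):
        facs, prio = part.rsplit(".", 1)
        names = FACILITIES if facs == "*" else tuple(facs.split(","))
        if prio == "none":
            level = None                    # facility switched off
        elif prio == "*":
            level = SEVERITY["debug"]       # everything, debug included
        else:
            level = SEVERITY[prio]          # this priority and more urgent (numerically lower)
        for name in names:
            thresholds[name] = level        # later parts override earlier ones
    return thresholds


def parse_conf(text):
    """Turn selector/action lines into [(thresholds, action)], keeping config order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        rules.append((parse_selector(selector), action.strip()))
    return rules


def actions_for(rules, facility, severity):
    """List the actions that fire for a message of the given facility and severity name."""
    sev = SEVERITY[severity]
    out = []
    for thresholds, action in rules:
        level = thresholds.get(facility)
        if level is not None and sev <= level:
            out.append(action)
    return out


def classify_action(action):
    """Tell apart the action kinds used on this page: @@ is TCP, @ is UDP, * is wall, else a file."""
    if action.startswith("@@"):
        return ("tcp", action[2:])
    if action.startswith("@"):
        return ("udp", action[1:])
    if action == "*":
        return ("wall", None)
    return ("file", action.lstrip("-"))


if __name__ == "__main__":
    rules = parse_conf(CLIENT_CONF)
    for fac, sev in (("auth", "info"), ("authpriv", "debug"), ("daemon", "crit"), ("kern", "emerg")):
        acts = actions_for(rules, fac, sev)
        print("%s.%s -> %s" % (fac, sev, [classify_action(a) for a in acts]))
```

Running it shows, for instance, that authpriv.debug reaches /var/log/secure locally but is not forwarded (the `authpriv.info` selector stops at info), while kern.emerg hits /var/log/messages, the wall action and the UDP forward to logserver. Changing the `@` to `@@` in CLIENT_CONF flips the forward from UDP to TCP on port 10514, the listener the server config opens with $InputTCPServerRun.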