Rsyslog Central Server
Server side
The package we are gonna need to get installed is rsyslog-ng, available through main software distribution application for every distro.
The layout for our central syslog server is going to be the following:
on the server side we only need to modify /etc/rsyslog.conf by uncomment two modules and adding some rules:
#################
#### MODULES ####
#################
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# provides UDP syslog reception
#$ModLoad imudp.so
#$UDPServerRun 5514
#$UDPServerAddress 172.16.65.163
# provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 5514
We will define also a template to generate the logs from remote servers depending on the IP, and also if the process that generates the log matches with one of the processes we want, we will create a separate syslog file preceded by process name.
##############
##Templates###
##############
# This one is the template to generate the log filename dynamically, depending on the client's IP address.
$template externalsyslog,"/home/backup/rsyslog_server/%fromhost-ip%/syslog.log"
$template TraditionalFormat,"%timegenerated% %fromhost-ip% %syslogtag%%msg:::drop-last-lf%\n"
$template filterByProgramName,"/home/backup/rsyslog_server/%fromhost-ip%/%programname%_syslog.log"
if $programname == 'process1' then ?filterByProgramName;TraditionalFormat
if $programname == 'process2' then ?filterByProgramName;TraditionalFormat
if $programname == 'process3' then ?filterByProgramName;TraditionalFormat
if $programname == 'process4' then ?filterByProgramName;TraditionalFormat
if $programname == 'process5' then ?filterByProgramName;TraditionalFormat
if $programname == 'process6' then ?filterByProgramName;TraditionalFormat
if $programname == 'process7' then ?filterByProgramName;TraditionalFormat
if $programname == 'process8' then ?filterByProgramName;TraditionalFormat
# Log all messages to the dynamically formed file. Now each clients log (172.16.65.166, 172.16.65.167,etc...), will be under a separate directory which is formed by the template FILENAME.
*.* -?externalsyslog;TraditionalFormat
We must grant the right permissions to the directory where rsyslog will be writing its logs. syslog:syslog
Clients
We must forward the syslog messages to server's IP.#Forward log to remote server
*.* @@172.16.70.3:5514
#Forward log to localhost
*.* @@localhost:514
Logrotate
Linked to syslog server we had set logrotate to rotate the logs weekly. That is why we added the following entries to /etc/logrotate.d/rsyslogHere we are rotating all the logs generated by different processes from every client. For example, for 172.16.65.161 we are going to be rotating syslog.log, process2_syslog.log, process3_syslog.log, process4syslog.log, process1_syslog.log
root@ZNNH003:~# cat /etc/logrotate.d/rsyslog
/var/log/syslog
{
rotate 7
daily
missingok
notifempty
delaycompress
compress
postrotate
reload rsyslog >/dev/null 2>&1 || true
endscript
}
/home/backup/rsyslog_server/127.0.0.1/syslog.log
{
rotate 7
daily
missingok
notifempty
delaycompress
compress
postrotate
reload rsyslog >/dev/null 2>&1 || true
endscript
}
/home/backup/rsyslog_server/127.0.0.1/process4_syslog.log
{
rotate 7
daily
missingok
notifempty
delaycompress
compress
postrotate
reload rsyslog >/dev/null 2>&1 || true
endscript
}
/home/backup/rsyslog_server/127.0.0.1/process3_syslog.log
{
rotate 7
daily
missingok
notifempty
delaycompress
compress
postrotate
reload rsyslog >/dev/null 2>&1 || true
endscript
}
Cap comentari:
Publica un comentari a l'entrada