
Sunday, 12 May 2013

How to deploy an rsyslog central server in GNU/Linux


Rsyslog Central Server

Server side

The package we need is rsyslog (not syslog-ng, which is a different daemon), available from every distribution's package manager.
The layout of our central syslog server is the following: every client forwards all of its syslog messages over TCP to the server, and the server stores them in a separate directory per client IP address.

On the server side we only need to modify /etc/rsyslog.conf, uncommenting the TCP input module and adding some rules:




#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# provides UDP syslog reception
#$ModLoad imudp.so
#$UDPServerRun 5514
#$UDPServerAddress 172.16.65.163

# provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 5514

We also define templates: one builds the log file name dynamically from the client's IP address, and a second one, used when the process that generated the message is one of the processes we care about, puts that process's messages in a separate file prefixed with the process name. Keep in mind that %programname% is derived from the syslog tag the client sends, so it is client-controlled data being used as a path component; the secpath-replace property option replaces any slash in it with an underscore before it reaches the filesystem, so a crafted tag cannot write outside the client's directory.

##############
##Templates###
##############
# Dynamic log file name, depending on the client's IP address.
$template externalsyslog,"/home/backup/rsyslog_server/%fromhost-ip%/syslog.log"
$template TraditionalFormat,"%timegenerated% %fromhost-ip% %syslogtag%%msg:::drop-last-lf%\n"

# Per-process file. secpath-replace turns any "/" in the client-supplied program name into "_",
# so a crafted tag cannot escape the per-client directory.
$template filterByProgramName,"/home/backup/rsyslog_server/%fromhost-ip%/%programname:::secpath-replace%_syslog.log"

# Messages from these processes get their own file. They are not discarded here,
# so they are also still written to the per-client syslog.log by the *.* rule below.
if $programname == 'process1' then ?filterByProgramName;TraditionalFormat
if $programname == 'process2' then ?filterByProgramName;TraditionalFormat
if $programname == 'process3' then ?filterByProgramName;TraditionalFormat
if $programname == 'process4' then ?filterByProgramName;TraditionalFormat
if $programname == 'process5' then ?filterByProgramName;TraditionalFormat
if $programname == 'process6' then ?filterByProgramName;TraditionalFormat
if $programname == 'process7' then ?filterByProgramName;TraditionalFormat
if $programname == 'process8' then ?filterByProgramName;TraditionalFormat

# Log all messages to the dynamically formed file. Each client's log (172.16.65.166, 172.16.65.167, etc.)
# ends up under a separate directory named by the externalsyslog template.
# The leading "-" tells rsyslog not to sync the file after every write.
*.* -?externalsyslog;TraditionalFormat

We must give rsyslog write access to the directory where it stores the logs. On Debian/Ubuntu rsyslog drops privileges to the syslog user and group, so the tree must be owned by syslog:syslog (chown -R syslog:syslog /home/backup/rsyslog_server) and should not be readable by other users (for example mode 750), since it will hold every client's logs. Note also that plain TCP syslog is neither authenticated nor encrypted: any host that can reach port 5514 can inject messages under any program name, so restrict senders with a firewall or the $AllowedSender directive (for example $AllowedSender TCP, 172.16.65.0/24), and consider TLS (the gtls netstream driver) for traffic that crosses an untrusted network.

Clients

On each client we forward the syslog messages to the server's IP address. "@@" sends over TCP; a single "@" would use UDP.

# Forward all messages to the central server over TCP
*.* @@172.16.70.3:5514
# Forward all messages to a TCP listener on localhost as well.
# Only needed if something on the client itself listens on TCP 514;
# the local log files are already written by the distribution's default rules.
*.* @@localhost:514
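To see what the server side does with a message once it arrives, here is an added example, written for this page and not part of the original post or of rsyslog itself: a small Python TCP receiver that applies the same dynamic-file layout as the templates above (<base>/<fromhost-ip>/<programname>_syslog.log) and is fed three constructed RFC 3164 lines over loopback, one of them carrying a tag with path separators. The receiver, the message samples and the helper names are assumptions for illustration; the sanitisation step mirrors the effect of rsyslog's secpath-replace property option (slashes in the value replaced by underscores).

```python
"""Added example (not from the post, not rsyslog code): a minimal TCP syslog
receiver that writes <base>/<client ip>/<programname>_syslog.log the way the
post's dynafile templates do, and shows why the client-supplied program name
must be sanitised before it is used as a path component."""
import os
import re
import shutil
import socket
import socketserver
import tempfile
import threading

# Constructed sample traffic, one RFC 3164 line per message, as a client's
# "*.* @@server:5514" rule would send it over TCP (newline framed).
SAMPLE_MESSAGES = [
    "<34>May 12 10:15:00 web01 process1[1234]: user login failed",
    "<13>May 12 10:15:01 web01 process2: cache warmed",
    # A client-chosen tag with path separators: used unsanitised in a
    # dynafile template this would escape the per-client directory.
    "<13>May 12 10:15:02 web01 ../../../tmp/evil: traversal attempt",
]

RFC3164 = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_rfc3164(line):
    """Split a BSD syslog line into (pri, timestamp, hostname, tag, msg)."""
    m = RFC3164.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % line)
    pri, ts, host, rest = m.groups()
    tag, _, msg = rest.partition(": ")
    return int(pri), ts, host, tag, msg


def programname(tag):
    """Static part of the tag, like rsyslog's %programname% ("named[12]" -> "named")."""
    return re.split(r"[\[:]", tag, maxsplit=1)[0]


def secpath_replace(name):
    """Same effect as rsyslog's secpath-replace option: every "/" becomes "_",
    so the value can never add path components."""
    return name.replace("/", "_") or "unknown"


def dynafile(base, ip, prog):
    """The post's filterByProgramName template with a sanitised program name."""
    return os.path.join(base, ip, "%s_syslog.log" % secpath_replace(prog))


class Collector(socketserver.StreamRequestHandler):
    """One connection = one client; rsyslog's %fromhost-ip% is the peer address."""

    def handle(self):
        ip = self.client_address[0]
        try:
            for raw in self.rfile:
                line = raw.decode("utf-8", "replace").rstrip("\n")
                try:
                    _, ts, _, tag, msg = parse_rfc3164(line)
                except ValueError:
                    continue  # drop garbage instead of crashing the collector
                path = dynafile(self.server.base, ip, programname(tag))
                os.makedirs(os.path.dirname(path), mode=0o750, exist_ok=True)
                with open(path, "a") as f:  # TraditionalFormat-style line
                    f.write("%s %s %s: %s\n" % (ts, ip, tag, msg))
        finally:
            self.server.done.set()


def run_demo(messages=SAMPLE_MESSAGES):
    """Deliver `messages` over loopback TCP; return the relative paths written."""
    base = tempfile.mkdtemp()
    srv = socketserver.TCPServer(("127.0.0.1", 0), Collector)
    srv.base, srv.done = base, threading.Event()
    t = threading.Thread(target=srv.serve_forever)
    t.start()
    with socket.create_connection(srv.server_address) as c:  # the "client"
        c.sendall("".join(m + "\n" for m in messages).encode())
    srv.done.wait(5)
    srv.shutdown()
    srv.server_close()
    t.join()
    paths = []
    for d, _, files in os.walk(base):
        paths += [os.path.relpath(os.path.join(d, f), base) for f in files]
    shutil.rmtree(base)
    return sorted(paths)


if __name__ == "__main__":
    for p in run_demo():
        print(p)
```

Running it prints the three files created under 127.0.0.1/: the third message lands as .._.._.._tmp_evil_syslog.log inside the client's own directory instead of three ".." components up the tree, which is exactly what the secpath-replace option buys you in the real template.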


Logrotate

Together with the syslog server we set up logrotate to rotate the logs daily, keeping seven rotations. That is why we added the following entries to /etc/logrotate.d/rsyslog.

Here we rotate all the logs generated by the different processes of every client. For example, for 172.16.65.161 we rotate syslog.log, process1_syslog.log, process2_syslog.log, process3_syslog.log and process4_syslog.log.

root@ZNNH003:~# cat /etc/logrotate.d/rsyslog
/var/log/syslog
{
	rotate 7
	daily
	missingok
	notifempty
	delaycompress
	compress
	postrotate
		reload rsyslog >/dev/null 2>&1 || true
	endscript
}

# One entry with a glob covers every client directory and every per-process file
# (syslog.log, process1_syslog.log, ...), so new clients or processes need no change here.
# sharedscripts runs the postrotate once for all matched files; "reload rsyslog" is the
# Ubuntu (upstart) command that makes rsyslog reopen its log files after rotation.
/home/backup/rsyslog_server/*/*.log
{
	rotate 7
	daily
	missingok
	notifempty
	delaycompress
	compress
	sharedscripts
	postrotate
		reload rsyslog >/dev/null 2>&1 || true
	endscript
}
