Linux Admin Quick Reference – Configuration of Syslog and Rsyslog – Redhat Enterprise Linux

In Red Hat Enterprise Linux 3/4/5 the default system log tool is syslogd, provided by the sysklogd package. Since Red Hat Enterprise Linux 6, rsyslogd is the default. The rsyslog package has also been available since Red Hat Enterprise Linux 5.2.

1. Configuring Syslog for centralized logging in a network [RHEL3/4/5]

The syslogd daemon can be configured to send messages for all logging levels or individual levels to one or more syslog servers. Configuration changes are generally required on both client and server to achieve this.

Syslog Centralized Log Server Configuration (messages destination server):

Change SYSLOGD_OPTIONS to allow syslogd to listen on the network for log messages.  Edit /etc/sysconfig/syslog file to add the -r option:

    SYSLOGD_OPTIONS="-r -m 0"

After the file has been saved, the syslogd service needs to be restarted:

    # service syslog restart

Ensure that UDP port 514 is open in your firewall so that incoming log messages are accepted (below is an example):

    # iptables -I INPUT -p udp --dport 514 -j ACCEPT
    # service iptables save

  
Syslog Client Configuration (messages source servers):

Configure the /etc/syslog.conf file on the syslog client to send messages to the centralized log server.  Below are 2 different examples:

To configure a client to send all messages to the centralized server (Replace hostname with the IP address or hostname of the syslog server):

    *.*         @hostname

To only send a standard set of logs to the remote server:

    *.info;mail.none;authpriv.none;cron.none      @hostname

Now restart the syslog service on the client:

    # service syslog restart

Testing remote syslog logging:

Test sending a log message by running the following command locally on the syslog client:

    # logger "***** THIS IS A TEST *****"

The log messages from the logger command should be found in /var/log/messages of the centralized log server.

2. Migrating system logging configuration from syslog to rsyslog environment

rsyslogd can run in a compatibility mode whose main purpose is to stay compatible with the old syslogd. All you need to do is copy the syslogd configuration files into the rsyslogd environment.

1. Copy the configuration files

# cp /etc/syslog.conf /etc/rsyslog.conf
# cp /etc/sysconfig/syslog /etc/sysconfig/rsyslog

2. Edit the new rsyslog.conf and add this line (otherwise kernel messages will not be logged):

$ModLoad imklog.so     # provides kernel logging support (previously done by rklogd)

If you did not modify /etc/logrotate.d/syslog, there is no need to copy it, because both packages provide that file with the same contents.

3. Stop the syslogd

# service syslog stop
# chkconfig syslog off

4. Start the rsyslogd

# service rsyslog start
# chkconfig rsyslog on

5. About log format

rsyslogd uses almost the same log format as syslogd, but there are still differences. If you want to keep the log format exactly the same as syslogd, use the pre-defined template RSYSLOG_TraditionalFileFormat:

cron.*      /var/log/cron;RSYSLOG_TraditionalFileFormat

Note: Don't miss the ";" here.

3. Configure remote logging with rsyslog [RHEL5/RHEL6]


In RHEL 6 rsyslog is the default logging daemon; in RHEL 5 rsyslog is available but not installed by default.

Install rsyslog

# yum install rsyslog  

To configure rsyslog using TCP:

Configure the remote server to accept remote log messages using TCP

Uncomment the following lines in the MODULES section of /etc/rsyslog.conf:

$ModLoad imtcp.so  
$InputTCPServerRun 514

Restart rsyslog.

[root@server ~]# service rsyslog restart

Configure the rsyslog server to send rsyslog events to another server using TCP.

Add the following line to the RULES section of /etc/rsyslog.conf:

# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @remote-host:514
*.*         @@10.10.10.1:514

You can also specify the severity to send, for example info messages:

*.info      @@10.10.10.1:514

Restart rsyslog

[root@system ~]# service rsyslog restart

To configure rsyslog using UDP:

Configure the remote server to accept remote log messages using UDP.

Uncomment the following lines in the MODULES section of /etc/rsyslog.conf:

# Provides UDP syslog reception  
$ModLoad imudp.so  
$UDPServerRun 514

Restart rsyslog.

[root@server ~]# service rsyslog restart

Configure the rsyslog server to send rsyslog events to another server using UDP

Add the following line to the RULES section of /etc/rsyslog.conf:

# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @remote-host:514
*.*         @10.10.10.1:514

You can also specify the severity to send, for example info messages:

*.info      @10.10.10.1:514

Restart rsyslog.

[root@system ~]# service rsyslog restart

Test the configuration:

On rsyslog server sending out the messages:

[root@server1 ~]# logger Test from system  
[root@server1 ~]# tail /var/log/messages  
Jun 25 00:00:01 system root: Test from system

On rsyslog remote server receiving the messages:

[root@server2 ~]# tail /var/log/messages  
Dec 25 00:00:01 system root: Test from system

Configure rsyslog to generate a separate log file for each host 

Open /etc/rsyslog.conf and add the following lines right at the top of the file. Note that %HOSTNAME% is taken from the message as the remote host sent it, so it is untrusted input when used to build a path; rsyslog's property replacer offers the secpath-drop and secpath-replace options to strip or replace slashes in such a field.

$ModLoad imudp.so
$UDPServerAddress <IP of rsyslog server>
$UDPServerRun 514

$template DynFile,"/var/log/system-%HOSTNAME%.log"
*.* -?DynFile
& ~

To generate a separate log file for each host that also carries the date of creation (year-month-day), modify the template as shown below:

$template DynFile,"/var/log/syslog/system-%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%-messages.log"
*.* -?DynFile
& ~

To generate a separate log file for each remote host while keeping the rsyslog server's own messages out of these files, modify the template and filter on the sender's IP as shown below:

$template DynFile,"/var/log/syslog/system-%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%-messages.log"
:fromhost-ip, !isequal, "127.0.0.1" -?DynFile
& ~

To generate a separate folder for each host:

$template DynFile,"/var/log/syslog/system-%HOSTNAME%/messages.log"
*.* -?DynFile
& ~

4. Configuring SELinux to allow rsyslogd to write to custom log files

The security context of the custom log file should match the context of /var/log:

$ ls -aZ  /var/log/messages
-rw-------. root root system_u:object_r:var_log_t:s0   /var/log/messages

Change the security context of the custom log file like this:

$ semanage fcontext -a -f -d -t var_log_t  <custom_log_file>

Note that you may have to set this context recursively, like this (the directory /custom_log is a placeholder):

$ semanage fcontext -a -t var_log_t "/custom_log(/.*)?"

$ restorecon -R -v /custom_log

If the system doesn't have the semanage command, install its package:

$ yum install policycoreutils-python

Alternatively, you can apply the context of /var/log directly to the custom log file or directory (e.g. /var/tmp/newlog) with chcon:

$ chcon -R -t var_log_t   <custom_log_file or dir>

4. Configuring filters for a specific IP or program in the server's messages file

Note: the default syslogd does not have any advanced filtering. Use rsyslog for filtering.

Discard filter for a host. Edit /etc/rsyslog.conf and add the discard filter below. For rsyslog versions 2, 3 and 4 use the following:

    :msg, contains, "xx.xx.xx.xx"    ~

Discard filter for a program: use the line below to discard vsftpd logs that mention the IP xx.xx.xx.xx (two IP placeholders are shown; replace them with the addresses you want to drop):

if $programname == 'vsftpd' and ($msg contains 'xx.xx.xx.xx' or $msg contains 'xx.xx.xx.xx') then ~

Note: place the filters at the top of the file, not at the bottom, because rules are processed in order.

4. Configuring Apache access logs to a remote or local syslog server

Apache does not support logging the access log to syslog by default. To accomplish this you can use a simple Perl script with the Sys::Syslog module, which is installed by default.

Configuring procedure:

1) Add the following line to the Apache httpd.conf file:

    CustomLog |/usr/local/apache/bin/apache_syslog combined

2) /usr/local/apache/bin/apache_syslog is a script; its source is given below.

This script must be located at /usr/local/apache/bin/apache_syslog and must be executable:

    #!/usr/bin/perl
    # Reads Apache access log lines on STDIN and forwards each one to syslog
    # under facility local1 with the tag "apache".
    use strict;
    use warnings;
    use Sys::Syslog qw( :DEFAULT setlogsock );
    setlogsock('unix');
    # openlog(ident, options, facility): the options are one comma-separated string
    openlog('apache', 'cons,pid', 'local1');
    while (my $log = <STDIN>) {
        chomp $log;
        # Pass the line as a '%s' argument, never as the format string itself,
        # so '%' sequences in a request URI are not interpreted by syslog()
        syslog('notice', '%s', $log);
    }
    closelog();

3) In /etc/syslog.conf, send the local1 facility to the remote syslog server where you are centralizing the logs (replace hostname with the IP address or hostname of that server):

    local1.*        @hostname

4) The last step is to restart the syslog and httpd services:

    service syslog restart
    service httpd restart

Note: in Apache, access logs are handled by a separate module, mod_log_config, rather than by syslog.

We can configure this module to send logs to a remote server with the procedure below:

A) First, edit the Apache config file /etc/httpd/conf/httpd.conf and add a CustomLog directive like the following example. This sends all Apache access logs to the syslog facility local6:

    CustomLog "|/usr/bin/logger -p local6.info" combined

B) Edit the syslog config /etc/syslog.conf on the server to send all logs tagged local6.info to the log server 1.2.3.4:

    local6.info  @1.2.3.4

Replace 1.2.3.4 with the IP address of the remote syslog server.

C) Make sure that the httpd access logs do not also go to /var/log/messages on the local system. To do this, modify the following line in /etc/syslog.conf:

    FROM:

        *.info;mail.none;authpriv.none;cron.none  /var/log/messages

    TO:

        *.info;mail.none;authpriv.none;cron.none;local6.!=info  /var/log/messages

D) The last step is to restart the syslog and httpd services:

    service syslog restart
    service httpd restart
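The effect of the `local6.!=info` change in step C can be checked with this small evaluator of classic syslog.conf selector semantics. It is an added example, not part of the original post or of any syslog implementation; the BEFORE and AFTER rule sets are constructed to mirror steps B and C, and the `!prio` form is modelled only as refining an earlier positive selector.

```python
# Evaluate classic syslog.conf selectors (sysklogd / rsyslog legacy syntax).
# Modelled: '*' (all), 'none', 'prio' (that level and above), '=prio' (exactly that
# level), '!=prio' (all but that level), '!prio' (drop that level and above).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}  # legacy names

def _level(name):
    return PRIORITIES.index(ALIASES.get(name, name))

def selector_matches(selector, facility, priority):
    """True if a message of facility.priority is selected by the selector field."""
    matched = False
    for part in selector.split(";"):          # later parts refine earlier ones
        facs, _, prio = part.strip().rpartition(".")
        fac_list = FACILITIES if facs == "*" else facs.split(",")
        if facility not in fac_list:
            continue
        if prio == "none":
            matched = False
        elif prio == "*":
            matched = True
        elif prio.startswith("!="):
            matched = matched and priority != prio[2:]
        elif prio.startswith("!"):
            matched = matched and _level(priority) < _level(prio[1:])
        elif prio.startswith("="):
            matched = priority == prio[1:]
        else:
            matched = _level(priority) >= _level(prio)
    return matched

def route(conf, facility, priority):
    """Return the actions (file, @host for UDP, @@host for TCP) a message reaches."""
    actions = []
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            selector, action = line.split(None, 1)
            if selector_matches(selector, facility, priority):
                actions.append(action)
    return actions

# Constructed rule sets mirroring the FROM and TO versions of /etc/syslog.conf above
BEFORE = "local6.info  @1.2.3.4\n*.info;mail.none;authpriv.none;cron.none  /var/log/messages\n"
AFTER = "local6.info  @1.2.3.4\n*.info;mail.none;authpriv.none;cron.none;local6.!=info  /var/log/messages\n"
```

With BEFORE, an Apache line logged at local6.info lands both on the remote server and in the local /var/log/messages; with AFTER it reaches only the remote server, while other local6 levels still go to both.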

5. Rotating System Log Files

The rotation of log files can be done with the logrotate utility. logrotate is designed to simplify administration of systems that generate large numbers of log files. It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large.

/etc/logrotate.conf is the main configuration file for log rotation. Settings in the files under /etc/logrotate.d/ override the settings in /etc/logrotate.conf. The file is pretty self-explanatory. Some important values to keep in mind:

# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

Normally, logrotate is run as a daily cron job. It will not modify a log multiple times in one day unless the criteria for a log is based on the logs size and logrotate is being run multiple times each day.

Example 1: To change the log settings for CUPS, follow the steps below:

Step 1 : Edit /etc/logrotate.d/cups file and add the following lines:

rotate <count>

# Log files are rotated <count> times before being removed. If count is 0, old versions are removed rather than rotated.

size <size>

# Log files are rotated when they grow bigger than <size> bytes. If the size is followed by M, the size is assumed to be in megabytes; if k is used, the size is in kilobytes. So size 100, size 100k and size 100M are all valid.

compress

# Old versions of log files are compressed with gzip by default.

The file should look similar to the following:

/var/log/cups/*_log {
    missingok
    notifempty
    size 100k   # log files are rotated when they grow bigger than 100k
    rotate 5    # keeps 5 rotated copies before the oldest is removed
    compress    # rotated log files are compressed
    sharedscripts
    postrotate
        /etc/init.d/cups condrestart >/dev/null 2>&1 || true
    endscript
}

Changes to this file only take effect at the next log rotation. To force a rotation immediately and confirm the configuration works, run the following (add -d for a dry run that only reports what would be done):

# logrotate -f /etc/logrotate.conf

Example 2: Rotating a specific system log file separately

Create the file secure in the /etc/logrotate.d/ directory with the following entries:

[root@linuxserver logrotate.d]# vi /etc/logrotate.d/secure

### Config syslog secure log file separately

/var/log/secure {
monthly
minsize 1M
rotate 3
missingok
# compress
dateext
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
ifempty
}

The system log files are defined in /etc/logrotate.d/syslog. Since /var/log/secure is now defined separately, remove it from that file:

[root@linuxserver logrotate.d]# more /etc/logrotate.d/syslog
/var/log/cron
/var/log/secure         <--- remove this line
/var/log/maillog
/var/log/messages
/var/log/spooler
{
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}

Changes to this file only take effect at the next log rotation.

6. Configuring vsftpd logs to a remote log server

1. Edit the file /etc/vsftpd/vsftpd.conf and add the following line:

syslog_enable=YES

2. Restart vsftpd service.

service vsftpd restart

3. Edit /etc/rsyslog.conf and add one of the following lines.

For UDP:

ftp.* @remote-hostname

For TCP:

ftp.* @@remote-hostname

Or, to keep the FTP log in a local file instead:

ftp.* /var/log/ftp.log

4. Restart rsyslog service.

# service rsyslog restart

NOTE: Replace remote-hostname with the actual hostname of the remote log server. A single @ sends over UDP and @@ sends over TCP.

Ramdev

I started unixadminschool.com (aka gurkulindia.com) in 2009 as my own personal reference blog, and some time later I realized that my learnings might be helpful for other Unix admins if I managed my knowledge base in a more user-friendly format. The result is today's unixadminschool.com. You can connect with me at https://www.linkedin.com/in/unixadminschool/

2 Responses

  1. Many thanks RAM…..! Excellent Guidelines…..Really Practical.

  1. September 16, 2015

    […] Read – Syslog and Rsyslog Quick Reference […]
