Requesting help to understand rsyslog logging server configuration


 
# 1 (01-20-2017)

Hi,

I am learning to configure an rsyslog server. While configuring it I am facing some issues.
Please help me with a proper rsyslog.conf configuration by which logs are logged only at one place, on the log server, within a particular directory with different log names, with no logging at the client itself.

Configuration at server:

Code:
[root@rhel7-test-3 ~]# cat /etc/rsyslog.conf
# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imklog # reads kernel messages (the same are read from journald)
$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
#$InputUDPServerBindRuleset remote

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

$template RemoteLogs, "/var/log/remoteclients/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
Why is the syslog server creating a folder for itself within "remote-clients"?

Code:
[root@rhel7-test-3 log]# ls -l remote-clients
total 0
drwx------. 2 root root 40 Jan 20 14:12 rhel7-client
drwx------. 2 root root 80 Jan 20 14:12 rhel7-test-3

Code:
[root@rhel7-test-3 remote-clients]# cd rhel7-client
[root@rhel7-test-3 rhel7-client]# ls -ltr
total 8
-rw-r--r--. 1 root root 242 Jan 20 14:12 systemd.log
-rw-r--r--. 1 root root 120 Jan 20 14:12 CROND.log
From the client,

Code:
[root@rhel7-client ~]# logger -p mail.info "testing mail log"
then at the log server,

Code:
[root@rhel7-test-3 rhel7-client]# ls -ltr
total 20
-rw-r--r--. 1 root root  163 Jan 20 14:13 root.log
-rw-r--r--. 1 root root  322 Jan 20 14:13 goa.log
-rw-r--r--. 1 root root  682 Jan 20 14:15 postfix.log
-rw-r--r--. 1 root root 1867 Jan 20 14:19 systemd.log
-rw-r--r--. 1 root root  918 Jan 20 14:19 CROND.log
Till here it seems OK, but

From the client,
Code:
[root@rhel7-client log]# logger "hello--test test-1"
[root@rhel7-client log]# tail messages
Jan 20 14:21:47 rhel7-client root: hello--test test-1
From the server, the logger message is logged at root.log:
Code:
[root@rhel7-test-3 rhel7-client]# more root.log
2017-01-20T14:21:47+05:30 rhel7-client root: root [1444]: logger "hello--test test-1" [0]
The logger message is also logged at /var/log/messages on the rsyslog server.

Code:
[root@rhel7-test-3 rhel7-client]# tail /var/log/messages
Jan 20 14:21:01 rhel7-client systemd: Started Session 19 of user user1.
Jan 20 14:21:47 rhel7-client root: hello--test test-1
Why is it logging thrice?

rsyslog.conf at the client:

Code:
[root@rhel7-client /]# cat /etc/rsyslog.conf
# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imklog # reads kernel messages (the same are read from journald)
$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
user.info /var/log/user.log
ftp.info /var/log/ftp.log
local6.err      /var/log/errorandabove
local6.=err     /var/log/onlyerror
local6.*        /var/log/alllocal6
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
*.* @192.168.234.146:514
# ### end of the forwarding rule ###
Please help to identify the issue with my configuration file.
# 2 (01-20-2017)
Basically, on each individual server, the only active line you need is
Code:
*.*       @syslog.my.company.server

You do the filtering/splitting on the receiving server. If you match the message multiple times, you will record it multiple times. Do you have an example of the duplicated messages? If they are in different files, then remember that you are usually recording messages that are of the specified level and above, e.g. *.info will also pick up *.warn messages. You can specifically exclude higher levels, if that's what you want.

This link is useful: Sending Messages to a Remote Syslog Server

I would suggest using a DNS address in case you want to move your central syslog server; however, some people worry that this requires the address to resolve as rsyslogd starts, so I know that many people use a plain IP address.


I hope that this helps,
Robin
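One way to get what the question asks for (per-host, per-program files on the server only, and nothing written under /var/log on the client), as an added example that is not part of either post. It uses rsyslog's RainerScript syntax, which rsyslog 7 on RHEL 7 accepts alongside the legacy directives in the posted files; the drop-in file name and the `remote` ruleset name are my own choices, and the directory path follows the listing in the question. Binding the UDP input to its own ruleset is what stops remote messages from also matching the server's default `*.info ... /var/log/messages` rule and stops the server's own messages from matching the `?RemoteLogs` action, which is why a directory for the server's own hostname appears.

```conf
# ---- Server (rhel7-test-3): /etc/rsyslog.d/10-remote.conf (file name is my choice) ----
# Remote messages are handled in a dedicated ruleset, so they never reach the
# default rules (/var/log/messages, /var/log/secure, ...) and the server's own
# messages (arriving via imjournal) never reach the per-host tree.
module(load="imudp")

template(name="RemoteLogs" type="string"
         string="/var/log/remote-clients/%HOSTNAME%/%PROGRAMNAME%.log")

ruleset(name="remote") {
    # Keep client logs readable only by root: new directories 0700, files 0600.
    action(type="omfile" dynaFile="RemoteLogs"
           dirCreateMode="0700" fileCreateMode="0600")
    # Nothing else here: no fall-through into the default ruleset.
}

# Bind the UDP listener to that ruleset. This replaces the posted
#   $ModLoad imudp / $UDPServerRun 514 / *.* ?RemoteLogs
# lines in the server's rsyslog.conf, which must be removed or commented out.
input(type="imudp" port="514" ruleset="remote")

# ---- Client (rhel7-client): RULES section of /etc/rsyslog.conf ----
# Remove the local file rules (*.info ... /var/log/messages, authpriv.*, mail.*,
# cron.*, user.info, ftp.info, local6.* ...) and keep only this forwarding
# action, so nothing is written under /var/log on the client. The client needs
# no listener either: drop $ModLoad imudp/imtcp and the *ServerRun 514 lines.
# Queue settings mirror the commented forwarding block in the posted file.
*.* action(type="omfwd" target="192.168.234.146" port="514" protocol="udp"
           queue.type="LinkedList" queue.filename="fwdRule1"
           queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
```

UDP syslog carries no authentication, so restrict port 514 on the server with a host firewall to the client network; for reliable delivery use `module(load="imtcp")` with `input(type="imtcp" ...)` on the server and `protocol="tcp"` on the client, as the posted file's own forwarding comment suggests.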