Linux Configuration for rsyslog central log host
(5 June 2012)
I converted from syslog-ng to rsyslog because I found a web-based analyzer at http://loganalyzer.adiscon.com/.
This appears to be related to the rsyslog project but a separate company will take your money for support purposes if you want to give it to them.
This is rsyslog 3.22.1 (which is ancient but what is currently in CentOS 5.x).
# Let Everything In
$AllowedSender UDP, 72.x.x.128/25, 173..x.x.0/24, 172.16.0.0/12
$AllowedSender TCP, 72.x.x.128/25, 173..x.x.0/24, 172.16.0.0/12

# TCP/UDP listening
$InputTCPServerRun 514

# Use traditional timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Provides kernel logging support (previously done by rklogd)
# Provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock

# Turn Off "Last message repeated..."
$RepeatedMsgReduction off

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.debug;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
*.* :ommysql:127.0.0.1,Syslog,mysqluser,mysqluserpassword

# Custom destinations
- The rHOSTS in the file definition is there to separate these from the syslog-ng records, which are still present.
- The $RepeatedMsgReduction doesn't seem to affect output. This is a problem because the "last message repeated" isn't fully formed as to which server sent you the message and it shows up weird in the web interface.
I suspect that loganalyzer will melt under the load I currently aim at the syslog server (averaging around half a million lines per day) but time will tell.
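A quick way to check what the $AllowedSender lines above actually admit, as an added example that is not part of the original post or of rsyslog itself. It assumes rsyslog's documented behaviour that a protocol with no $AllowedSender list accepts every sender; the sample config is constructed (documentation ranges stand in for the redacted networks), the function names are hypothetical, and hostname or wildcard entries are reported as unparsed rather than resolved.

```python
import ipaddress
import re

# Constructed sample: documentation ranges replace the post's redacted networks,
# and one redacted-style entry is kept to show how unparseable items surface.
SAMPLE_CONF = """\
$AllowedSender UDP, 198.51.100.128/25, 203.0.113.0/24, 172.16.0.0/12
$AllowedSender TCP, 198.51.100.128/25, 173..x.x.0/24  # second entry is malformed
$InputTCPServerRun 514
"""

DIRECTIVE = re.compile(r"^\s*\$AllowedSender\s+(\w+)\s*,\s*(.+)$", re.IGNORECASE)


def parse_allowed_senders(conf_text):
    """Return ({proto: [networks]}, [(proto, unparsed_entry)]) from legacy-format config."""
    allowed, rejected = {}, []
    for line in conf_text.splitlines():
        match = DIRECTIVE.match(line.split("#", 1)[0])  # ignore comments
        if not match:
            continue
        proto = match.group(1).upper()
        nets = allowed.setdefault(proto, [])
        for entry in filter(None, (e.strip() for e in match.group(2).split(","))):
            try:
                nets.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                rejected.append((proto, entry))  # hostname, wildcard or typo
    return allowed, rejected


def sender_allowed(allowed, proto, source_ip):
    """Would a message from source_ip over proto pass the parsed lists?"""
    nets = allowed.get(proto.upper())
    if nets is None:  # assumption: no list for this protocol means accept all
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in nets)


def wide_entries(allowed, min_prefix=16):
    """IPv4 entries broader than /min_prefix, worth a second look on a log host."""
    return [(proto, net) for proto, nets in allowed.items() for net in nets
            if net.version == 4 and net.prefixlen < min_prefix]


if __name__ == "__main__":
    acl, bad = parse_allowed_senders(SAMPLE_CONF)
    print("unparsed:", bad)
    print("wide:", [(p, str(n)) for p, n in wide_entries(acl)])
    print("tcp 172.20.1.5 allowed:", sender_allowed(acl, "tcp", "172.20.1.5"))
```

Feed it the text of the real rsyslog.conf to see which entries the parser cannot read and which protocols have no list at all.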