For When You Can't Have The Real Thing
[ start | index | login ]
start > Linux > rsyslog > v3 config

v3 config

Created by dave. Last edited by dave, 5 years and 148 days ago. Viewed 1,430 times. #2
[diff] [history] [edit] [rdf]
labels
attachments

Linux Configuration for rsyslog central log host

(5 June 2012)

I converted from syslog-ng to rsyslog because I found a web-based analyzer at >>http://loganalyzer.adiscon.com/. This appears to be related to the rsyslog project but a separate company will take your money for support purposes if you want to give it to them.

This is rsyslog 3.22.1 (which is ancient but what is currently in CentOS 5.x).

# Let Everything In
$AllowedSender UDP, 72.x.x.128/25, 173..x.x.0/24, 172.16.0.0/12
$AllowedSender TCP, 72.x.x.128/25, 173..x.x.0/24, 172.16.0.0/12

# TCP/UDP listening $ModLoad imudp $UDPServerRun 514 $ModLoad imtcp $InputTCPServerRun 514

# Use traditional timestamp format $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Provides kernel logging support (previously done by rklogd) $ModLoad imklog # Provides support for local system logging (e.g. via logger command) $ModLoad imuxsock

# Turn Off "Last message repeated..." $RepeatedMsgReduction off

# Log all kernel messages to the console. # Logging much else clutters up the screen.

#kern.* /dev/console

# Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.debug;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access. authpriv.* /var/log/secure

# Log all the mail messages in one place. mail.* -/var/log/maillog

# Log cron stuff cron.* /var/log/cron

# Everybody gets emergency messages *.emerg *

# Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log

# MySQL. $ModLoad ommysql *.* :ommysql:127.0.0.1,Syslog,mysqluser,mysqluserpassword

# Custom destinations $template DynFile,"/var/log/rHOSTS/%fromhost-ip%/debug-%$year%-%$month%-%$day% *.* ?DynFile

Comments:

  • the rHOSTS in the file definition is to separate these from the syslog-ng records, which are still present.
  • The $RepeatedMsgReduction doesn't seem to affect output. This is a problem because the "last message repeated" isn't fully formed as to which server sent you the message and it shows up weird in the web interface.
I suspect that loganalyzer will melt under the load I currently aim at the syslog server (averaging around half a million lines per day) but time will tell.
no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful:


snipsnap.org | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt