Configure a syslog server with rsyslog on Ubuntu

A syslog server is a central log collection point on a network, to which all kinds of devices, including Linux or Windows servers, routers, switches and any other hosts, can send their logs over the network. By setting up a syslog server you can filter and consolidate logs from different hosts and devices into a single location, so that you can view and archive important log messages more easily, and so that an attacker who compromises one host cannot quietly erase that host's own record of what happened.

In this tutorial, we cover how to configure a centralized syslog server using rsyslog on Linux. Before we go into the details, it is instructive to go over the syslog standard first.

Basics of the Syslog Standard

When logs are collected with the syslog mechanism, three things must be taken into consideration:

  • Facility: which subsystem or kind of process generated the message
  • Severity (priority): how important the message is, and therefore which messages to collect
  • Destination: where to send or record log messages

The facilities categorize the source of a message. Some of the standard facilities used on Linux are:

  • auth: messages related to authentication (login)
  • authpriv: authentication and authorization messages that should not be world-readable
  • cron: messages related to scheduled processes or applications
  • daemon: messages related to daemons (internal servers)
  • kern: messages related to the kernel
  • mail: messages related to internal mail servers
  • syslog: messages related to the syslog daemon itself
  • lpr: messages related to print servers
  • local0 - local7: messages defined by the user (local7 is, for example, the default facility on Cisco devices)

Note that the facility is chosen by the sender and is only a label: nothing prevents a process (or a remote host) from claiming any facility it likes.

The severity (priority) levels are standardized, each with a keyword and an assigned number. Lower numbers are more severe: 0 (emerg) is the most urgent and 7 (debug) the least. These levels are:

  • emerg: Emergency - 0
  • alert: Alert - 1
  • crit: Critical - 2
  • err: Error - 3
  • warning: Warning - 4 (the older spelling warn is also accepted)
  • notice: Notice - 5
  • info: Informational - 6
  • debug: Debug - 7

Finally, the destination tells a syslog daemon to do one of three things with a matching message: (1) save it in a local file, (2) forward it to a remote syslog server over TCP/UDP, or (3) write it to a console or terminal.

In rsyslog, a classic (sysklogd-style) configuration rule follows this schema:

[facility].[severity]  [destination]

A selector such as mail.err matches the named severity and everything more severe (err, crit, alert and emerg). The asterisk matches all facilities or all severities, the keyword none excludes a facility, and several selectors can be combined for one destination by separating them with a semicolon, with later selectors overriding earlier ones (so *.info;mail.none means "everything at info or above, except mail").
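To make the selector semantics concrete, here is an added example (it is not part of the original tutorial and not rsyslog code) that decodes the numeric PRI header every syslog message carries (PRI = facility * 8 + severity) and evaluates classic selectors the way sysklogd and rsyslog do: a plain severity selects that level and everything more severe, "=prio" selects one level, "none" clears a facility, and a leading "!" removes levels instead of adding them. The "=" and "!" modifiers go slightly beyond what the page shows. The sample lines and rule list are constructed for the example.

```python
"""Decode syslog PRI values and evaluate sysklogd-style selectors (added example)."""
import re

# Facility and severity codes from RFC 5424 (kern=0 ... local7=23, emerg=0 ... debug=7).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{n}": 16 + n for n in range(8)},
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
SEVERITY_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}  # older spellings

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(raw):
    """Split the <PRI> header off a raw syslog line and decode it.

    PRI = facility * 8 + severity, so a *lower* number is *more* severe.
    Returns (facility_code, severity_code, rest_of_line)."""
    m = PRI_RE.match(raw)
    if m is None:
        raise ValueError("no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return facility, severity, m.group(2)


def _severity_code(name):
    name = SEVERITY_ALIASES.get(name, name)
    if name not in SEVERITIES:
        raise ValueError(f"unknown priority {name!r}")
    return SEVERITIES[name]


def selector_matches(selector, facility, severity):
    """Evaluate a selector such as '*.info;mail.none;authpriv.none;cron.none'.

    Each ';'-separated part names facilities ('*' or a comma list) and a
    priority. Parts are applied left to right against the set of severities
    currently selected for `facility`: a plain priority adds that level and
    everything more severe, '=prio' adds only that level, 'none' empties the
    set, and a leading '!' removes instead of adds (matching sysklogd's cfline)."""
    allowed = set()
    for part in selector.split(";"):
        part = part.strip()
        if not part:
            continue
        facs, _, prio = part.rpartition(".")
        if not facs:
            raise ValueError(f"malformed selector part {part!r}")
        names = [f.strip() for f in facs.split(",")]
        if "*" not in names and facility not in {FACILITIES[n] for n in names}:
            continue  # this part does not talk about our facility
        negate = prio.startswith("!")
        if negate:
            prio = prio[1:]
        if prio == "none":
            allowed = set(SEVERITIES.values()) if negate else set()
            continue
        if prio == "*":
            levels = set(SEVERITIES.values())
        elif prio.startswith("="):
            levels = {_severity_code(prio[1:])}
        else:
            levels = set(range(_severity_code(prio) + 1))
        allowed = allowed - levels if negate else allowed | levels
    return severity in allowed


def route(raw, rules):
    """Return the destinations whose selector matches the raw line.

    `rules` is a list of (selector, destination) tuples, like rsyslog.conf lines."""
    facility, severity, _ = parse_pri(raw)
    return [dest for sel, dest in rules if selector_matches(sel, facility, severity)]


# Constructed sample messages (BSD/RFC 3164 style) with their PRI headers.
SAMPLE = [
    "<86>Oct 12 04:40:44 web01 sshd[1042]: Accepted publickey for deploy from 10.0.0.5",  # authpriv.info
    "<13>Oct 12 04:40:45 web01 logger: deploy finished",                                # user.notice
    "<2>Oct 12 04:40:46 web01 kernel: Out of memory: Killed process 2210 (java)",        # kern.crit
    "<15>Oct 12 04:40:47 web01 myapp: debug trace",                                     # user.debug
]
# Constructed rule table in the page's "[facility].[severity]  [destination]" form.
RULES = [
    ("authpriv.*", "/var/log/auth.log"),
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("kern.*;kern.!err", "/var/log/kern-minor.log"),  # kernel messages less severe than err
    ("*.emerg", "console"),
]

if __name__ == "__main__":
    for raw in SAMPLE:
        fac, sev, body = parse_pri(raw)
        print(f"facility={fac:<2} severity={sev} -> {route(raw, RULES)}  {body[:40]}")
```

Running the script shows the authpriv line landing only in auth.log (the "authpriv.none" part removes it from messages), the kernel OOM line going to messages but not to the "kern.!err" file, and the debug line being dropped by every rule.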

Configure Rsyslog on Ubuntu

Step One: Initial System Requirements

To set up a Linux host as a central log server, put /var (or at least /var/log) on its own partition or LVM logical volume with enough space, so that steadily growing log data can never fill the root filesystem and take the host down with it. Plan log rotation (logrotate) for the collected files as well; a separate partition only buys time if nothing ever prunes it.

Step Two: Enable Rsyslog Daemon

The rsyslog daemon comes pre-installed and running on Ubuntu, but by default it only accepts messages from local processes. To enable it to receive messages from other hosts, edit its configuration file /etc/rsyslog.conf.

Once the file is open for editing, search for the two lines below and uncomment them by removing the # sign from the beginning of each line.

$ModLoad imudp

$UDPServerRun 514

This enables rsyslog to receive log messages on UDP port 514 (rsyslog binds the privileged port before dropping to the syslog user, so no further privilege is needed). UDP is cheaper than TCP, but it provides no delivery guarantee: messages sent while the server is down or the network is congested are silently lost, and the source address of a UDP datagram is trivially forged. If you need reliable delivery, enable TCP by uncommenting the following lines.

$ModLoad imtcp

$InputTCPServerRun 514

Both listeners can be enabled at the same time. These legacy directives still work, but rsyslog 7 and later (Ubuntu 16.04 onwards) ship the same settings in the newer module()/input() syntax in the commented-out section of the file; either form is acceptable. Keep in mind that plain UDP or TCP syslog is unencrypted and unauthenticated: restrict port 514 to the addresses of your own hosts with a firewall rule, and for traffic that crosses an untrusted network use TCP with TLS (rsyslog's imtcp module supports the gtls and ossl stream drivers) instead.

Step Three: Create a Template for Log Receipt

In the next step we need to create a template for remote messages, and tell rsyslog daemon how to record messages received from other client machines.

Open /etc/rsyslog.conf with a text editor, and add the following template and rules before the GLOBAL DIRECTIVES block:

$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"

*.*  ?RemoteLogs

& ~

This needs a little explanation. The $template RemoteLogs directive (the name "RemoteLogs" can be changed to any other descriptive name) defines a dynamic file name under /var/log/ built from the hostname of the sending machine and the name of the program that generated the message. The second line ("*.* ?RemoteLogs") applies the template to every message of every facility and severity.

The "& ~" line is a discard action: the ampersand means "another action for the previous selector", and the tilde tells rsyslog to stop processing the message there, so it never reaches the default rules further down the file. Without it, every remote message would also be written to the server's local log files (/var/log/syslog and friends), i.e. recorded twice. In rsyslog 7 and later the same thing is spelled "& stop"; "& ~" still works but is deprecated. Note a side effect of placing these rules before the default ones: the server's own messages also match "*.*", so they end up only in files named after the server's own hostname rather than in /var/log/syslog. The cleanest way around this is to bind the network inputs to their own ruleset so that local and remote messages are handled separately (see the example below Step Three).

Two security caveats apply to this template. First, %HOSTNAME% and %PROGRAMNAME% are taken from the message itself and are fully under the sender's control; a forged hostname containing slashes could steer the dynamic file name outside /var/log. rsyslog's property replacer offers the secpath-replace and secpath-drop options (for example %HOSTNAME:::secpath-replace%) to neutralize slashes in these fields, and the example below uses them. Second, a sender can claim any hostname it likes, so when you need to know which machine really sent a message, use %FROMHOST-IP%, which comes from the network connection rather than the message content (though it too can be spoofed over UDP).

If you prefer, you can send only messages of a specific facility or severity to this template using the usual selector schema:

[facility].[severity]    ?RemoteLogs

For example, to send all authentication messages of every priority to the RemoteLogs template:

authpriv.*   ?RemoteLogs

To send informational (and more severe) messages from all facilities, except mail, authentication and cron messages, to the RemoteLogs template (note that multiple selectors are separated by semicolons, not commas):

*.info;mail.none;authpriv.none;cron.none    ?RemoteLogs

If instead you want all messages from a remote client written to a single file named after the client's IP address, use the following template, here named "IpTemplate". Because %FROMHOST-IP% is derived from the connection rather than from the message text, the sender cannot choose the file name.

$template IpTemplate,"/var/log/%FROMHOST-IP%.log"

*.*  ?IpTemplate

& ~
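The following drop-in file ties Steps Two and Three together in rsyslog's current (RainerScript) syntax. It is an added example, not configuration from the original tutorial; the file name /etc/rsyslog.d/10-remote.conf, the /var/log/remote directory and the ruleset name are my choices, and it assumes rsyslog 7 or later. Binding both network inputs to a dedicated ruleset keeps remote messages out of the default rules, so no discard action is needed and the server's own logs keep going to /var/log/syslog as before. The secpath-replace option turns any "/" in the sender-supplied hostname or program name into "_", so a forged hostname cannot steer the file path outside /var/log/remote.

```conf
# /etc/rsyslog.d/10-remote.conf  (added example, assumes rsyslog >= 7)

module(load="imudp")
module(load="imtcp")

# One file per sending host and program, like the RemoteLogs template above.
# HOSTNAME and PROGRAMNAME come from the message and are attacker-controlled;
# secpath-replace rewrites "/" to "_" so "../../etc" cannot escape the tree.
template(name="RemoteLogs" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log")

# Remote messages are processed only by this ruleset, never by the default
# rules, so they are written exactly once and local logging is untouched.
ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteLogs"
           dirCreateMode="0750" fileCreateMode="0640")
}

# Bind both listeners to the ruleset. Keep port 514 reachable only from your
# own hosts (firewall), and use TLS (imtcp StreamDriver gtls/ossl) across
# untrusted networks; plain syslog is cleartext and unauthenticated.
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
```

After saving the file, check the configuration with "sudo rsyslogd -N1" (it exits non-zero and prints the offending line on a syntax error), restart the service, and send yourself a test message from the server with "logger -n 127.0.0.1 -P 514 -d -t testapp 'hello'"; it should appear in /var/log/remote/<your-hostname>/testapp.log. If you use ufw, a rule such as "ufw allow from 10.0.0.0/24 to any port 514" (substituting your own management network, which is an assumption here) limits who can feed the collector.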
After enabling the listeners and editing the configuration file, we need to restart the daemon (on systemd-based releases, sudo systemctl restart rsyslog does the same thing):

$ sudo service rsyslog restart

We can verify that rsyslog is listening on the expected ports with the netstat command (on newer releases, where netstat is no longer installed by default, ss -tulpn prints equivalent output).

$ sudo netstat -tulpn | grep rsyslog
The output may look like the following:

tcp         0      0      0.0.0.0:514             0.0.0.0:*            LISTEN      3267/rsyslogd  
tcp6       0      0      :::514                      :::*                    LISTEN      3267/rsyslogd  
udp        0      0      0.0.0.0:514             0.0.0.0:*                             3267/rsyslogd  
udp6      0      0      :::514                      :::*                                     3267/rsyslogd

Step Four: Check Log Files

Once a remote host has sent something, its messages appear under /var/log in the layout defined by the template: with the RemoteLogs template, a directory per sending hostname containing one file per program; with the IpTemplate, one file per client IP address. If nothing shows up, confirm the client is actually sending to port 514 (tcpdump on the server is the quickest check), that no firewall is dropping the traffic, and that the template rules sit above the default rules in /etc/rsyslog.conf.

Posted: 2024-10-12 04:40:44
