Sending via rsyslog

  • Rsyslog is the syslog daemon that most Linux distributions ship by default.
  • It is configured through a main file (usually /etc/rsyslog.conf) plus a directory (usually /etc/rsyslog.d/) whose files hold the filters, templates and forwarding rules, so that each log source can be kept in its own file.

This article describes how to manually configure rsyslog to forward the system's internal events to an external relay.

For the primary Linux distributions, this configuration can be done automatically.

Known issues

  • SSL/TLS not working in Ubuntu 12 
  • Rsyslog outdated version in Debian 5.x (Lenny) 
  • Upgrade from syslog-ng to rsyslog in CentOS 5 
  • On Fedora and RHEL systems, logs cannot be sent due to SELinux settings.

Configuration

To forward a system’s internal logs to Devo over TCP, create the following files. The 00-logtrust.conf file contains general setting options.

/etc/rsyslog.d/00-logtrust.conf

$ModLoad imfile
$ModLoad immark

$MarkMessagePeriod 60

$WorkDirectory /var/spool/rsyslog

$RepeatedMsgReduction off

#Disable imuxsock rate limit
$IMUXSockRateLimitInterval 0
$SystemLogRateLimitInterval 0
  • Make sure that the $WorkDirectory path exists and that the user running rsyslog (often syslog) has read and write permissions over it; this is where the disk-assisted queue files are written. To find out which user runs rsyslog, run the following command:

    rsyslog user

    ps -ouser= $(pgrep rsyslogd)
  • If that user is not root, create the directory and hand it to that user with the commands below. In some distributions rsyslogd runs as root by default; in others (Debian and Ubuntu, for example) it drops privileges to the syslog user, so use whatever user and group the command above reported. Mode 770 keeps the queued messages readable only by rsyslog's own user and group.

    /var/spool/rsyslog permissions

    mkdir /var/spool/rsyslog
    chown syslog:syslog /var/spool/rsyslog
    chmod 770 /var/spool/rsyslog

The 49-logtrust.conf file is responsible for forwarding the events to Devo relay:

/etc/rsyslog.d/49-logtrust.conf

$template boxunix,"<%PRI%>%timegenerated% %HOSTNAME% box.unix.%syslogtag%%msg%"

#ActionQueue section
$ActionQueueType                LinkedList
$ActionQueueFileName            ltboxq1
$ActionResumeRetryCount         -1
$ActionQueueSaveOnShutdown      on

*.*    @@LOGTRUST-RELAY:PORT;boxunix
  • This file instructs rsyslog to forward every event it receives (all events that have not been discarded by a previous rule) to the endpoint given as LOGTRUST-RELAY:PORT; replace that placeholder with the relay's host and port. The @@ prefix selects TCP (a single @ would be UDP); neither variant encrypts the stream, so the relay must be reachable over a trusted path.
  • The action queue section is optional. It turns the action into a disk-assisted queue (an in-memory linked list that spills to ltboxq1 files in $WorkDirectory), retries the connection indefinitely ($ActionResumeRetryCount -1) and saves any pending messages on shutdown, so events are not lost while the relay is unreachable.
  • If there are other configuration files, process them first and leave this file as one of the last. rsyslog reads /etc/rsyslog.d/*.conf in alphabetical order, and because this file uses the *.* wildcard, any file that forwards or discards its own events must come before it; otherwise those events would be sent twice.

    # ls -l /etc/rsyslog.d/
    
    -rw-r--r-- 1 root root  241 Oct 24 13:04 00-logtrust.conf
    -rw-r--r-- 1 root root  642 Oct 24 13:02 40-iptables.conf
    -rw-r--r-- 1 root root 1495 Oct 24 13:02 45-apache.conf
    -rw-r--r-- 1 root root  899 Oct 24 13:02 45-mongodb.conf
    -rw-r--r-- 1 root root  916 Oct 24 13:02 45-myapplogfile.conf
    -rw-r--r-- 1 root root  901 Oct 24 13:02 45-tomcat.conf
    -rw-r--r-- 1 root root  597 Oct 24 13:02 46-lt-monitor.conf
    -rw-r--r-- 1 root root  664 Oct 24 13:02 49-logtrust.conf
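The following script is an added example, not code from the page or from Devo's own tooling. It bundles the two checks described above, the $WorkDirectory ownership and permissions and 49-logtrust.conf sorting last in /etc/rsyslog.d, and additionally verifies that the LOGTRUST-RELAY:PORT placeholder was replaced. The function names, the --run flag and the CONFDIR override are this example's own conventions; it assumes a Linux host with GNU coreutils (stat -c), procps (ps, pgrep) and a POSIX sh.

```shell
#!/bin/sh
# Pre-flight checks for the rsyslog forwarding set-up above. Added example:
# not the page's or Devo's own code. Assumes Linux with GNU coreutils (stat -c),
# procps (ps, pgrep) and a POSIX sh. Function names and the --run/CONFDIR
# conventions are this example's own.

# Print the user rsyslogd runs as; "root" when no daemon is running.
rsyslog_user() {
  pid=$(pgrep -x rsyslogd 2>/dev/null | head -n 1)
  if [ -n "$pid" ]; then
    ps -o user= -p "$pid" | tr -d ' '
  else
    echo root
  fi
}

# ensure_workdir DIR USER: create $WorkDirectory if missing, make USER (and
# USER's primary group) its owner and set mode 770 so queued messages stay
# unreadable to other local users. Returns 0 when DIR ends up as expected.
ensure_workdir() {
  dir=$1
  user=$2
  [ -d "$dir" ] || mkdir -p "$dir" || return 1
  if [ "$(stat -c %U "$dir")" != "$user" ]; then
    # Only needed when rsyslogd drops privileges; a no-op where it runs as root.
    chown "$user:$(id -gn "$user")" "$dir" || return 1
  fi
  chmod 770 "$dir" || return 1
  [ "$(stat -c %U "$dir")" = "$user" ] && [ "$(stat -c %a "$dir")" = 770 ]
}

# check_forward_last CONFDIR FILE: rsyslog includes CONFDIR/*.conf in lexical
# order, so the file holding the catch-all "*.*" forward must sort last or
# events handled by later files would be forwarded twice. Returns 0 if it does.
check_forward_last() {
  last=$(ls "$1"/*.conf 2>/dev/null | LC_ALL=C sort | tail -n 1)
  [ -n "$last" ] && [ "$(basename "$last")" = "$2" ]
}

# forwarder_target FILE: print HOST:PORT from the "*.*  @@HOST:PORT;template"
# rule; prints nothing when FILE has no such rule.
forwarder_target() {
  sed -n 's/^\*\.\*[[:space:]]*@@\([^;[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Run every check against the live system; returns non-zero on any failure.
preflight() {
  confdir=${CONFDIR:-/etc/rsyslog.d}
  rc=0
  user=$(rsyslog_user)
  ensure_workdir /var/spool/rsyslog "$user" ||
    { echo "FAIL: /var/spool/rsyslog is not owned by $user with mode 770"; rc=1; }
  check_forward_last "$confdir" 49-logtrust.conf ||
    { echo "FAIL: 49-logtrust.conf is not the last .conf file in $confdir"; rc=1; }
  target=$(forwarder_target "$confdir/49-logtrust.conf")
  case "$target" in
    ""|LOGTRUST-RELAY:PORT)
      echo "FAIL: relay host:port is still unset in 49-logtrust.conf"; rc=1 ;;
    *) echo "OK: forwarding *.* over plain TCP to $target" ;;
  esac
  return $rc
}

# Invoke as: sh preflight.sh --run   (as root, before restarting rsyslog)
if [ "${1:-}" = "--run" ]; then
  preflight
fi
```

Run it as root before the restart; a non-zero exit means one of the three conditions is not met and the message printed says which one. Because the TCP forward is unencrypted, the target printed by the last check is also a good moment to confirm the relay address is the intended one on a trusted network.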

Now, restart rsyslog to activate the new configuration (use the equivalent service command on distributions that no longer ship init.d scripts):

/etc/init.d/rsyslog restart

Use the logger command to send test messages. 

$ logger "Hello from an unsecure log source1"
$ logger "Hello from an unsecure log source2"
$ logger "Hello from an unsecure log source3"
$ logger "Hello from an unsecure log source4"
$ logger "Hello from an unsecure log source5"

In the Devo web application, go to Data Search, locate the box.unix table and make sure that the logger messages appear in the table.
