Sending via rsyslog
- Rsyslog is the default syslog package that is commonly used by Linux distributions.
- It usually consists of a main configuration file (usually /etc/rsyslog.conf) and a directory (usually /etc/rsyslog.d/) that holds additional files with the filters and templates that make up the rsyslog rules, so that they can be kept structured and separated by file.
This article describes how to manually configure rsyslog to forward the system's internal events to an external relay.
For the primary Linux distributions, this configuration can be done automatically.
- SSL/TLS not working in Ubuntu 12
- Rsyslog outdated version in Debian 5.x (Lenny)
- Upgrade from syslog-ng to rsyslog in CentOS 5
- On Fedora and RHEL systems, logs cannot be sent due to SELinux settings.
To forward a system’s internal logs to Devo over TCP, create the following files. The 00-logtrust.conf file contains general setting options.
$ModLoad imfile
$ModLoad immark
$MarkMessagePeriod 60
$WorkDirectory /var/spool/rsyslog
$RepeatedMsgReduction off
#Disable imuxsock rate limit
$IMUXSockRateLimitInterval 0
$SystemLogRateLimitInterval 0
Make sure that the $WorkDirectory path exists and that the user running rsyslog (often syslog) has permissions over it. To find out which user runs rsyslog, run the following command:
ps -o user= -p $(pgrep rsyslogd)
If the user is not root, run the commands below (substituting the user returned by the command above if it is not syslog). Note that in some distributions rsyslog runs as root by default, while in others it drops privileges to the syslog user.
mkdir /var/spool/rsyslog
chown syslog:syslog /var/spool/rsyslog
chmod 770 /var/spool/rsyslog
The 49-logtrust.conf file is responsible for forwarding the events to Devo relay:
$template boxunix,"<%PRI%>%timegenerated% %HOSTNAME% box.unix.%syslogtag%%msg%"
#ActionQueue section
$ActionQueueType LinkedList
$ActionQueueFileName ltboxq1
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
*.* @@LOGTRUST-RELAY:PORT;boxunix
- This file instructs rsyslog to forward all events received from syslog to the endpoint specified in LOGTRUST-RELAY:PORT (all events that have not been removed by a previous rule).
- The Action Queue section is optional and is used to prevent the loss of events when there has been a connectivity problem with the relay.
If there are other configuration files, they should be processed first and this file should be left as one of the last ones. Because this file uses the *.* wildcard selector, processing it after any other configuration file prevents events from being forwarded twice (for example, events that a previous file already forwards or discards).
# ls -l /etc/rsyslog.d/
-rw-r--r-- 1 root root 241 Oct 24 13:04 00-logtrust.conf
-rw-r--r-- 1 root root 642 Oct 24 13:02 40-iptables.conf
-rw-r--r-- 1 root root 1495 Oct 24 13:02 45-apache.conf
-rw-r--r-- 1 root root 899 Oct 24 13:02 45-mongodb.conf
-rw-r--r-- 1 root root 916 Oct 24 13:02 45-myapplogfile.conf
-rw-r--r-- 1 root root 901 Oct 24 13:02 45-tomcat.conf
-rw-r--r-- 1 root root 597 Oct 24 13:02 46-lt-monitor.conf
-rw-r--r-- 1 root root 664 Oct 24 13:02 49-logtrust.conf
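As an added example, not taken from Devo's documentation or from rsyslog itself, the following POSIX shell script checks the two points made above: that the $WorkDirectory exists with the expected owner and owner-write permission, and that every file containing a *.* catch-all rule sorts after the other files in the rsyslog.d directory (rsyslog includes *.conf files in lexical order). The directory layout it builds is a constructed sample that reuses file names from the listing above, and the check_workdir, check_catchall_order and make_fixture names are this example's own.

```shell
#!/bin/sh
# Added example (not Devo's or rsyslog's own tooling): sanity checks for the
# forwarding setup described on this page.
#
#   check_workdir DIR USER      returns 0 if DIR exists, is owned by USER
#                               (name or numeric uid) and is writable by owner
#   check_catchall_order DIR    returns 0 if no file without a "*.*" rule sorts
#                               after a file that has one

check_workdir() {
    dir=$1
    user=$2
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir does not exist; create it before starting rsyslog"
        return 1
    fi
    # Accept a user name or a numeric uid and compare numerically (ls -n), so
    # the check also works where the uid has no entry in /etc/passwd.
    case $user in
        *[!0-9]*) want=$(id -u "$user") || { echo "USER: $user not found"; return 1; } ;;
        *)        want=$user ;;
    esac
    entry=$(ls -ldn "$dir")
    owner=$(echo "$entry" | awk '{print $3}')
    mode=$(echo "$entry" | cut -c1-10)
    if [ "$owner" != "$want" ]; then
        echo "OWNER: $dir is owned by uid $owner, expected uid $want"
        return 1
    fi
    case $mode in
        d?w*) ;;
        *) echo "PERMS: $dir ($mode) is not writable by its owner"; return 1 ;;
    esac
    echo "OK: $dir exists and is writable by uid $want"
    return 0
}

check_catchall_order() {
    confdir=$1
    last_catchall=""
    status=0
    # The shell expands the glob in collation order, which is also the order
    # rsyslog uses when it includes confdir/*.conf.
    for f in "$confdir"/*.conf; do
        [ -e "$f" ] || continue
        if grep -q '^[[:space:]]*\*\.\*' "$f"; then
            last_catchall=$f
        elif [ -n "$last_catchall" ]; then
            # A filter or discard rule here runs after everything was forwarded.
            echo "ORDER: $f is processed after catch-all file $last_catchall"
            status=1
        fi
    done
    if [ "$status" -eq 0 ]; then
        echo "OK: every *.* rule in $confdir is processed last"
    fi
    return "$status"
}

# Constructed sample rsyslog.d directory (file names from the listing above,
# contents made up for this example). Prints the directory path.
make_fixture() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '$ModLoad imfile' '$WorkDirectory /var/spool/rsyslog' > "$d/00-logtrust.conf"
    printf '%s\n' ':programname, isequal, "apache2" @@LOGTRUST-RELAY:PORT;boxunix' '& ~' > "$d/45-apache.conf"
    printf '%s\n' '*.* @@LOGTRUST-RELAY:PORT;boxunix' > "$d/49-logtrust.conf"
    echo "$d"
}

# Stand-alone demo: the sample layout passes, a filter file that sorts after
# 49-logtrust.conf is reported, and a freshly created work directory passes.
demo() {
    fx=$(make_fixture) || return 1
    check_catchall_order "$fx"
    printf '%s\n' ':programname, isequal, "cron" @@LOGTRUST-RELAY:PORT;boxunix' '& ~' > "$fx/60-cron.conf"
    check_catchall_order "$fx" || true
    mkdir "$fx/spool" && chmod 770 "$fx/spool"
    check_workdir "$fx/spool" "$(id -u)"
    rm -rf "$fx"
}
demo
```

On a real host, run check_workdir /var/spool/rsyslog syslog (with the user found earlier) and check_catchall_order /etc/rsyslog.d before restarting the daemon; rsyslogd's own configuration check, rsyslogd -N1, complements this by parsing the files without starting the service.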
Now, restart rsyslog to activate the new configuration (for example, with systemctl restart rsyslog on systemd-based systems, or service rsyslog restart on older init systems).
Use the logger command to send test messages.
$ logger "Hello from an unsecure log source1"
$ logger "Hello from an unsecure log source2"
$ logger "Hello from an unsecure log source3"
$ logger "Hello from an unsecure log source4"
$ logger "Hello from an unsecure log source5"
In the Devo web application, go to Data Search, locate the box.unix table and make sure that the logger messages appear in the table.