Rsyslog (rocket-fast system for log processing) is a mechanism for forwarding system and application logs to a receiver using the syslog protocol.
In our scenario, we have used Rsyslog to forward system logs (kernel, DHCP, etc.) and web server and application logs (e.g. Apache access and error logs, and other application logs) to a remote receiver.
Normally, the system logs are written to /var/log/messages, while the HTTP logs are written to /var/log/httpd/error_log and /var/log/httpd/access_log.
Configuring the rsyslog.conf File
The following changes need to be made to the /etc/rsyslog.conf file:
# Add $ModLoad imfile; it loads the module that reads log files for forwarding
$ModLoad imfile
Provide the path to the HTTP error log and access log, and give each log a tag that uniquely identifies it. Each monitored file also needs its own state file (rsyslog records its current read position there), so the state file name must differ between inputs.
A] Example – HTTP error logs
$InputFileName /var/log/httpd/error_log
$InputFileTag httpd_error:
$InputFileStateFile app_log1
$InputFileFacility local7
$InputRunFileMonitor
B] Example – HTTP access logs
$InputFileName /var/log/httpd/access_log
$InputFileTag httpd_access:
$InputFileStateFile app_log2
$InputFileFacility local7
$InputRunFileMonitor
C] Example – application logs (replace the path and tag with your own)
$InputFileName /path/to/application/logs
$InputFileTag application:
$InputFileStateFile app_log3
$InputFileSeverity error
$InputFileFacility local7
$InputRunFileMonitor
Edit the line below to add local7.none. We are using local7 to forward our HTTP logs, and adding local7.none stops the local7 HTTP messages from also being written to the local file /var/log/messages:
*.info;mail.none;local7.none;authpriv.none;cron.none /var/log/messages
If the messages are getting logged to the boot.log file, disable logging to boot.log by commenting out the line:
# local7.* /var/log/boot.log
At the end, add the line below to forward the local7 logs to the receiver, replacing Receiver_IP with the IP address of the receiver:
local7.* @Receiver_IP:514
Also add the line below so that the system syslog messages are sent to the receiver, again providing the IP address of the receiver:
*.info;mail.none;authpriv.*;cron.none @Receiver_IP:514
After making changes to the /etc/rsyslog.conf file, restart the syslog/rsyslog service:
A] On Solaris 8 and 9, and on Linux systems
/sbin/service syslog restart
B] On Solaris 10
svcadm restart system/system-log:default
C] On AIX
refresh -s syslogd
D] On HP-UX
kill -HUP `cat /etc/syslog.pid`
Add the line below at the top of the rsyslog.conf file to send the rsyslog data from the eth1 interface; eth1 can be replaced with the required interface:
$LocalHostIPIF eth1
The resulting /etc/rsyslog.conf file:
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####
$ModLoad imfile
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
$ModLoad immark   # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####
$InputFileName /home/cloud-user/error_log
$InputFileTag httpd_error:
$InputFileStateFile app_log1
$InputFileSeverity error
$InputFileFacility local7
$InputRunFileMonitor

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;local7.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
#mail.* -/var/log/maillog

# Log cron stuff
#cron.* /var/log/cron

# Everybody gets emergency messages
#*.emerg *

# Save news errors of level crit and higher in a special file.
#uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
#local7.* /var/log/boot.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

local7.* @@Receiver_IP:514
*.info;mail.none;authpriv.none;cron.none @Receiver_IP:514
authpriv.* @@Receiver_IP1:514
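The imfile inputs and the forwarding rules above are edited by hand in several places, and a few mistakes are easy to make and hard to spot from the log output alone: every imfile input needs its own $InputFileStateFile, a forwarding action written with a single @ uses UDP while @@ uses TCP (the file's own forwarding block notes that TCP is the reliable choice), stray whitespace inside a selector list splits the rule at the wrong place, and the /var/log/messages rule should carry local7.none once local7 is being forwarded. The Python script below is an added example, not part of the original post and not an rsyslog tool; it parses only the legacy $-directive and selector syntax used on this page and reports those four problems. The configuration it checks is a constructed sample that reproduces this page's imfile inputs and forwarding rules (Receiver_IP is the page's own placeholder), with the state file name deliberately shared between the two inputs so that the check fires.

```python
"""Lint a legacy-format rsyslog.conf for the pitfalls in this walkthrough.

Added example, not part of the original post. It understands only the
legacy "$Directive value" and "selector action" syntax used on the page.
SAMPLE_CONF is a constructed sample mirroring the page's configuration.
"""
import re
from collections import Counter

SAMPLE_CONF = """\
$ModLoad imfile
$InputFileName /var/log/httpd/error_log
$InputFileTag httpd_error:
$InputFileStateFile app_log1
$InputFileFacility local7
$InputRunFileMonitor
$InputFileName /var/log/httpd/access_log
$InputFileTag httpd_access:
$InputFileStateFile app_log1
$InputFileFacility local7
$InputRunFileMonitor
*.info;mail.none;local7.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
local7.* @@Receiver_IP:514
*.info;mail.none;authpriv.none;cron.none @Receiver_IP:514
authpriv.* @@Receiver_IP1:514
"""

# A forwarding action: "@" is UDP, "@@" is TCP; the port defaults to 514.
FORWARD_RE = re.compile(r"^(@@?)([^:\s]+)(?::(\d+))?$")


def parse_imfile_inputs(conf):
    """Collect the $InputFile* directives preceding each $InputRunFileMonitor."""
    inputs, current = [], {}
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("$InputRunFileMonitor"):
            inputs.append(current)
            current = {}
        elif line.startswith("$InputFile"):
            key, _, value = line.partition(" ")
            current[key[len("$InputFile"):]] = value.strip()
    return inputs


def parse_rules(conf):
    """Return (selector, action) pairs, skipping comments, blanks and $directives."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "$")):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            rules.append((parts[0], parts[1].strip()))
    return rules


def forwarding_targets(conf):
    """Return (selector, transport, host, port) for every remote action."""
    targets = []
    for selector, action in parse_rules(conf):
        m = FORWARD_RE.match(action)
        if m:
            transport = "tcp" if m.group(1) == "@@" else "udp"
            port = int(m.group(3)) if m.group(3) else 514
            targets.append((selector, transport, m.group(2), port))
    return targets


def lint(conf, forward_facility="local7", local_file="/var/log/messages"):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []

    # rsyslog stores each input's read offset in its state file, so two inputs
    # sharing one state file overwrite each other's position.
    inputs = parse_imfile_inputs(conf)
    for state, n in Counter(i.get("StateFile") for i in inputs).items():
        if n > 1:
            findings.append(f"state file '{state}' is shared by {n} imfile inputs")
    for tag, n in Counter(i.get("Tag") for i in inputs).items():
        if n > 1:
            findings.append(f"tag '{tag}' is used by {n} imfile inputs")

    for selector, action in parse_rules(conf):
        # Whitespace inside a selector list makes the first word the selector
        # and everything after it the action.
        if selector.endswith(";"):
            findings.append(f"selector '{selector}' has whitespace inside the selector list")
        # The forwarded facility should be excluded from the local catch-all file.
        if action == local_file and f"{forward_facility}.none" not in selector.split(";"):
            findings.append(f"rule writing {local_file} does not exclude {forward_facility}")

    # A single @ forwards over UDP; @@ uses TCP for reliable delivery.
    for selector, transport, host, port in forwarding_targets(conf):
        if transport == "udp":
            findings.append(f"rule '{selector}' forwards to {host}:{port} over UDP; use @@ for TCP")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

Run it against a real file with `lint(open("/etc/rsyslog.conf").read())`; because `parse_rules` splits on the first run of whitespace, a selector that ends in `;` is the signature of a rule that rsyslog will also misread.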