Linux/Rsyslog >v8.0
Links Json , https://www.rsyslog.com/doc/v8-stable/configuration/index.html , http://www.liblognorm.com/files/manual/lognormalizer.html
- As of 2021 there are two logging systems on Linux: journald (part of systemd, queried with journalctl) and rsyslog.
- Rsyslog is normally used when log messages have to be modified, sent to other systems, or received from other systems.
Description of Rsyslog
- Rsyslog is an open-source high-performance logging utility.
- Multithreaded log processing
- Syslog over TCP, optionally with TLS (netstream drivers gtls/openssl)
- Reliable Event Logging Protocol (RELP)
- Flexible and configurable output formats
- Filtering on all aspects of log messages
Getting latest version
$ cd /etc/yum.repos.d/
$ wget http://rpms.adiscon.com/v8-stable/rsyslog.repo        # CentOS 7
$ wget http://rpms.adiscon.com/v8-stable/rsyslog-rhel7.repo  # RHEL 7
$ yum install rsyslog
The .repo file is fetched over plain HTTP: check that it has gpgcheck=1 and a gpgkey entry before running the install, so packages are verified against the vendor key.
/etc/rsyslog.conf (main config file; rsyslogd is the daemon, drop-in files go in /etc/rsyslog.d/)
rsyslog fwd messages fail-over between servers Linux/Rsyslog/FailOver
rsyslog fwd rate limiting Linux/Rsyslog/RateLimiting
conf: get local log messages logged to /dev/log
# load imuxsock to receive messages from local programs via /dev/log,
# the default socket for programs using the syslog(3) API
# (replaces the obsolete legacy directive "$ModLoad imuxsock").
# On systemd hosts journald listens on /dev/log itself and hands messages to rsyslog
# only when ForwardToSyslog=yes; the alternative is imjournal, which reads the journal directly.
module(load="imuxsock")
conf: listen for incoming udp log messages
module(load="imudp")
# plain UDP syslog is unauthenticated and lossy: bind the listener to an internal
# address (address="...") instead of all interfaces and firewall the port
input(type="imudp" port="514")
conf: listen for tcp log, legacy and advanced
# legacy:
# $ModLoad imtcp
# $InputTCPMaxSessions 500
# This is converted to:
module(load="imtcp" maxSessions="500")
# the module alone does not listen; an input is needed (plain TCP, no encryption)
input(type="imtcp" port="514")
conf: include individual rsyslog config files
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# advanced format equivalent (rsyslog >= 8.33):
include(file="/etc/rsyslog.d/*.conf")
conf: selector and action [basic format]
*.=debug    /var/log/debug
# the selector is *.=debug: facility.priority
# facility = where the message comes from (kern, auth, authpriv, mail, daemon, ...)
# priority = how important it is (debug < info < notice < warning < err < crit < alert < emerg)
# "=" matches exactly that priority; without "=" a selector matches that priority and everything above it
# Here every message logged at debug priority, from any facility, goes to /var/log/debug
# Format [1] basic  [2] basic + advanced  [3] advanced
# [1] mail.info /var/log/maillog
# [2] mail.info action(type="omfile" file="/var/log/maillog")
# [3] if prifilt("mail.info") then { action(type="omfile" file="/var/log/maillog") }
conf-test: *.=debug with
$ logger -p daemon.debug "This is a test."
conf: Conditional Selectors, only udp input [advanced format]
if $inputname == "imudp" then {
    action(type="omfile" file="/var/log/udp.log")
}
# keywords are lower-case ("if", "then", "action"); $inputname is the name of the
# input module that received the message, so this matches every message that came in via imudp
conf-test:
$ logger -p daemon.debug -n 127.0.0.1 -P 514 -d "Sending this over UDP!"
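The inputs, selectors and the $inputname condition above combined into one listener configuration in the advanced format. This is an added example, not configuration from the original page or from the rsyslog project. Instead of testing $inputname it binds the network inputs to their own ruleset, so remote messages can never reach the local rules, and it requires TLS with certificate-name authentication on the TCP listener. The bind address 10.0.0.5, the peer pattern *.example.internal, the certificate paths under /etc/rsyslog.d/tls and the log paths are assumptions; the TLS parameters need rsyslog built with the gtls driver (rsyslog-gnutls package).

```rsyslog
# Added example: local + remote inputs in advanced (RainerScript) format.
# Assumed: the bind address 10.0.0.5, the peer pattern *.example.internal,
# the certificate files under /etc/rsyslog.d/tls and the log paths.

# TLS material for the gtls netstream driver (package rsyslog-gnutls)
global(
    workDirectory="/var/lib/rsyslog"
    defaultNetstreamDriver="gtls"
    defaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
    defaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/server-cert.pem"
    defaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/server-key.pem"
)

# local programs via /dev/log
module(load="imuxsock")

# one file per sending host; secpath-replace rewrites "../" and "/" in the
# peer-supplied HOSTNAME so a hostile sender cannot steer the file path
template(name="RemoteFile" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log")

# everything that arrives over the network lands here and nowhere else;
# a ruleset bound to an input is independent of the default (local) rules
ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteFile"
           dirCreateMode="0750" fileCreateMode="0640")
}

# plain UDP: unauthenticated and lossy; bind to one internal address, not 0.0.0.0
module(load="imudp")
input(type="imudp" port="514" address="10.0.0.5" ruleset="remote")

# TCP with TLS on the syslog-TLS port (6514, RFC 5425); mode 1 = TLS required,
# x509/name = the peer must present a cert whose name matches permittedPeer
module(load="imtcp"
       maxSessions="500"
       streamDriver.name="gtls"
       streamDriver.mode="1"
       streamDriver.authMode="x509/name"
       permittedPeer=["*.example.internal"])
input(type="imtcp" port="6514" ruleset="remote")

# local rules (default ruleset), facility.priority selectors via prifilt()
if prifilt("authpriv.*") then {
    action(type="omfile" file="/var/log/secure" fileCreateMode="0600")
    stop
}
if prifilt("*.=debug") then {
    action(type="omfile" file="/var/log/debug")
}
if prifilt("mail.info") then {
    action(type="omfile" file="/var/log/maillog")
}
```

Validate with `rsyslogd -N1` before restarting; a wrong parameter name or a missing certificate file shows up there rather than as a silently dead listener. The UDP input is kept only for devices that cannot do TLS; anything that can should go through the imtcp listener, since a UDP source address is trivially spoofed.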
- conf: convert config to advanced format e.g.
In the legacy format "& ~" discards the message, so processing stops there; in the advanced format this is "stop" (legacy "& stop" means the same).
old/legacy format to file and host
:msg, contains, "error" /var/log/errorlog
& @@remote
& ~
# "&" repeats the previous filter for another action; "@@" forwards over TCP (a single "@" would be UDP)
advanced format
if $msg contains "error" then {
    action(type="omfile" file="/var/log/errorlog")
    action(type="omfwd" target="remote" protocol="tcp" port="514")
    stop
}
# protocol="tcp" matches the legacy "@@remote"; neither form encrypts, see the TLS notes below for omfwd
Rsyslog log buffering
Disk-assisted queues (queue.filename="...") spool to the work directory when an action is blocked or the daemon stops; the directory must exist and be writable by the rsyslog user.
Legacy: $WorkDirectory /var/lib/rsyslog
Advanced: global(workDirectory="/var/lib/rsyslog")
Notes setting up Rsyslog with Datadog
- Send logs to TLS endpoint: intake.logs.datadoghq.com:10516
Check TLS connectivity and send a test message (replace <DD-API> with the real API key; openssl s_client forwards stdin to the server, and -showcerts prints the certificate chain it presented, so read the issuer and "Verify return code" before trusting the endpoint from rsyslog):
$ echo "<DD-API> this is a test message for datadog $(date -Is)" | openssl s_client -showcerts -connect intake.logs.datadoghq.com:10516
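The buffering note and the Datadog notes above fit into one forwarding action. The following is an added example, not configuration from the original page, from rsyslog or from Datadog: it sends every message over TLS to intake.logs.datadoghq.com:10516 with the API key prefixed, as in the test command, and puts a disk-assisted queue under the work directory so messages survive an outage or a restart. The RFC 5424 style template, the placeholder DD_API_KEY, the CA bundle path, the permitted-peer pattern and the queue limits are assumptions; confirm the line format against Datadog's current documentation.

```rsyslog
# Added example: TLS forwarding with a disk-assisted queue.
# Assumed: the template layout, the placeholder DD_API_KEY, the CA bundle path,
# the permitted-peer pattern and the queue limits. Needs rsyslog-gnutls (gtls).

global(
    workDirectory="/var/lib/rsyslog"
    defaultNetstreamDriver="gtls"
    defaultNetstreamDriverCAFile="/etc/ssl/certs/ca-certificates.crt"
)

# API key first, then an RFC 5424 line (PRI, version, timestamp, host, app, pid, msgid, SD, msg).
# The key travels in every message, so keep this file out of world-readable
# locations: /etc/rsyslog.d/50-datadog.conf with mode 0640, owned by root.
template(name="DatadogFormat" type="string"
         string="DD_API_KEY <%pri%>1 %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% %structured-data% %msg%\n")

# mode 1 = TLS required; x509/name = verify the server cert chain against the CA
# bundle and require its name to match the permitted-peer pattern (no plain fallback)
action(type="omfwd"
       target="intake.logs.datadoghq.com" port="10516" protocol="tcp"
       template="DatadogFormat"
       StreamDriver="gtls"
       StreamDriverMode="1"
       StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="*.logs.datadoghq.com"
       queue.type="LinkedList"
       queue.filename="fwd_datadog"
       queue.maxDiskSpace="1g"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
```

queue.filename turns the in-memory LinkedList queue into a disk-assisted one: it stays in memory while the endpoint answers and spills to /var/lib/rsyslog/fwd_datadog* when it does not, capped at queue.maxDiskSpace. action.resumeRetryCount="-1" retries forever instead of dropping the action after the default number of attempts, and queue.saveOnShutdown writes whatever is still queued to disk when rsyslogd stops. Without StreamDriverAuthMode="x509/name" the connection is encrypted but not authenticated, so any host that can intercept DNS or the route could collect the messages, API key included.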