= Linux/Rsyslog >v8.0 =
 * Links: [[Linux/Rsyslog/Json|Json]], [[https://www.rsyslog.com/doc/v8-stable/configuration/index.html]], [[http://www.liblognorm.com/files/manual/lognormalizer.html]]
 * [[Linux/Rsyslog/Queues]]
 * As of 2021 there are two log systems on Linux: journald (part of systemd, queried with journalctl) and rsyslog.
 * Rsyslog is normally used when log messages have to be modified, sent to other systems, or received from other systems.

== Description of Rsyslog ==
 * Rsyslog is an open-source high-performance logging utility.
 * Multithreaded log processing
 * TCP with SSL/TLS
 * Reliable Event Logging Protocol (RELP)
 * Flexible and configurable output formats
 * Filtering on all aspects of log messages

== Getting latest version ==
{{{
$ cd /etc/yum.repos.d/
$ wget http://rpms.adiscon.com/v8-stable/rsyslog.repo        # for CentOS 7
$ wget http://rpms.adiscon.com/v8-stable/rsyslog-rhel7.repo  # for RHEL 7
$ yum install rsyslog
}}}

== /etc/rsyslog.conf ==
 * rsyslog fwd messages fail-over between servers: [[Linux/Rsyslog/FailOver]]
 * rsyslog fwd rate limiting: [[Linux/Rsyslog/RateLimiting]]
 * conf: get local log messages (written to /dev/log) into rsyslog
{{{
module(load="imuxsock")   # load the imuxsock module to receive messages via /dev/log,
                          # the default socket for local programs using the syslog standard.
# This replaces the obsolete legacy directive:
# $ModLoad imuxsock
}}}
 * conf: listen for incoming UDP log messages
{{{
module(load="imudp")
input(type="imudp" port="514")
}}}
 * conf: listen for TCP log messages, legacy and advanced format
{{{
# Legacy format:
# $ModLoad imtcp
# $InputTCPMaxSessions 500
# This is converted to:
module(load="imtcp" maxSessions="500")
}}}
 * conf: include individual rsyslog config files
{{{
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
}}}
 * conf: selector and action [basic format]
{{{
*.=debug    /var/log/debug
# The selector is *.=debug, i.e. facility.priority.
# The facility indicates where the message was sent from.
# The priority indicates how important the message is.
# Here, any message with priority exactly debug is written to /var/log/debug.
# Formats: [1] basic, [2] basic+advanced, [3] advanced
# [1] mail.info    /var/log/maillog
# [2] mail.info    action(type="omfile" file="/var/log/maillog")
# [3] if prifilt("mail.info") then { action(type="omfile" file="/var/log/maillog") }
}}}
 * conf-test: *.=debug with
{{{
$ logger -p daemon.debug "This is a test."
}}}
 * conf: conditional selector, only UDP input [advanced format]
{{{
if $inputname == "imudp" then {
    action(type="omfile" file="/var/log/udp.log")
}
}}}
 * conf-test:
{{{
$ logger -p daemon.debug -n 127.0.0.1 -P 514 -d "Sending this over UDP!"
}}}
 * conf: convert config to advanced format, e.g.
   * message processing stops at "& ~", which is equivalent to "& stop".
   * old/legacy format to file and host
{{{
:msg, contains, "error"    /var/log/errorlog
& @@remote
& ~
}}}
   * advanced format
{{{
:msg, contains, "error" {
    action(type="omfile" file="/var/log/errorlog")
    action(type="omfwd" target="remote.com" protocol="tcp")   # "@@" in the legacy form means TCP; a single "@" means UDP
    stop
}
}}}

== Rsyslog log buffering ==
 * Location set by variable:
{{{
$WorkDirectory /var/lib/rsyslog
}}}

== Notes setting up Rsyslog with Datadog ==
 * Send logs to the TLS endpoint: intake.logs.datadoghq.com:10516
==== Check for TLS connectivity and send test log message ====
{{{
echo "this is a test message for datadog $(date -Is)" | openssl s_client -showcerts -connect intake.logs.datadoghq.com:10516
}}}
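The legacy-to-advanced conversion shown above (facility.priority selectors, property-based ":msg, contains" filters, "&" continuation lines, "@"/"@@" forwarding and "~" discard) is mechanical enough to script. The converter below is an added example written for this page, not part of rsyslog; the function names and the subset of legacy syntax it accepts are my own choice, and it emits the prifilt()/if-then form the page labels format [3].

```python
import re

# Legacy property-filter comparison words and their RainerScript operators.
# Assumption: only this subset (not listed on the page) is accepted.
_COMPARE = {"contains": "contains", "isequal": "==", "startswith": "startswith"}
_PROP_RE = re.compile(r'^:(\w+),\s*(\w+),\s*"([^"]*)"\s+(\S+)$')  # :msg, contains, "error" TARGET
_SEL_RE = re.compile(r'^([\w*.,;=!]+)\s+(\S+)$')                  # facility.priority TARGET


def legacy_action(target: str) -> str:
    """Translate one legacy action target (~, @@host[:port], @host[:port], /path)."""
    if target == "~":                      # "& ~" discards the message: same as stop
        return "stop"
    for prefix, proto in (("@@", "tcp"), ("@", "udp")):   # "@@" = TCP, "@" = UDP
        if target.startswith(prefix):
            host, _, port = target[len(prefix):].partition(":")
            port_attr = f' port="{port}"' if port else ""
            return f'action(type="omfwd" target="{host}"{port_attr} protocol="{proto}")'
    if target.startswith("/"):
        return f'action(type="omfile" file="{target}")'
    raise ValueError(f"unsupported legacy action: {target!r}")


def convert(legacy: str) -> str:
    """Rewrite legacy selector/action lines, with '&' continuations, as if/then blocks."""
    blocks: list[tuple[str, list[str]]] = []
    for raw in legacy.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("&"):           # continuation: one more action for the last selector
            if not blocks:
                raise ValueError("'&' continuation without a preceding selector")
            blocks[-1][1].append(legacy_action(line[1:].strip()))
        elif m := _PROP_RE.match(line):    # property-based filter
            prop, op, value, target = m.groups()
            if op not in _COMPARE:
                raise ValueError(f"unsupported comparison: {op!r}")
            blocks.append((f'${prop} {_COMPARE[op]} "{value}"', [legacy_action(target)]))
        elif m := _SEL_RE.match(line):     # facility.priority selector -> prifilt()
            selector, target = m.groups()
            blocks.append((f'prifilt("{selector}")', [legacy_action(target)]))
        else:
            raise ValueError(f"unrecognised legacy line: {line!r}")
    return "\n\n".join(
        f"if {cond} then {{\n" + "\n".join(f"    {a}" for a in actions) + "\n}"
        for cond, actions in blocks
    )
```

Run the result through `rsyslogd -N1` (config syntax check) before deploying it; the script only rewrites syntax, it does not validate module availability.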