December 7, 2016

Remote Logging With Syslog, Part 2: Main Config File

remote-logging.jpg

rsyslog
Part 2 of our rsyslog series takes a detailed look at the main config file.

In the previous article, we looked at some of the basics of rsyslog -- a superfast Syslog tool with some powerful features for log processing. Here, I’ll be taking a detailed look at the main config file. Let’s dive right in.

Something to note -- in case this causes you issues in the future -- is that although the entries found in our main config file (/etc/rsyslog.conf) are read from the top down, the order in which they are presented does in fact make a difference.

Run this command inside the /etc directory:

# ls rsys*

rsyslog.conf  rsyslog.d/

The main config file is called rsyslog.conf, whereas the rsyslog.d/ is the directory where you save your other configuration files. Looking in the rsyslog.conf file, we use a type of $IncludeConfig statement to pick up any files with the .conf extension that reside in that directory, as follows:

# Include all config files in /etc/rsyslog.d/

$IncludeConfig /etc/rsyslog.d/*.conf

These user-defined configs might include remote logging to a rsyslog server.

You can include an individual file, too, or indeed a whole directory (no matter the file extensions), as follows:

$IncludeConfig /etc/rsyslog.d/chris-binnie-config.conf

$IncludeConfig /etc/rsyslog.d/

What does our main config file look like inside, though? Listing 1 shows that the file includes lots of useful comments and the heart of our rsyslog config in addition. Bear in mind that this file defines local logging in most cases. However if you’re turning your local server into a recipient Syslog server too then you also add config to set that live there too. Note that after each config change you will need to restart the daemon as we will see shortly.

#  /etc/rsyslog.conf    Configuration file for rsyslog.

#

#                       For more information see

#                       /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html


#################

#### MODULES ####

#################


$ModLoad imuxsock # provides support for local system logging

$ModLoad imklog   # provides kernel logging support

#$ModLoad immark  # provides --MARK-- message capability


# provides UDP syslog reception

#$ModLoad imudp

#$UDPServerRun 514


# provides TCP syslog reception

#$ModLoad imtcp

#$InputTCPServerRun 514


###########################

#### GLOBAL DIRECTIVES ####

###########################


#

# Use traditional timestamp format.

# To enable high precision timestamps, comment out the following line.

#

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat


#

# Set the default permissions for all log files.

#

$FileOwner root

$FileGroup adm

$FileCreateMode 0640

$DirCreateMode 0755

$Umask 0022


#

# Where to place spool and state files

#

$WorkDirectory /var/spool/rsyslog


#

# Include all config files in /etc/rsyslog.d/

#

$IncludeConfig /etc/rsyslog.d/*.conf


###############

#### RULES ####

###############


#

# First some standard log files. Log by facility.

#

auth,authpriv.*                 /var/log/auth.log

*.*;auth,authpriv.none     -/var/log/syslog

#cron.*                            /var/log/cron.log

daemon.*                        -/var/log/daemon.log

kern.*                             -/var/log/kern.log

lpr.*                                -/var/log/lpr.log

mail.*                              -/var/log/mail.log

user.*                             -/var/log/user.log


#

# Logging for the mail system. Split it up so that

# it is easy to write scripts to parse these files.

#

mail.info                       -/var/log/mail.info

mail.warn                       -/var/log/mail.warn

mail.err                        /var/log/mail.err


#

# Logging for INN news system.

#

news.crit                       /var/log/news/news.crit

news.err                        /var/log/news/news.err

news.notice                     -/var/log/news/news.notice


#

# Some "catch-all" log files.

#

*.=debug;\

       auth,authpriv.none;\

       news.none;mail.none     -/var/log/debug

*.=info;*.=notice;*.=warn;\

       auth,authpriv.none;\

       cron,daemon.none;\

       mail,news.none          -/var/log/messages


#

# Emergencies are sent to everybody logged in.

#

*.emerg                         :omusrmsg:*


#

# I like to have messages displayed on the console, but only on a virtual

# console I usually leave idle.

#

#daemon,mail.*;\

#       news.=crit;news.=err;news.=notice;\

#       *.=debug;*.=info;\

#       *.=notice;*.=warn       /dev/tty8


# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,

# you must invoke `xconsole' with the `-file' option:

#

#    $ xconsole -file /dev/xconsole [...]

#

# NOTE: adjust the list below, or you'll go crazy if you have a reasonably

#      busy site..

#

daemon.*;mail.*;\

       news.err;\

       *.=debug;*.=info;\

       *.=notice;*.=warn       |/dev/xconsole

Listing 1:The default Debian “rsyslog.conf” is shown; other flavors vary, some more than others.

Careful consideration has been programmed into this excellent software. It’s worth noting that there might be subtle config differences between versions so employ lookup differences online to compare notes between the older or newer syntax.

We’ll start by separating our view of rsyslog’s config into three parts. These parts would be any imported modules first of all, our config second and finally our rules.

Logging MARK entries

I’ll begin with a look at using modules. There are several different types of modules, but here’s an example to get you started. Simply think of the Input Modules as a way of collecting information from different sources. Output Modules are essentially how the logs are written, whether to files or a network socket. Another module type, which can be used to filter the received message’s content, is called a Parser Module.

As we can see from the top of the config file in Listing 1, we can load up our default modules as so:

$ModLoad imuxsock # provides support for local system logging

$ModLoad imklog     # provides kernel logging support

The comments are hopefully self-explanatory. The first module allows the dropping of logs to our local disks and if I’m reading the docs correctly the second module picks up events and drops them to “dmesg” after a system boot has completed and kernel logging has been taken over by the Syslog daemon.

The following commented-out line is for the “immark” module, which can be very useful in some circumstances:

#$ModLoad immark  # provides --MARK-- message capability

For example, I’ve used it frequently when I’m filling the /var/log/messages file up with several entries a second whilst testing something. In addition to using the functionality in scripts, I like to be able to type a Bash alias super quickly in the file ~/.bashrc during my testing:

alias mes=’/usr/bin/logger xxxxxxxxx’

If you add that alias then you can simply type “mes” at the command prompt, as your user, to add a separator in the “messages” file. If you haven’t altered your .bashrc file in the past, then after changing it you need to do this to refresh it.

# cd ~

# . .bashrc

I’m not sure but I suspect that the --MARK-- separators, alluded to in the comment after the module’s config entry, were first introduced to add a line to a log file to show you that Syslog was still running if there has been no logging entries present for a little while.

You could add the markers to your logs every 20 minutes, for example, if your logs are quiet (using this entry

$MarkMessagePeriod      1200 

I imagine, too, that it might be useful functionality, if you have rotated your logs in the middle of the night and then need to see that Syslog was still paying attention to the task in hand shortly after that point in time.

We can see the other modules are commented out. I’ll briefly mention modules later, but let’s continue on through our config file in the meantime.

The Global Directives section in Listing 1 is not too alien I hope. Look at this, for example, the top entry:

# Use default timestamp format

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

Directives start with a dollar sign, as a variable, and then have an associated property. From that entry, you can see that we’re still wearing 1970s flared trousers and opting to go traditional with the format of the our of logging.

The “permissions” entries there probably isn’t too tricky to translate either:

$FileOwner root

$FileGroup adm

$FileCreateMode 0640

$DirCreateMode 0755

$Umask 0022

When rsyslog runs we can alter who owns what and which file-creation mask is used. The working directory and “$IncludeConfig” entries are hopefully easy enough to follow so let’s keep moving forwards. Next time, we’ll get our hands a bit dirtier with some logfile rules and then finish up with some networking considerations.

Chris Binnie is a Technical Consultant with 20 years of Linux experience and a writer for Linux Magazine and Admin Magazine. His new book Linux Server Security: Hack and Defend teaches you how to launch sophisticated attacks, make your servers invisible and crack complex passwords.

Advance your career in system administration! Check out the Essentials of System Administration course from The Linux Foundation.

Click Here!