1. Prerequisite environment
- Server: Ubuntu18.04
- Client: linux system development board
- Ensure that the server and client are in the same LAN
2. Log level
- emerg, panic (emergency): Level 0 - this is the lowest log level; the system is unusable.
- alert (alert): Level 1 - immediate action must be taken.
- error (error): Level 3 - critical situation.
- warning (warning): Level 4 - warning condition.
- notice (notification): Level 5 - normal but important condition.
- info (information): Level 6 - informational messages.
- debug (debugging): Level 7 - this is the highest level; debugging-level messages.
3. Configuration
3.1. Install rsyslog
sudo apt-get install rsyslog
3.2. After installation, check the service to see if it is running
sudo service rsyslog status
3.3. Modify the configuration file
sudo vim /etc/rsyslog.conf
3.4. Uncomment the lines bound to the udp and tcp ports according to the requirements:
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
3.4.1. Supplementary instructions
If you want to restrict which senders are accepted to a specific subnet, IP address or domain, add the following:
$AllowedSender TCP, 127.0.0.1, 192.168.10.0/24, *.example.com
The above line can be added after the input(type="imtcp" port="514") line; remember to replace the example values with your own.
3.5. Create a new template for receiving remote messages
Create a template that tells the rsyslog server how to store incoming syslog messages. Add the template before the GLOBAL DIRECTIVES section:
$template RemoteLogs,"/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& stop
The received logs will be written using the above template and stored under the directory /var/log/remote. The file naming follows the %HOSTNAME% and %PROGRAMNAME% variables, namely the client hostname and the client program that generated the log message.
& stop instructs the rsyslog daemon to stop processing the message after storing it in the specified file, so it is not also written to the local log files (some people also use the older form & ~).
Other variables that can be used include:
%syslogseverity%, %syslogfacility%, %timegenerated%, %HOSTNAME%, %syslogtag%, %msg%, %FROMHOST-IP%, %PRI%, %MSGID%, %APP-NAME%, %TIMESTAMP%, %$year%, %$month%, %$day%
3.6. Complete configuration
# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")
$template RemoteLogs,"/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& stop
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Filter duplicated messages
$RepeatedMsgReduction on
#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
3.7. Restart the rsyslog service after the configuration is complete
sudo systemctl restart rsyslog
3.8. Confirm that the service is listening on the configured port:
ss -tunelp | grep 514
3.9. From the client, test whether the port is reachable (the example uses the server address 192.168.3.99):
nc -vuz 192.168.3.99 514
3.10. Configure the firewall for rsyslog
If the ufw firewall service is running, allow the rsyslog ports:
sudo ufw allow 514/tcp
sudo ufw allow 514/udp
4. Configure Rsyslog as a client (I didn't use this configuration, I used a script)
4.1. After completing the configuration of the rsyslog server, go to the rsyslog client computers and configure them to send logs to the remote rsyslog server:
sudo vim /etc/rsyslog.conf
4.2. Preserve the full hostname (FQDN) in the messages that are sent:
$PreserveFQDN on
4.3. Finally, add the remote rsyslog server:
4.3.1. Sending logs over UDP
*.* @ip-address-of-rsyslog-server:514
It is also possible to use the FQDN instead of the server IP address:
*.* @fqdn-of-rsyslog-server:514
4.3.2. Sending logs over TCP
The lines above send logs over UDP; for TCP, use @@ instead of a single @:
*.* @@ip-address-of-rsyslog-server:514
or:
*.* @@fqdn-of-rsyslog-server:514
4.4. To keep messages queued on disk while the rsyslog server is down or unreachable (and retry forever), add the following:
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
4.5. Then restart the rsyslog service:
sudo service rsyslog restart
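The following is an added example, not part of the original tutorial, showing what the client rule `*.* @server:514` actually puts on the wire: an RFC 3164 message whose PRI field encodes facility and the severity levels from section 2, and how the %HOSTNAME% and %PROGRAMNAME% properties used by the RemoteLogs template in 3.5 are derived from it. The hostname "devboard", tag "sensord" and the sample lines are constructed values.

```python
"""Constructed example: build the RFC 3164 line an rsyslog client sends, decode its
PRI field, and compute the file the RemoteLogs template would store it in."""
import re
import socket
from datetime import datetime

# Severity numbers as used by syslog (section 2); facility 1 = user-level messages.
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
TEMPLATE_DIR = "/var/log/remote"  # matches $template RemoteLogs in section 3.5


def build_message(facility, severity, hostname, tag, msg, when=None):
    """Return an RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    pri = facility * 8 + severity  # PRI = facility * 8 + severity
    when = when or datetime.now()
    # BSD timestamp "Mmm dd HH:MM:SS"; the day is space-padded, not zero-padded
    ts = when.strftime("%b ") + f"{when.day:2d}" + when.strftime(" %H:%M:%S")
    return f"<{pri}>{ts} {hostname} {tag}: {msg}"


_LINE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[ ]+)(?:\[(\d+)\])?: (.*)$"
)


def parse_message(line):
    """Split a message into the properties the template references."""
    m = _LINE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message")
    pri = int(m.group(1))
    return {
        "PRI": pri,
        "syslogfacility": pri // 8,
        "syslogseverity": pri % 8,
        "severity_name": SEVERITY[pri % 8],
        "TIMESTAMP": m.group(2),
        "HOSTNAME": m.group(3),
        "PROGRAMNAME": m.group(4),  # tag with any "[pid]" stripped, as rsyslog does
        "procid": m.group(5),
        "msg": m.group(6),
    }


def template_path(props):
    """Path produced by /var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log."""
    return f"{TEMPLATE_DIR}/{props['HOSTNAME']}/{props['PROGRAMNAME']}.log"


def send_udp(line, server, port=514):
    """Deliver one message over UDP, like the '@' client rule (not called in tests)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (server, port))
```

Parsing the line as the server does makes it easy to check, before enabling the template, which files a given client program will end up in.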