...

Code Block
# /etc/rsyslog.conf configuration file for rsyslog
# 
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")


This configuration file also allows you to specify where log types go...


<MORE TO COME>


Forward logs to another service

Code Block
*.* @127.0.0.1:514
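
What that forwarding rule does on the wire, and what the imudp/imtcp inputs configured above receive, as an added example that is not part of the original page: a single `@` forwards over UDP and `@@` over TCP (port 514 when none is given). The script builds an RFC 3164 syslog line, sends it the way the action would, and receives it on a constructed loopback listener standing in for rsyslog's own inputs, so it runs offline. The hostname, tag, timestamps and message text are constructed sample values.

```python
# Added example (not from the original page): what the forwarding rule
# `*.* @127.0.0.1:514` sends on the wire, received by a constructed
# stand-in for the imudp/imtcp inputs. Runs offline on loopback with an
# ephemeral port; hostname, tag and message text are sample values.
import socket
import time

FACILITY_USER = 1   # syslog facility "user"
SEVERITY_INFO = 6   # syslog severity "info"


def parse_forward_target(rule):
    """Parse a legacy rsyslog forwarding rule such as '*.* @127.0.0.1:514'.

    A single '@' forwards over UDP, '@@' over TCP; the port defaults to 514.
    Returns (protocol, host, port). Option suffixes such as '@(o)' are not handled.
    """
    _selector, _, target = rule.strip().partition(" ")
    target = target.strip()
    if target.startswith("@@"):
        protocol, rest = "tcp", target[2:]
    elif target.startswith("@"):
        protocol, rest = "udp", target[1:]
    else:
        raise ValueError(f"not a forwarding rule: {rule!r}")
    if rest.startswith("["):                    # IPv6 literal, e.g. @[::1]:514
        host, _, port = rest[1:].partition("]")
        port = port.lstrip(":")
    else:
        host, _, port = rest.partition(":")
    return protocol, host, int(port) if port else 514


def build_syslog_message(msg, hostname="deepthought", tag="example",
                         facility=FACILITY_USER, severity=SEVERITY_INFO, when=None):
    """Return a BSD-style (RFC 3164) syslog line: <PRI>TIMESTAMP HOST TAG: MSG.

    PRI is facility * 8 + severity. 'when' is epoch seconds (rendered as UTC
    here for determinism; real senders use local time) and defaults to now.
    """
    when = time.time() if when is None else when
    stamp = time.strftime("%b %d %H:%M:%S", time.gmtime(when))
    if stamp[4] == "0":                         # RFC 3164 pads the day with a space, not a zero
        stamp = stamp[:4] + " " + stamp[5:]
    return f"<{facility * 8 + severity}>{stamp} {hostname} {tag}: {msg}".encode()


def forward(payload, host, port, protocol="udp"):
    """Send one message the way the '@' (UDP) or '@@' (TCP) action does.

    TCP uses rsyslog's default LF-delimited framing. Returns bytes sent.
    """
    if protocol == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(payload, (host, port))
    if protocol == "tcp":
        framed = payload + b"\n"
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(framed)
        return len(framed)
    raise ValueError(f"unsupported protocol {protocol!r}")


def loopback_roundtrip(payload, protocol="udp"):
    """Bind an ephemeral loopback port (standing in for the imudp/imtcp
    inputs), forward one message to it, and return what arrived."""
    kind = socket.SOCK_DGRAM if protocol == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(5)
        port = srv.getsockname()[1]
        if protocol == "udp":
            forward(payload, "127.0.0.1", port, "udp")
            data, _peer = srv.recvfrom(65535)
            return data
        srv.listen(1)
        forward(payload, "127.0.0.1", port, "tcp")
        conn, _peer = srv.accept()
        with conn:
            conn.settimeout(5)
            buf = b""
            while not buf.endswith(b"\n"):       # read until the LF frame delimiter
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
        return buf.rstrip(b"\n")


if __name__ == "__main__":
    protocol, host, port = parse_forward_target("*.* @127.0.0.1:514")
    print(protocol, host, port)                  # udp 127.0.0.1 514
    line = build_syslog_message("forwarding test", when=1626975281)
    for proto in ("udp", "tcp"):
        print(proto, loopback_roundtrip(line, proto))
```

Because `@` is plain UDP, anything between the two hosts can read or alter the forwarded lines and delivery is not acknowledged; for a collector on another machine, `@@` (TCP) at least gives you delivery feedback, and rsyslog's TLS support on top of that is what keeps the contents private in transit.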



Testing Rsyslog

To listen on a port:

Figure out your interface

...

Code Block
$ systemctl status rsyslog

● rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.service; disabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-07-22 13:34:41 EDT; 15s ago
       Docs: man:rsyslogd(8)
             https://www.rsyslog.com/doc/
   Main PID: 305322 (rsyslogd)
      Tasks: 10 (limit: 19045)
     Memory: 6.3M
     CGroup: /system.slice/rsyslog.service
             └─305322 /usr/sbin/rsyslogd -n -iNONE

Jul 22 13:34:41 deepthought systemd[1]: Starting System Logging Service...
Jul 22 13:34:41 deepthought systemd[1]: Started System Logging Service.
Jul 22 13:34:41 deepthought rsyslogd[305322]: rsyslogd's groupid changed to 110
Jul 22 13:34:41 deepthought rsyslogd[305322]: rsyslogd's userid changed to 104
Jul 22 13:34:41 deepthought rsyslogd[305322]: [origin software="rsyslogd" swVersion="8.2001.0" x-pid="305322" x-info="https://www.rsyslog.c>

$ systemctl start rsyslog


Restart

Code Block
$ systemctl restart rsyslog


Forwarding to Elasticsearch

Install rsyslog-elasticsearch

Code Block
$ apt-get install rsyslog-elasticsearch


Add config file for elasticsearch

Code Block
$ vi /etc/rsyslog.d/10-rsyslog-elasticsearch.conf



Code Block
module(load="omelasticsearch") # for outputting to Elasticsearch
# this is for index names to be like: logstash-YYYY.MM.wWW (where WW is the week number)
template(name="logstash-index"
  type="list") {
    constant(value="logstash-")
    property(name="timereported" dateFormat="rfc3339" position.from="1" position.to="4")
    constant(value=".")
    property(name="timereported" dateFormat="rfc3339" position.from="6" position.to="7")
    constant(value=".w")
    # here we use the week number to avoid creating lots of shards on Elasticsearch
    property(name="timereported" dateFormat="week")
}


# permits to have the part after `/` in programname
global(parser.permitSlashInProgramName="on")

# this is for formatting our syslog in JSON with @timestamp
template(name="plain-syslog"
  type="list") {
    constant(value="{")
      constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
      constant(value="\",\"host\":\"")        property(name="hostname")
      constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
      constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
      constant(value="\",\"programname\":\"")   property(name="programname" format="json")
      constant(value="\",\"procid\":\"")   property(name="procid" format="json")
      constant(value="\",\"message\":\"")    property(name="msg" format="json")
    constant(value="\"}")
}
# this is where we actually send the logs to Elasticsearch
action(server="127.0.0.1"
    serverport="9200"
    usehttps="off"
    type="omelasticsearch"
    template="plain-syslog"
    errorfile="/tmp/rsyslog-elasticsearch-error.log"
    searchIndex="logstash-index"
    dynSearchIndex="on")
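
To see what the two templates above actually produce, here is an added example (not code from the page or from the rsyslog project) that renders `logstash-index` and `plain-syslog` for a constructed record. It shows which index a message lands in and why `format="json"` on `programname`, `procid` and `msg` matters: rendered without it, a message whose text contains quotes is no longer one string field but can add or overwrite keys in the document rsyslog posts to Elasticsearch. Two assumptions are made and marked in the code: rsyslog's JSON escaping is approximated with `json.dumps`, and `dateFormat="week"` with the zero-padded ISO week number; confirm both against your rsyslog version.

```python
# Added example (not from the page or the rsyslog project): renders the
# `logstash-index` and `plain-syslog` templates for a constructed record.
# Assumptions: rsyslog's JSON escaping is approximated with json.dumps, and
# dateFormat="week" with the zero-padded ISO week number.
import datetime
import json

# Constructed sample record carrying the properties the templates read.
EDT = datetime.timezone(datetime.timedelta(hours=-4))
SAMPLE = {
    "timereported": datetime.datetime(2021, 7, 22, 13, 34, 41, tzinfo=EDT),
    "hostname": "deepthought",
    "syslogseverity-text": "info",
    "syslogfacility-text": "auth",
    "programname": "sshd",
    "procid": "1234",
    "msg": "Accepted publickey for alice from 10.0.0.5 port 50000 ssh2",
}


def rfc3339(ts):
    """dateFormat="rfc3339", e.g. 2021-07-22T13:34:41-04:00."""
    return ts.isoformat(timespec="seconds")


def index_name(record):
    """Render `logstash-index`: logstash-YYYY.MM.wWW."""
    stamp = rfc3339(record["timereported"])
    year, month = stamp[0:4], stamp[5:7]            # position.from/to are 1-based in rsyslog
    week = record["timereported"].isocalendar()[1]  # assumption: ISO week for dateFormat="week"
    return f"logstash-{year}.{month}.w{week:02d}"


def json_property(value):
    """Approximates property(... format="json"): escapes quotes, backslashes
    and control characters so the value is safe inside a JSON string."""
    return json.dumps(str(value))[1:-1]


def render_plain_syslog(record, escape=True):
    """Render `plain-syslog`. escape=False shows what the template would emit
    if format="json" were left off programname, procid and msg."""
    esc = json_property if escape else str
    return (
        '{"@timestamp":"' + rfc3339(record["timereported"])
        + '","host":"' + str(record["hostname"])
        + '","severity":"' + str(record["syslogseverity-text"])
        + '","facility":"' + str(record["syslogfacility-text"])
        + '","programname":"' + esc(record["programname"])
        + '","procid":"' + esc(record["procid"])
        + '","message":"' + esc(record["msg"])
        + '"}'
    )


def parse_document(rendered):
    """Parse what rsyslog would POST to Elasticsearch; None if it is not valid JSON."""
    try:
        return json.loads(rendered)
    except json.JSONDecodeError:
        return None


if __name__ == "__main__":
    print(index_name(SAMPLE))                     # logstash-2021.07.w29
    print(render_plain_syslog(SAMPLE))
    # A message whose text contains quotes, e.g. a username echoed into a log line.
    quoted = dict(SAMPLE, msg='x","severity":"emerg')
    print(parse_document(render_plain_syslog(quoted, escape=False))["severity"])  # emerg
    print(parse_document(render_plain_syslog(quoted))["severity"])                # info
```

Note that the template escapes only `programname`, `procid` and `msg`; `hostname`, severity and facility text are inserted verbatim. With the imudp/imtcp inputs above enabled, the hostname comes from whatever sends to port 514, so if hosts you do not control can reach that port, give `hostname` the same `format="json"` option (or restrict who can send) before trusting the indexed documents.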


Restart

Code Block
$ systemctl restart rsyslog


Check Status

Code Block
$ systemctl status rsyslog