<yambe:breadcrumb self="Installing rsyslog from yum repository">Rsyslog configuration</yambe:breadcrumb>

Installing rsyslog server in CentOS

Configure rsyslog server

To install rsyslog use following steps:

1. yum -y install rsyslog
2. Disable SELinux
3. Enable incoming UDP port 514 packets
4. Edit '/etc/rsyslog.conf' file as follows:
   1. Append following lines

      $template TmplAuth, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
      
      authpriv.*      ?TmplAuth
      *.info,mail.none,authpriv.none,cron.none   ?TmplAuth
      

   2. Uncomment following lines:

      $ModLoad imudp
      $UDPServerRun 514

5. service rsyslog start
6. chkconfig rsyslog on

Note if for some reason TCP is preferable then uncomment these two lines for enabling TCP based log reception

#$ModLoad imtcp
#$InputTCPServerRun 514

Configure rsyslog client

After configuring rsyslog server, configure remote machines to send logs to rsyslog server using:

1. Install rsyslog same as in case of server
2. Edit '/etc/rsyslog.conf' file and append following configuration:

   *.* @<server>:<port>

3. service rsyslog start
4. chkconfig rsyslog on

Note if server is configured to use TCP then use:

*.* @@<server>:<port>

to send logs through TCP instead of UDP. Notice two @@ instead of one.

Steps learned from http://tecadmin.net/setup-centralized-logging-server-using-rsyslogd/ and contributed by Kiran Kollipara

Automated rsyslog server and client configuration

For automated rsyslog server and client configuration using ansible use:

---
- name: This playbook configures rsyslog server
  hosts: rsyslog_server
  remote_user: root

  tasks:
  - name: Install rsyslog package
    yum: name=rsyslog state=present
#    environment: proxy_env

  - name: Copy rsyslog configuration to rsyslog server
    copy: src=rsyslog_server.conf dest=/etc/rsyslog.conf owner=root group=root mode=644
    notify:
      - restart rsyslog 

  - name: Start rsyslog and enable it on startup
    service: name=rsyslog state=started enabled=yes


  handlers:
  - name: restart rsyslog
    service: name=rsyslog state=restarted 


- name: Configure rsyslog client
  hosts: rsyslog_clients
  remote_user: root
 
  vars:
    rsyslog_server_ips:
      - 192.168.122.105

  tasks:
  - name: Install rsyslog package
    yum: name=rsyslog state=present
#    environment: proxy_env

  - name: Copy rsyslog configuration to rsyslog client
    template: src=rsyslog_client.conf dest=/etc/rsyslog.conf owner=root group=root mode=644
    notify:
      - restart rsyslog 

  - name: Start rsyslog and enable it on startup
    service: name=rsyslog state=started enabled=yes

  handlers:
  - name: restart rsyslog
    service: name=rsyslog state=restarted 

The playbook refers to rsyslog_server.conf which should have:

# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                -/var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              -/var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  -/var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          -/var/log/spooler

# Save boot messages also to boot.log
local7.*                                                -/var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

$template TmplAuth, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"

authpriv.*      ?TmplAuth
*.info,mail.none,authpriv.none,cron.none   ?TmplAuth

Also the playbook refers to 'rsyslog_client.conf' which should have:

# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                -/var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              -/var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  -/var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          -/var/log/spooler

# Save boot messages also to boot.log
local7.*                                                -/var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###


{% for rsyslog_server in rsyslog_server_ips %}

# start forwarding to {{rsyslog_server}}
$ActionQueueType LinkedList   # use asynchronous processing
$ActionQueueFileName {{rsyslog_server}} # set file name, also enables disk mode
$ActionResumeRetryCount -1    # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
*.*       @{{rsyslog_server}}:514
# end forwarding to {{rsyslog_server}}

{% endfor %}

<yambe:breadcrumb self="Installing from source">Rsyslog configuration</yambe:breadcrumb>