Rsyslog, central configuration: need to know

Rsyslog is now de facto the syslog engine for Ubuntu (since 10.10).

I used syslog-ng for a long time, but now I need to update my knowledge.

1. Server

Centralizing syslog events from firewalls, appliances or other hosts on an rsyslog server is a must-have.

1. Things to think about

TCP and UDP reception are not turned on by default.
You need to load the imudp and imtcp modules to enable them. This needs to be done only once in rsyslog.conf. Do it right at the top.

Edit /etc/rsyslog.conf and enable the required protocols:

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Then create basic rules to write the REMOTE events to a dedicated log file:

# do this in FRONT of the local/regular rules
if $fromhost-ip startswith '192.0.1.' then /var/log/network1.log
& ~
if $fromhost-ip startswith '192.0.2.' then /var/log/network2.log
& ~

2. How it works

It is important that the rules processing the remote messages come before any rules processing local messages. The if's above check whether a message originates on the network in question and, if so, write it to the appropriate log. The next line (“& ~”) is important: it tells rsyslog to stop processing the message after it has been written to the log. As such, these messages never reach the local rules. Without the “& ~”, the remote messages would also be written to the local files.

Also note that in the filter there is a dot after the last number in the IP address. This is important to get reliable filters. For example, both of the addresses “192.0.1.1” and “192.0.10.1” start with “192.0.1” but only one actually starts with “192.0.1.”!
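To see both pitfalls from the last two paragraphs (the missing trailing dot and the missing “& ~”), here is an added Python model of rsyslog's top-to-bottom rule walk. It is not rsyslog code: the events, file names and the single catch-all standing in for the local rules are all constructed for the illustration.

```python
from collections import defaultdict

# Constructed sample events: (source IP as $fromhost-ip, message text).
MESSAGES = [
    ("192.0.1.1",  "fw1: deny tcp 10.0.0.5 -> 10.0.0.9:22"),
    ("192.0.10.1", "fw10: link up"),            # shares the prefix "192.0.1"
    ("192.0.2.7",  "switch2: port 3 down"),
    ("127.0.0.1",  "cron: job finished"),       # a local message
]

def remote_rule(prefix, target, discard=True):
    """Models: if $fromhost-ip startswith '<prefix>' then <target>
    followed (when discard=True) by '& ~', which drops the message."""
    return (lambda ip: ip.startswith(prefix), target, discard)

# Stand-in for all the regular local rules further down rsyslog.conf.
LOCAL_RULE = (lambda ip: True, "/var/log/syslog", False)

def route(rules, messages):
    """Walk the rules top to bottom once per message, as rsyslog does.
    Returns {log file: [messages written to it]}."""
    files = defaultdict(list)
    for ip, text in messages:
        for matches, target, discard in rules:
            if not matches(ip):
                continue
            files[target].append(text)
            if discard:
                break   # '& ~': processing stops, local rules never see it
    return dict(files)

# The post's configuration: trailing dot in the prefix and '& ~' after each rule.
GOOD = [remote_rule("192.0.1.", "/var/log/network1.log"),
        remote_rule("192.0.2.", "/var/log/network2.log"),
        LOCAL_RULE]

# Pitfall 1: no trailing dot, so 192.0.10.1 also matches "192.0.1".
NO_DOT = [remote_rule("192.0.1", "/var/log/network1.log"),
          remote_rule("192.0.2", "/var/log/network2.log"),
          LOCAL_RULE]

# Pitfall 2: '& ~' left out, so remote events are duplicated into the local log.
NO_DISCARD = [remote_rule("192.0.1.", "/var/log/network1.log", discard=False),
              remote_rule("192.0.2.", "/var/log/network2.log", discard=False),
              LOCAL_RULE]

if __name__ == "__main__":
    for name, rules in (("good", GOOD), ("no dot", NO_DOT), ("no & ~", NO_DISCARD)):
        print(name)
        for path, lines in sorted(route(rules, MESSAGES).items()):
            print(f"  {path}: {lines}")
```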

3. Hosts

If you use rsyslog to forward events to the central server, just add:

# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @@remote-host:514

More info at: http://www.rsyslog.com/
