Syslog
Rsyslog
Rsyslog tends to have drastic syntax changes between versions, so be sure to follow the documentation for the version you are running.
Configuration
module(load="imuxsock" SysSock.Use="off")   # local system logging, w/o log socket
module(load="imklog")                       # reads kernel messages
module(load="immark")                       # provides --MARK-- message capability

# Syslog server
# module(load="imudp")
# input(type="imudp" port="514")
# module(load="imtcp")
# input(type="imtcp" port="514")

# Work directory[1], prefer IPv4, default timestamp format
global(workDirectory="/var/lib/rsyslog")
global(net.ipprotocol="ipv4-only")
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

# Include more configuration files
$IncludeConfig /etc/rsyslog.d/*.conf

# Discard some log spam early on
if ($programname == 'foobar') or \
   ($msg contains 'barbaz') \
then { stop }

# Same, but with different syntax
:programname, contains, "foobar" stop

# Working with templates
$template RemoteHost, "/var/log/net-%HOSTNAME%.log"
$template RemoteFromHost,"/var/log/net-%FROMHOST%.log"

# We're a log server:
# :fromhost, isequal, "10.0.0.20" ?RemoteFromHost
# :fromhost, isequal, "10.0.0.20" stop
# :fromhost, isequal, "10.0.0.21" ?RemoteFromHost
# :fromhost, isequal, "10.0.0.21" stop

# Send everything to a loghost
# :source, isequal, "" @loghost
# :source, isequal, "" stop

auth,authpriv.*                 /var/log/syslog/auth.log
*.=info;*.=notice;*.=warn;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none              /var/log/syslog/system.log
[...]

# Sometimes we want to send the FQDN to the log server
# or set a new name altogether
$PreserveFQDN on
# $LocalHostName node.example.net

# Send logs to a TLS-enabled log server[2]
$DefaultNetstreamDriverCAFile   /etc/ssl/certs/ca-bundle.crt
$DefaultNetstreamDriverCertFile /etc/ssl/private/foobar.pem
$DefaultNetstreamDriverKeyFile  /etc/ssl/private/foobar.key
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon
kern,mark.*;*.warning           @@loghost.example.net:6514   # See RFC 5425
Notes:
- Order matters: the statements above that discard messages have to come before the rules that write or forward anything.
- The net.ipprotocol="ipv4-only" setting above was only put in so that remote (IPv4-only) log destinations can still be reached.
- $DefaultNetstreamDriverCAFile should point to a valid CA certificate. The official documentation recommends a self-signed CA certificate, but if the loghost has a public address, a public CA certificate will do as well.
- $DefaultNetstreamDriverCertFile can be signed by the CA specified, but can be self-signed just as well:
export SAN="subjectAltName = DNS:localhost"
export SUBJECT="/C=US/ST=CA/L=SF/O=None/OU=None/CN=localhost/emailAddress=admin@localhost"
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -out /etc/ssl/private/foobar.key
openssl req -new -x509 -sha512 -days 3650 -subj "${SUBJECT}" -addext "${SAN}" \
    -key /etc/ssl/private/foobar.key -out /etc/ssl/private/foobar.pem
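The @@loghost.example.net:6514 action above forwards over TCP with TLS, where RFC 5425 frames every message by its byte length (MSG-LEN SP SYSLOG-MSG) instead of by newline. The following is an added example, not code from the page or from rsyslog, that frames and unframes such a stream, handles partial and malformed input, and decodes the <PRI> header into the facility and severity the selectors act on; the two messages and the host name are constructed.

```python
import re

# Constructed RFC 5424 messages: a kern.warning (PRI 4) and a daemon.info (PRI 30)
# that contains a newline, which octet counting carries through unharmed.
MESSAGES = [
    b"<4>1 2017-04-09T13:08:00Z node.example.net kernel - - - oom-killer invoked",
    b"<30>1 2017-04-09T13:08:20Z node.example.net rsyslogd - - - -- MARK --\nsame message",
]

def frame(msg):
    """RFC 5425 octet counting: MSG-LEN SP SYSLOG-MSG, MSG-LEN being the byte length."""
    return b"%d %s" % (len(msg), msg)

def unframe(buf):
    """Take complete frames off a TCP/TLS stream buffer; return (messages, leftover).
    Raises ValueError if the buffer does not start with a valid MSG-LEN."""
    msgs = []
    while buf:
        m = re.match(rb"([1-9]\d{0,4}) ", buf)   # 5 digits is a local sanity cap
        if not m:
            if re.fullmatch(rb"[1-9]\d{0,4}", buf):
                break                             # length digits still arriving
            raise ValueError("malformed frame header: %r" % buf[:8])
        length, start = int(m.group(1)), m.end()
        if len(buf) < start + length:
            break                                 # partial message, need more bytes
        msgs.append(buf[start:start + length])
        buf = buf[start + length:]
    return msgs, buf

def pri(msg):
    """Split the leading <PRI> into (facility, severity): PRI = facility * 8 + severity."""
    m = re.match(rb"<(\d{1,3})>", msg)
    if not m or int(m.group(1)) > 191:
        raise ValueError("bad PRI in %r" % msg[:8])
    value = int(m.group(1))
    return value >> 3, value & 7
```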
Syslog-NG
The first line of the configuration file (@version) should match the installed version of syslog-ng.
Configuration
@version: 3.13

options {
    use_dns(no);
    use_fqdn(no);
    owner("root");
    group("adm");
    perm(0640);
    mark_freq(300);
    stats_freq(0);
};

# sources
source s_src {
    unix-dgram("/dev/log");
    internal();
    file("/proc/kmsg" program_override("kernel"));
};

# UDP source
source s_net {
    udp(port(514));
};

# TLS-enabled TCP source
source s_net_tls {
    network(ip(0.0.0.0) port(6514)
    # syslog(ip(0.0.0.0) port(6514)
        transport("tls")
        tls(key_file("/etc/ssl/private/server.key")
            cert_file("/etc/ssl/private/server.pem")
            peer-verify(optional-untrusted))
    );
};

destination d_auth    { file("/var/log/syslog/auth.log"); };
destination d_info    { file("/var/log/syslog/info.log"); };
destination d_tty     { file("/dev/tty10"); };
destination d_console { usertty("root"); };
destination d_loghost { udp("loghost" port(514)); };
destination d_alice   { file("/var/log/syslog/net-alice.log"); };
destination d_net     { file("/var/log/syslog/net-$FULLHOST.log"); };
# braces keep the macro name apart from the "_tls" suffix
destination d_net_tls { file("/var/log/syslog/net-${FULLHOST}_tls.log"); };
[...]

filter f_auth    { facility(auth, authpriv); };
filter f_info    { level(info); };
filter f_console { level(warn .. emerg); };
filter f_loghost { facility(kern) or match("MARK" value(MESSAGE)); };
filter f_alice   { host("10.0.0.3$"); };
[...]

log { source(s_src); filter(f_auth); destination(d_auth); };
log { source(s_src); filter(f_cron); destination(d_info); };
log { source(s_src); filter(f_kern); destination(d_tty); };
log { source(s_src); filter(f_console); destination(d_console); };

# logging to/from a remote host
log { source(s_src); filter(f_loghost); destination(d_loghost); };
log { source(s_net); filter(f_alice); destination(d_alice); };
log { source(s_net); destination(d_net); };
log { source(s_net_tls); destination(d_net_tls); };
[...]
The certificate needs to be explicitly readable by root. Relying on implicit permissions results in EACCES[3] for some[4] reason:
$ ls -lL /etc/ssl/private/server.*
-r-------- 1 root root 1704 Apr  9  2017 /etc/ssl/private/server.key
-r--r----- 1 root http 5156 Jan 17 13:08 /etc/ssl/private/server.pem
Syslogd
syslog.conf
*.err                                       /dev/console
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
*.*;auth,authpriv,cron.warning              @loghost
To receive remote syslog messages, syslogd must be started with the -r option.
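The selector lines in syslog.conf above, and the classic rsyslog rules earlier on this page, follow the sysklogd rules: parts separated by ";" accumulate from left to right, "p" adds p and everything more severe, "=p" adds only p, "none" drops what earlier parts added, and "!" removes instead of adding. As an added example (not from the page or any syslog implementation), this evaluates which actions a message of a given facility and priority reaches; the configuration text is a constructed copy of the rsyslog rules from this page.

```python
import re

# Severity numbers as in syslog(3); 0 is the most severe.
PRIORITIES = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
              "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed excerpt of the rsyslog rules on this page (classic selector syntax).
CONF = """\
auth,authpriv.*          /var/log/syslog/auth.log
*.=info;*.=notice;*.=warn;\\
    auth,authpriv.none;\\
    cron,daemon.none;\\
    mail,news.none       /var/log/syslog/system.log
kern,mark.*;*.warning    @@loghost.example.net:6514
"""

def parse_conf(text):
    """Return [(selector, action)] pairs; joins backslash-continued lines and
    skips blank lines and comments."""
    rules = []
    for line in text.replace("\\\n", "").splitlines():
        line = re.sub(r";\s+", ";", line.strip())  # whitespace after ';' is continuation indent
        if not line or line.startswith("#"):
            continue
        selector, action = re.split(r"\s+", line, maxsplit=1)
        rules.append((selector, action))
    return rules

def priority_mask(selector, facility):
    """Severities one selector lets through for a facility, following the sysklogd
    rules: 'p' adds p and more severe, '=p' adds only p, '*' adds all,
    'none' clears what earlier parts added, a leading '!' removes instead."""
    mask = set()
    for part in selector.split(";"):
        facilities, spec = part.rsplit(".", 1)
        if not {facility, "*"} & set(facilities.split(",")):
            continue                                # this part is about other facilities
        if spec == "none":
            mask = set()
        elif spec.lstrip("!") == "*":
            mask = set() if spec.startswith("!") else set(range(8))
        else:
            level = PRIORITIES[spec.lstrip("!=")]
            chosen = {level} if "=" in spec else set(range(level + 1))
            mask = mask - chosen if spec.startswith("!") else mask | chosen
    return mask

def actions_for(rules, facility, priority):
    """Actions (a file, a @host, ...) that receive a message of this facility and priority."""
    return [action for selector, action in rules
            if PRIORITIES[priority] in priority_mask(selector, facility)]
```

With this excerpt, a daemon.notice message reaches no action at all, because cron,daemon.none cancels the earlier *.=notice; the [...] part of the page's configuration is where such messages would have to be caught.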
Netconsole
Under Linux, a kernel-based netconsole is available if CONFIG_NETCONSOLE is enabled.
To enable netconsole at boot, this option is passed as a kernel parameter on the boot command line or as a module parameter:
netconsole=[src-port]@[src-ip]/[<dev>],[tgt-port]@<tgt-ip>/[tgt-macaddr]
As an example, forward all kernel messages from our own address 10.0.0.10 over eth0 to 10.0.0.20:514, giving the target's MAC address as well (the source port is left at its default):
options netconsole netconsole=@10.0.0.10/eth0,514@10.0.0.20/00:01:02:03:04:05
ASL
On Mac OS X there's ASL, the Apple System Log. While syslogd still reads syslog.conf, it's linked against the ASL libraries and thus reads asl.conf too.
The /etc/syslog.conf looks pretty much like the syslog.conf above:
*.notice;authpriv,remoteauth,ftp,install,internal.none    /var/log/system.log
auth.info;authpriv.*;remoteauth.crit                      /var/log/secure.log
kern.*                                                    /var/log/kernel.log
*.*                                                       /var/log/messages
lpr.*                                                     /var/log/lpr.log
mail.*                                                    /var/log/mail.log
ftp.*                                                     /var/log/ftp.log
install.*                                                 /var/log/install.log
install.*                                                 @127.0.0.1:32376
local0.*                                                  /var/log/appfirewall.log
local1.*                                                  /var/log/ipfw.log
*.emerg                                                   *
*.*                                                       @loghost
Links
- Windows/Eventlog
- Syslog-NG Deployment with SSL/TLS Encryption Enabled
- syslog-ng: SSL certificate verification
- rsyslog: Encrypting remote syslog with TLS (SSL)
- syslog-ng (Arch Linux)