Syslog


Rsyslog

Rsyslog tends to have drastic syntax changes across its versions, so be sure to keep up with the current documentation.

Configuration

# Input modules: local socket handling is left to the system (SysSock.Use="off"),
# kernel messages and periodic --MARK-- lines are read/generated here.
module(load="imuxsock" SysSock.Use="off") # local system logging, w/o log socket
module(load="imklog")                     # reads kernel messages
module(load="immark")                     # provides --MARK-- message capability

# Syslog server
# Network listeners: neither imudp nor imtcp authenticates the sender, so only
# enable them on a host that is meant to be a loghost (and filter by source).
# module(load="imudp")
# input(type="imudp" port="514")

# module(load="imtcp")
# input(type="imtcp" port="514")

# Work directory[1], prefer IPv4, default timestamp format
global(workDirectory="/var/lib/rsyslog")
global(net.ipprotocol="ipv4-only")
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

# Include more configuration files 
# NOTE: rules in /etc/rsyslog.d/ run before the discard rule below, because
# rsyslog processes rules in file order; move this include after the discard
# block if the included rules should not see the discarded messages.
$IncludeConfig /etc/rsyslog.d/*.conf

# Discard some log spam early on
if     ($programname == 'foobar') or \
       ($msg contains 'barbaz') \
then {
       stop
}

# Same, but with different syntax
# "contains" is a substring test, so this also matches e.g. "foobar2".
:programname, contains, "foobar" stop

# Working with templates
# Both templates build a file path from a hostname: %HOSTNAME% is taken from the
# message header (set by the sender), %FROMHOST% from the receiving socket/DNS.
# A remote sender therefore influences the path; the property replacer's
# secpath-drop / secpath-replace options exist to strip path separators.
$template RemoteHost,    "/var/log/net-%HOSTNAME%.log"
$template RemoteFromHost,"/var/log/net-%FROMHOST%.log"

# We're a log server:
# Per-peer file, then stop so the peer's messages do not also land in the
# local files below.
# :fromhost, isequal, "10.0.0.20" ?RemoteFromHost
# :fromhost, isequal, "10.0.0.20" stop
# :fromhost, isequal, "10.0.0.21" ?RemoteFromHost
# :fromhost, isequal, "10.0.0.21" stop

# Send everything to a loghost
# Single "@" = UDP, i.e. clear text and no delivery guarantee; the TLS variant
# with "@@" is shown further down.
# :source, isequal, "" @loghost
# :source, isequal, "" stop

# Local files: auth/authpriv separately (restrict file permissions accordingly),
# everything else at info/notice/warn minus the noisy facilities.
auth,authpriv.*                 /var/log/syslog/auth.log
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          /var/log/syslog/system.log
[...]

# Sometimes we want to send the FQDN to the log server
# or set a new name altogether
$PreserveFQDN                   on
# $LocalHostName                node.example.net

# Send logs to a TLS-enabled log server[2]
# The CA file must contain the issuer of the loghost's certificate if the
# server is ever to be verified; with "anon" below it is not consulted.
$DefaultNetstreamDriverCAFile   /etc/ssl/certs/ca-bundle.crt
$DefaultNetstreamDriverCertFile /etc/ssl/private/foobar.pem
$DefaultNetstreamDriverKeyFile  /etc/ssl/private/foobar.key
$DefaultNetstreamDriver         gtls
# Mode 1 = TLS only (no fallback to plain TCP).
$ActionSendStreamDriverMode     1
# "anon": the channel is encrypted but the loghost is NOT authenticated, so a
# host that can redirect the connection can read the logs. To pin the server,
# use AuthMode x509/name together with $ActionSendStreamDriverPermittedPeer.
$ActionSendStreamDriverAuthMode anon
# "@@" = TCP; only kern, mark and warning-and-above messages leave the box.
kern,mark.*;*.warning           @@loghost.example.net:6514         # See RFC 5425

Notes:

  • Order matters: the discard statement above should come first.
  • The net.ipprotocol="ipv4-only" above was only put in so that remote (IPv4-only) log destinations can still be reached.
  • The $DefaultNetstreamDriverCAFile should point to a valid CA certificate. The official documentation recommends a self-signed CA certificate, but if the loghost has a public address, a public CA certificate will do as well.
  • The $DefaultNetstreamDriverCertFile can be signed by the CA specified, but can be self-signed just as well:
# Self-signed certificate for $DefaultNetstreamDriverCertFile. CN and SAN are
# "localhost"; a peer that checks the certificate name (x509/name) will not
# accept it, which is fine for the "anon" mode configured above. Put the host's
# real name in SUBJECT/SAN before switching to name-based verification.
export SAN="subjectAltName = DNS:localhost"
export SUBJECT="/C=US/ST=CA/L=SF/O=None/OU=None/CN=localhost/emailAddress=admin@localhost"

# openssl creates the key file with the current umask; run this with umask 077
# (or chmod 600 afterwards) so the private key is not readable by others.
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -out /etc/ssl/private/foobar.key
# -addext needs OpenSSL 1.1.1 or newer; -days 3650 gives a ten-year lifetime.
openssl req -new -x509 -sha512 -days 3650 -subj "${SUBJECT}" -addext "${SAN}" -key /etc/ssl/private/foobar.key -out /etc/ssl/private/foobar.pem

Syslog-NG

The first line of the configuration file should match the current version of syslog-ng.

Configuration

@version: 3.13
# Global defaults: no DNS lookups for peers (avoids blocking on resolver
# failures), log files owned root:adm with mode 0640, a --MARK-- every 300 s,
# internal statistics messages disabled.
options {
       use_dns(no);
       use_fqdn(no);
       owner("root");
       group("adm");
       perm(0640);
       mark_freq(300);
       stats_freq(0);
};

# sources
# Local sources: /dev/log, syslog-ng's own messages, and the kernel ring buffer
# (tagged as program "kernel").
source s_src {
       unix-dgram("/dev/log");
       internal();
       file("/proc/kmsg" program_override("kernel"));
};

# UDP source
# Clear text, and the sender address of a UDP datagram is not verified, so
# messages arriving here should be treated as unauthenticated.
source s_net { udp(port(514)); };

# TLS-enabled TCP source 
# Listens on all IPv4 interfaces. peer-verify(optional-untrusted) means a
# client may connect without a certificate and any certificate it presents is
# not validated: the transport is encrypted but clients are not authenticated.
# For mutual authentication use required-trusted together with ca-dir()/ca_file().
source s_net_tls {
               network(ip(0.0.0.0) port(6514)
       #       syslog(ip(0.0.0.0)  port(6514)
               transport("tls")
               tls(key_file("/etc/ssl/private/server.key")
                       cert_file("/etc/ssl/private/server.pem")
                       peer-verify(optional-untrusted))
               );
};

destination d_auth              { file("/var/log/syslog/auth.log"); };
destination d_info              { file("/var/log/syslog/info.log"); };

destination d_tty               { file("/dev/tty10"); };
destination d_console           { usertty("root"); };

# Forwarding over UDP is clear text with no delivery guarantee.
destination d_loghost           { udp("loghost" port(514)); };
destination d_alice             { file("/var/log/syslog/net-alice.log"); };
# $FULLHOST comes from the peer/message, so the remote side influences the
# file name used here.
destination d_net               { file("/var/log/syslog/net-$FULLHOST.log"); };
# NOTE(review): "$FULLHOST_tls" is presumably parsed as a macro named
# FULLHOST_tls (underscore is a valid macro character), which would expand to
# nothing; "${FULLHOST}_tls" is probably what is intended — verify.
destination d_net_tls           { file("/var/log/syslog/net-$FULLHOST_tls.log"); };
[...]

filter f_auth                   { facility(auth, authpriv); };
# level(info) matches exactly info, not info-and-above.
filter f_info                   { level(info); };

filter f_console                { level(warn .. emerg); };
filter f_loghost                { facility(kern) or match("MARK" value(MESSAGE)); };
# host() is a regular expression on the HOST value; with use_dns(no) above this
# is presumably the peer's IP address — confirm against keep_hostname() setting.
filter f_alice                  { host("10.0.0.3$"); };
[...]

# f_cron and f_kern are referenced here but defined in the elided part above.
log { source(s_src); filter(f_auth);      destination(d_auth); };
log { source(s_src); filter(f_cron);      destination(d_info); };

log { source(s_src); filter(f_kern);      destination(d_tty); };
log { source(s_src); filter(f_console);   destination(d_console); };

# logging to/from a remote host
log { source(s_src); filter(f_loghost);   destination(d_loghost); };
# Messages from s_net are matched by f_alice AND also hit the unfiltered d_net
# log statement below, i.e. alice's messages are written twice.
log { source(s_net); filter(f_alice);     destination(d_alice); };
log { source(s_net);                      destination(d_net); };
log { source(s_net_tls);                  destination(d_net_tls); };
[...]

The certificate needs to be explicitly readable by root. An implicit permission would result in EACCES[3] for some[4] reason:

$ ls -lL /etc/ssl/private/server.*
-r-------- 1 root root 1704 Apr  9  2017 /etc/ssl/private/server.key
-r--r----- 1 root http 5156 Jan 17 13:08 /etc/ssl/private/server.pem

Syslogd

syslog.conf

*.err                                                   /dev/console
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# "@loghost" forwards over UDP in clear text; auth/authpriv/cron only at
# warning and above, everything else unfiltered.
*.*;auth,authpriv,cron.warning                          @loghost

To receive remote syslog messages, syslogd must be started with option -r.

Netconsole

Under Linux, a kernel-based netconsole is available if CONFIG_NETCONSOLE is enabled.

To enable netconsole during bootup, these options should be passed as a kernel parameter during boot or as module parameters:

netconsole=[src-port]@[src-ip]/[<dev>],[tgt-port]@<tgt-ip>/[tgt-macaddr]

As an example, forward all kernel messages from our own address 10.0.0.10 over eth0 to 10.0.0.20:514 and its MAC address:

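# Target port is 514 as stated above (the original line had the digits
# transposed as 541). Kernel messages travel in clear text over UDP.
options netconsole netconsole=@10.0.0.10/eth0,514@10.0.0.20/00:01:02:03:04:05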

ASL

On MacOS X, there's ASL, the Apple System Log. While syslogd still reads syslog.conf it's linked against the ASL libraries and thus reads asl.conf too.

The /etc/syslog.conf looks pretty much like the syslog.conf above:

*.notice;authpriv,remoteauth,ftp,install,internal.none  /var/log/system.log
auth.info;authpriv.*;remoteauth.crit                    /var/log/secure.log
kern.*                                                  /var/log/kernel.log
*.*                                                     /var/log/messages

lpr.*                                                   /var/log/lpr.log
mail.*                                                  /var/log/mail.log
ftp.*                                                   /var/log/ftp.log
install.*                                               /var/log/install.log
# Loopback forward of the installer log.
install.*                                               @127.0.0.1:32376
local0.*                                                /var/log/appfirewall.log
local1.*                                                /var/log/ipfw.log

# "*" writes emergencies to every logged-in user's terminal.
*.emerg                                                 *
# Everything, including auth/authpriv, leaves the host over UDP in clear text.
*.*                                                     @loghost

Links

References