Syslog

From Segfault

Rsyslog

Rsyslog tends to have drastic syntax changes across its versions, so be sure to keep up with the current documentation.

Configuration

module(load="imuxsock" SysSock.Use="off") # local system logging, w/o log socket
module(load="imklog")                     # reads kernel messages
module(load="immark")                     # provides --MARK-- message capability

# Syslog server
# module(load="imudp")
# input(type="imudp" port="514")

# module(load="imtcp")
# input(type="imtcp" port="514")

# Work directory[1], prefer IPv4, default timestamp format
global(workDirectory="/var/lib/rsyslog")
global(net.ipprotocol="ipv4-only")
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

# Include more configuration files 
$IncludeConfig /etc/rsyslog.d/*.conf

# Discard some log spam early on
if     ($programname == 'foobard') or \
       ($msg contains 'barbaz') \
then {
       stop
}

# Same, but with different syntax
:programname, contains, "foobard" stop

# Working with templates
$template RemoteHost,    "/var/log/net-%HOSTNAME%.log"
$template RemoteFromHost,"/var/log/net-%FROMHOST%.log"

# We're a log server:
# :fromhost, isequal, "10.0.0.20" ?RemoteFromHost
# :fromhost, isequal, "10.0.0.20" stop
# :fromhost, isequal, "10.0.0.21" ?RemoteFromHost
# :fromhost, isequal, "10.0.0.21" stop

# Send everything to a loghost
# :source, isequal, "" @loghost
# :source, isequal, "" stop

auth,authpriv.*                 /var/log/syslog/auth.log
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          /var/log/syslog/system.log
[...]
 
# Send logs to a TLS-enabled log server
$DefaultNetstreamDriverCAFile   /etc/ssl/certs/ca-bundle.crt
$DefaultNetstreamDriver         gtls
$ActionSendStreamDriverMode     1
$ActionSendStreamDriverAuthMode anon
kern,mark.*;*.warning           @@loghost.example.net:6514         # See RFC 5425

Notes:

  • Order matters: the rule above that discards messages has to come before the rules that write logs.
  • The net.ipprotocol="ipv4-only" setting above was only added so that remote, IPv4-only log destinations can still be reached.
  • $DefaultNetstreamDriverCAFile should point to a valid CA certificate. The official documentation recommends a self-signed CA certificate, but if the loghost has a public address, a certificate from a public CA will do as well.

Links

Syslog-NG

The first line of the configuration file should match the current version of syslog-ng.

Configuration

@version: 3.13
options {
       use_dns(no);
       use_fqdn(no);
       owner("root");
       group("adm");
       perm(0640);
       mark_freq(300);
       stats_freq(0);
};

# sources
source s_src {
       unix-dgram("/dev/log");
       internal();
       file("/proc/kmsg" program_override("kernel"));
};

# UDP source
source s_net { udp(port(514)); };

# TLS-enabled TCP source 
source s_net_tls {
               network(ip(0.0.0.0) port(6514)
       #       syslog(ip(0.0.0.0)  port(6514)
               transport("tls")
               tls(key_file("/etc/ssl/private/server.key")
                       cert_file("/etc/ssl/private/server.pem")
                       peer-verify(optional-untrusted))
               );
};

destination d_auth              { file("/var/log/syslog/auth.log"); };
destination d_info              { file("/var/log/syslog/info.log"); };

destination d_tty               { file("/dev/tty10"); };
destination d_console           { usertty("root"); };

destination d_loghost           { udp("loghost" port(514)); };
destination d_alice             { file("/var/log/syslog/net-alice.log"); };
destination d_net               { file("/var/log/syslog/net-$FULLHOST.log"); };
destination d_net_tls           { file("/var/log/syslog/net-${FULLHOST}_tls.log"); };   # braces needed, $FULLHOST_tls would be read as one (unknown) macro
[...]

filter f_auth                   { facility(auth, authpriv); };
filter f_info                   { level(info); };

filter f_console                { level(warn .. emerg); };
filter f_loghost                { facility(kern) or match("MARK" value(MESSAGE)); };
filter f_alice                  { host("10.0.0.3$"); };
[...]

log { source(s_src); filter(f_auth);      destination(d_auth); };
log { source(s_src); filter(f_cron);      destination(d_info); };

log { source(s_src); filter(f_kern);      destination(d_tty); };
log { source(s_src); filter(f_console);   destination(d_console); };

# logging to/from a remote host
log { source(s_src); filter(f_loghost);   destination(d_loghost); };
log { source(s_net); filter(f_alice);     destination(d_alice); };
log { source(s_net);                      destination(d_net); };
log { source(s_net_tls);                  destination(d_net_tls); };
[...]

The certificate needs to be explicitly readable by root. Relying on root's implicit access instead of an explicit read bit results in EACCES[2] for some[3] reason:

$ ls -lL /etc/ssl/private/server.*
-r-------- 1 root root 1704 Apr  9  2017 /etc/ssl/private/server.key
-r--r----- 1 root http 5156 Jan 17 13:08 /etc/ssl/private/server.pem
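The listing above is the working state: the key readable by its owner only, the certificate readable by owner and one group, and the owner-read bit set explicitly. The following is an added example (not from the wiki page or from syslog-ng) that checks a key and certificate against exactly those rules before a restart; it assumes the daemon opens the files as root and that group access is acceptable for the certificate but not for the key.

```python
"""Audit the file modes of a syslog-ng TLS key and certificate.

Added example, not from the wiki page or syslog-ng.  Rules encoded here
(assumptions drawn from the `ls -lL` listing above): the owner must be root
and must have an explicit read bit, nothing may be world-accessible, nothing
may be writable by group or others, and a private key must not be accessible
by its group at all.
"""
import os
import stat
import tempfile

ROOT_UID = 0  # assumption: syslog-ng opens the key and certificate as root


def audit_mode(mode, private_key, owner_uid=None):
    """Return a list of problems for a permission mode such as 0o400.

    owner_uid=None skips the ownership check (handy for unit tests that
    cannot chown to root).
    """
    mode = stat.S_IMODE(mode)
    problems = []
    if owner_uid is not None and owner_uid != ROOT_UID:
        problems.append("owner is uid %d, expected root" % owner_uid)
    if not mode & stat.S_IRUSR:
        # No explicit owner-read bit is the situation that produced EACCES above.
        problems.append("owner read bit (0400) not set")
    if mode & stat.S_IRWXO:
        problems.append("world-accessible (mode %o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others (mode %o)" % mode)
    if private_key and mode & stat.S_IRWXG:
        problems.append("private key accessible by group (mode %o)" % mode)
    return problems


def audit_file(path, private_key):
    """stat() the file, following symlinks like `ls -lL`, and audit it."""
    st = os.stat(path)
    return audit_mode(st.st_mode, private_key, st.st_uid)


if __name__ == "__main__":
    # Demonstration on constructed temporary files (owner check will flag a
    # non-root user, which is the expected result outside a root shell).
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode, is_key in (("server.key", 0o400, True),
                                   ("server.pem", 0o440, False),
                                   ("bad.key", 0o000, True),
                                   ("bad.pem", 0o644, False)):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not real key material\n")
            os.chmod(path, mode)
            print(name, audit_file(path, is_key) or "ok")
```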

Syslogd

syslog.conf

*.err                                                   /dev/console
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
*.*;auth,authpriv,cron.warning                          @loghost

To receive remote syslog messages, syslogd must be started with option -r.

Netconsole

Under Linux, a kernel-based netconsole is available if CONFIG_NETCONSOLE is enabled.

To enable netconsole during bootup, these options are passed either as a kernel parameter at boot or as module parameters:

netconsole=[src-port]@[src-ip]/[<dev>],[tgt-port]@<tgt-ip>/[tgt-macaddr]

As an example, forward all kernel messages from our own address 10.0.0.10 over eth0 to 10.0.0.20:514, whose MAC address is 00:01:02:03:04:05:

options netconsole netconsole=@10.0.0.10/eth0,514@10.0.0.20/00:01:02:03:04:05

ASL

On Mac OS X there's ASL, the Apple System Log. While syslogd still reads syslog.conf, it is linked against the ASL libraries and thus reads asl.conf too.

The /etc/syslog.conf looks pretty much like the syslog.conf above:

*.notice;authpriv,remoteauth,ftp,install,internal.none  /var/log/system.log
auth.info;authpriv.*;remoteauth.crit                    /var/log/secure.log
kern.*                                                  /var/log/kernel.log
*.*                                                     /var/log/messages

lpr.*                                                   /var/log/lpr.log
mail.*                                                  /var/log/mail.log
ftp.*                                                   /var/log/ftp.log
install.*                                               /var/log/install.log
install.*                                               @127.0.0.1:32376
local0.*                                                /var/log/appfirewall.log
local1.*                                                /var/log/ipfw.log

*.emerg                                                 *
*.*                                                     @loghost
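The facility.priority selectors used in this syslog.conf, in the syslogd section and in the rsyslog configuration at the top of the page all share the sysklogd selector semantics, and the rsyslog note that "order matters" follows from rules being applied in file order. The following is an added example (not from the wiki page or from any syslog daemon) that implements those semantics: it decodes the RFC 3164 PRI header, compiles a selector into per-facility severity sets, and walks a rule list in order with an rsyslog-style discard. Facility and severity numbers are the RFC 3164 ones; the rule set and sample messages are constructed, and the ASL-only facilities (remoteauth, install, internal) are left out.

```python
"""Evaluate classic syslog.conf selectors and in-order rule processing.

Added example, not from the wiki page or any syslog daemon's code.  Selector
semantics follow sysklogd: '.level' means that level and more severe, '=level'
exactly one level, a leading '!' excludes, 'none' drops the facility, '*' is
everything, and later specs on the same line override earlier ones.  'mark' is
the sysklogd/rsyslog pseudo-facility for --MARK-- messages (assumed code 24).
"""
import re

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
    "mark": 24,  # --MARK-- messages from immark / sysklogd
}
SEVERITIES = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7,
}


def parse_pri(line):
    """Return (facility, severity) from the <PRI> header of a BSD syslog line."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m:
        raise ValueError("no <PRI> header in %r" % line)
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest PRI RFC 3164 allows
        raise ValueError("PRI %d out of range" % pri)
    return pri >> 3, pri & 7


def compile_selector(selector):
    """Map each facility number to the set of severities the selector accepts."""
    masks = {code: set() for code in FACILITIES.values()}
    for spec in selector.split(";"):
        spec = spec.strip()
        if not spec:
            continue
        fac_part, _, pri_part = spec.rpartition(".")
        if fac_part == "*":
            facs = list(masks)
        else:
            facs = [FACILITIES[f.strip()] for f in fac_part.split(",")]
        negate = pri_part.startswith("!")
        if negate:
            pri_part = pri_part[1:]
        single = pri_part.startswith("=")
        if single:
            pri_part = pri_part[1:]
        for fac in facs:
            if pri_part == "none":
                masks[fac] = set()                 # drop the facility entirely
            elif pri_part == "*":
                masks[fac] = set() if negate else set(range(8))
            else:
                level = SEVERITIES[pri_part]
                wanted = {level} if single else set(range(level + 1))
                if negate:
                    masks[fac] -= wanted
                else:
                    masks[fac] |= wanted
    return masks


def matches(selector, facility, severity):
    """True if a message with this facility/severity is selected."""
    return severity in compile_selector(selector).get(facility, set())


def route(rules, line):
    """Apply (selector, action) rules in file order, as syslogd and rsyslog do.

    A 'stop' action (rsyslog's discard) ends processing of that message, so
    rules after it never see it.  Returns the list of actions taken.
    """
    facility, severity = parse_pri(line)
    taken = []
    for selector, action in rules:
        if not matches(selector, facility, severity):
            continue
        if action == "stop":
            break
        taken.append(action)
    return taken


# Rule set modelled on the rsyslog configuration at the top of the page.
RULES = [
    ("auth,authpriv.*", "/var/log/syslog/auth.log"),
    ("*.=info;*.=notice;*.=warn;auth,authpriv.none;cron,daemon.none;mail,news.none",
     "/var/log/syslog/system.log"),
    ("kern,mark.*;*.warning", "@@loghost.example.net:6514"),
]

# Constructed sample messages (PRI = facility * 8 + severity), not real logs.
SAMPLE = [
    "<34>Jan 17 13:08:01 alice sshd[123]: auth.crit example",
    "<86>Jan 17 13:08:02 alice sshd[123]: authpriv.info example",
    "<6>Jan 17 13:08:03 alice kernel: kern.info example",
    "<13>Jan 17 13:08:04 alice foobard: user.notice example",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line.split(": ", 1)[1], "->", route(RULES, line))
    # Order matters: a discard rule only suppresses the rules that follow it.
    noise = SAMPLE[3]
    print("stop first:", route([("user.*", "stop")] + RULES, noise))
    print("stop last: ", route(RULES + [("user.*", "stop")], noise))
```

Running it shows the auth.crit message reaching both auth.log and the loghost (`*.warning` covers crit), the authpriv.info message reaching only auth.log, and the user.notice message being dropped entirely when the discard rule is first but still logged when it is last.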

Links

References