Linux - RSyslog
Introduction
RSyslog is a robust and flexible syslogd replacement, providing advanced features for logging on Unix-like systems. In this comprehensive guide, we will cover the installation, basic configurations, security considerations, advanced features, and optimization techniques for RSyslog.
Installation
To install RSyslog on your system, use your distribution’s package manager. For example, on Ubuntu:
1
2
sudo apt update
sudo apt install rsyslog
For other distributions, you can use tools like yum
or zypper
.
Basic Configuration
RSyslog configuration files are usually located in /etc/rsyslog.conf
and /etc/rsyslog.d/
. Here is a basic configuration to get you started:
1
2
3
4
5
6
7
8
# /etc/rsyslog.conf
# Enable UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Log messages from local0 facility to a separate file
local0.* /var/log/local0.log
This basic setup enables UDP syslog reception on port 514 and directs messages from the local0 facility to a dedicated log file.
Use Cases
Centralized Logging
One common use case is setting up RSyslog as a centralized logging server. Clients across the network can forward their logs to the central server for aggregation and analysis.
Configuration on the Client
1
2
3
# /etc/rsyslog.conf
*.* @central_log_server_ip:514
Log Rotation
RSyslog integrates with log rotation tools like logrotate
to manage log files. Ensure log rotation is configured to avoid filling up the disk.
1
2
3
4
5
6
7
8
9
# /etc/logrotate.conf
/var/log/local0.log {
rotate 7
daily
compress
missingok
notifempty
}
Security Considerations
Encryption
If transmitting logs over an insecure network, consider encrypting the communication. Use TLS for secure log forwarding:
1
2
3
4
5
6
7
8
# /etc/rsyslog.conf
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.example.com
*.* @@(o)example.com:10514
Access Control
Implement access control to restrict who can send logs to the RSyslog server:
1
2
3
# /etc/rsyslog.conf
$AllowedSender UDP, 127.0.0.1, 192.168.1.0/24
Advanced Features
Filtering
RSyslog supports powerful message filtering rules. For example, log only messages with a specific severity:
1
2
3
4
# /etc/rsyslog.conf
if $syslogseverity <= 4 then /var/log/severity_less_than_or_equal_to_4.log
& ~
Templates
Customize log message format using templates:
1
2
3
4
# /etc/rsyslog.conf
$template CustomFormat,"[%msg%]"
*.* /var/log/custom_format.log;CustomFormat
Optimization
Batch Processing
To optimize performance, consider batching log entries before writing to disk:
1
2
3
4
5
6
7
# /etc/rsyslog.conf
$MainMsgQueueSize 100000
$MainMsgQueueDequeueSlowdown 0
$MainMsgQueueDiscardMark 97500
$MainMsgQueueHighWaterMark 80000
$MainMsgQueueLowWaterMark 60000
Conclusion
RSyslog provides a powerful logging solution with extensive customization and security features.