Ubuntu/syslog

From Omnia

On Ubuntu the system log is managed by rsyslog.

See syslog


Remote syslog

Send

Easy: add a forwarding rule in a fragment under /etc/rsyslog.d/ and restart rsyslog. A single @ forwards over UDP; @@ would forward over TCP.

/etc/rsyslog.d/10-rsyslog.conf:
*.* @remote.server:514

service rsyslog restart
# or
systemctl restart rsyslog
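
The one-line rule above drops messages while the collector is unreachable. As an added example (not from this page), the script below renders a forwarding fragment that uses TCP and a disk-assisted queue, syntax-checks it with rsyslogd -N1, and restarts rsyslog. It keeps the page's collector name remote.server; the fragment name /etc/rsyslog.d/20-forward.conf and the queue sizes are assumptions.

```shell
#!/bin/sh
# Added example (not from the Omnia page): forward with TCP ("@@" rather than
# "@") plus a disk-assisted queue, so messages wait on local disk while the
# collector is down instead of being dropped. Assumes the collector name
# remote.server from the page; the fragment name 20-forward.conf and the
# queue limits are hypothetical choices.

# Print the rsyslog fragment for a given collector and port.
render_forward_conf() {
  target="${1:-remote.server}"
  port="${2:-514}"
  cat <<EOF
# Forward everything to ${target} over TCP. The queue spills to disk under
# rsyslog's work directory when memory fills, is saved across restarts, and
# the action retries forever instead of discarding messages.
action(type="omfwd" target="${target}" port="${port}" protocol="tcp"
       queue.type="LinkedList" queue.filename="fwd_${target}"
       queue.saveOnShutdown="on" queue.maxDiskSpace="1g"
       action.resumeRetryCount="-1" action.resumeInterval="30")
EOF
}

# Write the fragment to the given path.
install_forward_conf() {
  path="$1"
  target="${2:-remote.server}"
  port="${3:-514}"
  render_forward_conf "$target" "$port" > "$path"
}

# Syntax-check a fragment before restarting (skipped when rsyslogd is absent).
check_conf() {
  if command -v rsyslogd >/dev/null 2>&1; then
    rsyslogd -N1 -f "$1"
  fi
}

# Usage: sh forward.sh install [collector] [port]
if [ "${1:-}" = "install" ]; then
  install_forward_conf /etc/rsyslog.d/20-forward.conf "${2:-remote.server}" "${3:-514}"
  check_conf /etc/rsyslog.d/20-forward.conf
  systemctl restart rsyslog
fi
```

queue.filename enables the disk part of the queue; without it the queue lives only in memory and is lost on restart even with queue.saveOnShutdown set.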

Receive

Enable the UDP and TCP listeners in /etc/rsyslog.conf (see the Modified and Before listings below), then restart:

systemctl restart rsyslog

Test:

logger "hello" --server [HOST] --port 514
# or
logger "hello" -n [host] -P 514
# or
logger "hello" -n [host]

Capturing the traffic on the receiver, for example: [1]

sudo tcpdump -n dst port 514 -v
    192.168.0.12.36097 > 192.168.0.11.514: SYSLOG, length: 122
        Facility user (1), Severity notice (5)
        Msg: 1 2021-02-13T18:18:47.193781+00:00 ubuntu ubuntu - - [timeQuality tzKnown="1" isSynced="1" syncAccuracy="284500"] Test
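
tcpdump shows the PRI already decoded (facility user = 1, severity notice = 5, so PRI = 1 * 8 + 5 = 13) and the rest of the RFC 5424 header verbatim. As an added example (not from this page), the POSIX shell parser below splits a constructed copy of that frame, with the <13> prefix restored, into its fields; SAMPLE is constructed from the capture above and is the only input it ships with.

```shell
#!/bin/sh
# Added example (not from the Omnia page): split an RFC 5424 syslog frame into
# its fields. SAMPLE is a constructed wire-format copy of the frame in the
# tcpdump capture, with the "<13>" PRI prefix that tcpdump decodes as
# facility user (1) and severity notice (5): 1 * 8 + 5 = 13.
SAMPLE='<13>1 2021-02-13T18:18:47.193781+00:00 ubuntu ubuntu - - [timeQuality tzKnown="1" isSynced="1" syncAccuracy="284500"] Test'

# PRI encodes facility * 8 + severity (RFC 5424 section 6.2.1).
pri_facility() { echo $(( $1 / 8 )); }
pri_severity() { echo $(( $1 % 8 )); }

facility_name() {
  case "$1" in
    0) echo kern;;   1) echo user;;    2) echo mail;;      3) echo daemon;;
    4) echo auth;;   5) echo syslog;;  6) echo lpr;;       7) echo news;;
    8) echo uucp;;   9) echo cron;;   10) echo authpriv;; 11) echo ftp;;
    16|17|18|19|20|21|22|23) echo "local$(( $1 - 16 ))";;
    *) echo unknown;;
  esac
}

severity_name() {
  case "$1" in
    0) echo emerg;;   1) echo alert;;  2) echo crit;; 3) echo err;;
    4) echo warning;; 5) echo notice;; 6) echo info;; 7) echo debug;;
    *) echo unknown;;
  esac
}

# Print the fields of one RFC 5424 line as key=value pairs, one per line.
# Handles "-" or a run of [SD-ELEMENT]s; an escaped "\]" inside a value is not handled.
parse_5424() {
  line="$1"
  case "$line" in
    '<'[0-9]*'>'*) ;;
    *) echo "not an RFC 5424 frame: missing <PRI>" >&2; return 1;;
  esac
  pri="${line#<}"; pri="${pri%%>*}"
  rest="${line#*>}"
  # HEADER = VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
  version="${rest%% *}";   rest="${rest#* }"
  timestamp="${rest%% *}"; rest="${rest#* }"
  host="${rest%% *}";      rest="${rest#* }"
  app="${rest%% *}";       rest="${rest#* }"
  procid="${rest%% *}";    rest="${rest#* }"
  msgid="${rest%% *}";     rest="${rest#* }"
  if [ "$version" != 1 ]; then
    echo "unsupported syslog version: $version" >&2; return 1
  fi
  # STRUCTURED-DATA is either "-" or one or more [...] elements, then the MSG.
  sd=""
  if [ "${rest%% *}" = "-" ]; then
    sd="-"; rest="${rest#-}"
  fi
  while [ "${rest#\[}" != "$rest" ]; do
    sd="$sd${rest%%\]*}]"
    rest="${rest#*\]}"
  done
  msg="${rest# }"
  printf 'pri=%s\nfacility=%s\nseverity=%s\nversion=%s\ntimestamp=%s\nhost=%s\napp=%s\nprocid=%s\nmsgid=%s\nsd=%s\nmsg=%s\n' \
    "$pri" "$(facility_name "$(pri_facility "$pri")")" \
    "$(severity_name "$(pri_severity "$pri")")" \
    "$version" "$timestamp" "$host" "$app" "$procid" "$msgid" "$sd" "$msg"
}

parse_5424 "$SAMPLE"
```

The hostname and app-name fields (both "ubuntu" in the capture) are whatever the sender put in the frame; only the source IP that tcpdump prints comes from the network layer, which is why the per-host template further down keys on FROMHOST-IP rather than on HOSTNAME.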

To store each system's messages in a separate file: [2]

input(type="imtcp" port="514")
$template RemInputLogs, "/var/log/remotelogs/%FROMHOST-IP%/%PROGRAMNAME%.log"
*.* ?RemInputLogs

I like /var/log/remote

/var/log/remotelogs or /var/log/remote

Modified /etc/rsyslog.conf (immark, imudp and imtcp enabled):

#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

Before (listeners commented out):

#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")
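
The per-host template snippet and the Modified listing above leave two things open: with "*.* ?RemInputLogs" in the main ruleset the collector's own local logs are written under its own IP as well, and %PROGRAMNAME% is parsed from the sender's message before it becomes part of a file path. As an added example (not from this page or from rsyslog's own documentation), the script below renders a receiver fragment that binds both listeners to their own ruleset, uses FROMHOST-IP (taken from the socket, not from the message) for the directory, and applies rsyslog's secpath-replace property option so any "/" in the program name becomes "_". The base directory defaults to the page's /var/log/remote; the fragment name /etc/rsyslog.d/30-remote.conf and the file modes are assumptions. If imudp and imtcp are already loaded in /etc/rsyslog.conf as in the Modified listing, remove the two module() lines from the fragment (loading a module twice is an error) and add ruleset="remote" to the existing input() lines instead.

```shell
#!/bin/sh
# Added example (not from the Omnia page): a receiver fragment for
# /etc/rsyslog.d/ that keeps remote messages in their own ruleset and
# sanitizes the sender-supplied program name before it is used as a path
# component. Base directory defaults to /var/log/remote; the fragment name
# 30-remote.conf and the 0750/0640 modes are hypothetical choices.

# Print the rsyslog fragment for a given base directory.
render_receiver_conf() {
  base="${1:-/var/log/remote}"
  cat <<EOF
module(load="imudp")
module(load="imtcp")

# FROMHOST-IP comes from the socket, so a sender cannot choose it.
# PROGRAMNAME is parsed from the sender's message; secpath-replace turns any
# "/" in it into "_" so it cannot leave the per-host directory.
template(name="RemInputLogs" type="string"
         string="${base}/%FROMHOST-IP%/%PROGRAMNAME:::secpath-replace%.log")

# Everything arriving on the network listeners is handled here and stops,
# so it never reaches the main ruleset and the local log files.
ruleset(name="remote") {
  action(type="omfile" dynaFile="RemInputLogs"
         dirCreateMode="0750" fileCreateMode="0640")
  stop
}

# Bind both listeners to the ruleset. Without the binding, a bare
# "*.* ?RemInputLogs" in the main ruleset would also copy the collector's
# own local logs into ${base}/<own ip>/.
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
EOF
}

# Write the fragment to the given path.
install_receiver_conf() {
  path="$1"
  render_receiver_conf "${2:-/var/log/remote}" > "$path"
}

# Syntax-check a fragment before restarting (skipped when rsyslogd is absent).
check_conf() {
  if command -v rsyslogd >/dev/null 2>&1; then
    rsyslogd -N1 -f "$1"
  fi
}

# Usage: sh receiver.sh install [base-directory]
if [ "${1:-}" = "install" ]; then
  install_receiver_conf /etc/rsyslog.d/30-remote.conf "${2:-/var/log/remote}"
  check_conf /etc/rsyslog.d/30-remote.conf
  systemctl restart rsyslog
fi
```

The template and ruleset are emitted before the input() lines on purpose: the inputs reference the ruleset by name, so it has to exist when they are parsed.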