Ubuntu/syslog: Difference between revisions
< Ubuntu
(Created page with "Managed by rsyslog See syslog") |
No edit summary |
||
| (4 intermediate revisions by the same user not shown) | |||
| Line 2: | Line 2: | ||
See [[syslog]] | See [[syslog]] | ||
== Remote syslog == | |||
=== Send === | |||
Easy: | |||
/etc/rsyslog.d/10-rsyslog.conf | |||
*.* @remote.server:514 | |||
service rsyslog restart | |||
# or | |||
systemctl restart rsyslog | |||
=== Receive === | |||
/etc/rsyslog.conf | |||
systemctl restart rsyslog | |||
Test: | |||
logger "hello" --server [HOST] --port 514 | |||
# or | |||
logger "hello" -n [host] -P 514 | |||
# or | |||
logger "hello" -n [host] | |||
Capture traffic example: <ref>https://ubuntuforums.org/showthread.php?t=2457983</ref> | |||
sudo tcpdump -n dst port 514 -v | |||
<pre> | |||
192.168.0.12.36097 > 192.168.0.11.514: SYSLOG, length: 122 | |||
Facility user (1), Severity notice (5) | |||
Msg: 1 2021-02-13T18:18:47.193781+00:00 ubuntu ubuntu - - [timeQuality tzKnown="1" isSynced="1" syncAccuracy="284500"] Test | |||
</pre> | |||
To have each system store in seperate file: <ref>https://www.linkedin.com/pulse/how-install-set-up-rsyslog-server-linux-ubuntu-20041-akshay-sharma</ref> | |||
input(type="imtcp" port="514") | |||
$template RemInputLogs, "/var/log/remotelogs/%FROMHOST-IP%/%PROGRAMNAME%.log" | |||
*.* ?RemInputLogs | |||
I like /var/log/remote | |||
/var/log/remotelogs or /var/log/remote | |||
Modified: | |||
<pre> | |||
################# | |||
#### MODULES #### | |||
################# | |||
module(load="imuxsock") # provides support for local system logging | |||
module(load="immark") # provides --MARK-- message capability | |||
# provides UDP syslog reception | |||
module(load="imudp") | |||
input(type="imudp" port="514") | |||
# provides TCP syslog reception | |||
module(load="imtcp") | |||
input(type="imtcp" port="514") | |||
# provides kernel logging support and enable non-kernel klog messages | |||
module(load="imklog" permitnonkernelfacility="on") | |||
</pre> | |||
Before: | |||
<pre> | |||
################# | |||
#### MODULES #### | |||
################# | |||
module(load="imuxsock") # provides support for local system logging | |||
#module(load="immark") # provides --MARK-- message capability | |||
# provides UDP syslog reception | |||
#module(load="imudp") | |||
#input(type="imudp" port="514") | |||
# provides TCP syslog reception | |||
#module(load="imtcp") | |||
#input(type="imtcp" port="514") | |||
# provides kernel logging support and enable non-kernel klog messages | |||
module(load="imklog" permitnonkernelfacility="on") | |||
</pre> | |||
Latest revision as of 23:07, 1 January 2025
Managed by rsyslog
See syslog
Remote syslog
Send
Easy:
/etc/rsyslog.d/10-rsyslog.conf *.* @remote.server:514
service rsyslog restart # or systemctl restart rsyslog
Receive
/etc/rsyslog.conf
systemctl restart rsyslog
Test:
logger "hello" --server [HOST] --port 514 # or logger "hello" -n [host] -P 514 # or logger "hello" -n [host]
Capture traffic example: [1]
sudo tcpdump -n dst port 514 -v
192.168.0.12.36097 > 192.168.0.11.514: SYSLOG, length: 122
Facility user (1), Severity notice (5)
Msg: 1 2021-02-13T18:18:47.193781+00:00 ubuntu ubuntu - - [timeQuality tzKnown="1" isSynced="1" syncAccuracy="284500"] Test
To have each system store in seperate file: [2]
input(type="imtcp" port="514") $template RemInputLogs, "/var/log/remotelogs/%FROMHOST-IP%/%PROGRAMNAME%.log" *.* ?RemInputLogs
I like /var/log/remote
/var/log/remotelogs or /var/log/remote
Modified:
################# #### MODULES #### ################# module(load="imuxsock") # provides support for local system logging module(load="immark") # provides --MARK-- message capability # provides UDP syslog reception module(load="imudp") input(type="imudp" port="514") # provides TCP syslog reception module(load="imtcp") input(type="imtcp" port="514") # provides kernel logging support and enable non-kernel klog messages module(load="imklog" permitnonkernelfacility="on")
Before:
################# #### MODULES #### ################# module(load="imuxsock") # provides support for local system logging #module(load="immark") # provides --MARK-- message capability # provides UDP syslog reception #module(load="imudp") #input(type="imudp" port="514") # provides TCP syslog reception #module(load="imtcp") #input(type="imtcp" port="514") # provides kernel logging support and enable non-kernel klog messages module(load="imklog" permitnonkernelfacility="on")