CentOS Rsyslog Server – How to Split and Organize Logs

centosrsyslog

I recently setup one of our servers as an rsyslog server. I now have our firewall setup to log everything to that rsyslog server.

But there doesn't seem to be an organization of the logs. All the firewall logs are just being dumped into the /var/log/messages on the rsyslog server. I guess I was maybe expecting them to at least be in a machine specific log file or directory.

How can I organize the incoming logging? If I setup 20 servers to all log everything to a central rsyslog server, I really don't want everything being dumped into one big file or a few files. How can I setup rsyslog to tell it where to log what? Like if all the logs for a specific server were in it's own directory/file, etc… Is this possible?

Best Answer

Rsyslog has a pretty good configuration system which allows you to create logs in many different ways. Check the online docs.

Specifically you may want to check out the configuration samples. This recipe may be close to what you want.

http://wiki.rsyslog.com/index.php/Sysklogd_drop-in_with_remote_logs_separated_by_dynamic_directory

Related Solutions

Restarting rsyslog re-sends logs again

The freezing of log transmission aspect of this problem appears to likely be due to a bug in the way rsyslog is configured out of the box with 'buntu: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/940030

I was also able to find an interesting post on expertsexchange: www.expert-sex-change.com/OS/Linux/Administration/Q_27511414.html:

> I recently ran into a problem and was hoping someone could help me figure it out.  I am
> running Ubuntu 10.04 and rsyslog 5.8.1.  I setup rsyslog to monitor a few files and send
> the any changes to those files to Loggly (great service by the way).  Well, it all works
> great, except for the fact that whenever I restart rsyslog it resends everything from those
> files that it had sent in the past.  Now, it is my understanding that rsyslog should use
> the $WorkDirectory and create what file that you set for $InputFileStateFile to save the
> state of the monitored file so that it does not send duplicate entries.
> 
> Here is an example that I'm working with:
> 
> $WorkDirectory /var/log/rsyslog
> 
> # Monit log file
> $InputFileName /var/log/monit.log
> $InputFileTag monit
> $InputFileStateFile monit-state
> $InputFileSeverity info
> $InputRunFileMonitor
> 
> So, from my description above, rsyslog should create a "monit-state" file in 
> "/var/log/rsyslog" which would save the state of the /var/log/monit.log" file so no 
> duplicates are sent.  Is that correct?  If so, this is not happening!
> 
> What should the premission of "/var/log/rsyslog" be?  Do I have to touch "monit-state" in
> "/var/log/rsyslog" (I tried that already and nothing happened)?

With an interesting answer:

> Ok, I found this site (Trouble Shooting Rsyslog) and went through the interactive debugging
> mode using:
> 
> rsyslogd -c5 -dn > logfile
> 1:
> Select all
> Open in new window
> 
> 
> I was able to see that it was in fact a permissions problem.  I opened up permissions to
> 777 for my $WorkDirectory, just to test, and rsyslog did create the state files and
> everything worked as planned.  I will continue to play with the permissions so that it's
> not 777 (obviously), but I wanted to let anyone else that might be having this problem know
> how I solved it.

I have adjusted the permissions on /var/spool/rsyslog to be owned by user "syslog". I've tested for duplicate transmissions after applying this change and it seems to have fixed the problem. If the problem re-emerges or I find out that this didn't fix it, I will return here and update the answer.

SOLUTION:

$ sudo chown syslog /var/spool/rsyslog

Sending logs to remote server with rsyslog

SELinux was blocking rsyslog from sending on port 5000. By default SELinux only allowes rsyslog to send traffic on UDP 514.

I added an exception to SELinux with:

$sudo semanage port -a -t syslogd_port_t -p tcp 5000

Best Answer

Related Solutions

Restarting rsyslog re-sends logs again

Sending logs to remote server with rsyslog

Related Topic