Cisco – rsyslog – configuration help – logrotate and compression

Tags: cisco, debian-wheezy, rsyslog

I am a newbie to Linux and rsyslog. I have used the logfiles for many years, but I have never had to set one up.
At this point I have some Proof of Concept devices pointing to my Debian Linux server.
I have the syslog messages coming in and being written to a single file: /var/log/prd/fwlog
I am only concerned about 3 device types – switches, routers and firewalls (all Cisco).
My rsyslog.conf is fairly simple; I have only modified the basic config and commented out the stuff I didn't like/need.

(snipped out the commented-out stuff)

$ModLoad immark  # provides --MARK-- message capability    

$ModLoad imudp
$UDPServerRun 514

$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

$WorkDirectory /var/spool/rsyslog

$IncludeConfig /etc/rsyslog.d/*.conf

*.*          /var/log/prd/fwlog

Finally my questions!

  1. I want to rotate and separate the routers and switches in a log with a date stamp called 'rslog-YYYY-MM-DD'
    also the firewalls into a log with a date stamp called 'fwlog-YYYY-MM-DD'

  2. I want to compress(gzip?) the logs after 48hrs.

what do I need to add to my config?

I think I added the directory and file to my rsyslog in /etc/logrotate.d/rsyslog

/var/log/syslog
{
        rotate 7
        daily
        missingok
        notifempty
        delaycompress
        compress
        postrotate
                invoke-rc.d rsyslog rotate > /dev/null
        endscript
}

/var/log/prd/fwlog*
/var/log/prd/rslog*
{
        rotate 4
        weekly
        missingok
        notifempty
        compress
        delaycompress
        sharedscripts
        postrotate
                invoke-rc.d rsyslog rotate > /dev/null
        endscript
}

Thanks in advance for any help!

Best Answer

I want to rotate and separate the routers and switches in a log with a date stamp called 'rslog-YYYY-MM-DD' also the firewalls into a log with a date stamp called 'fwlog-YYYY-MM-DD'

To start, you need to separate your firewall and switches with filtering in rsyslog. Exactly how to do this varies based on the version of rsyslog you are running. They have changed configuration syntax quite a bit over time. My notes below are based on an older release of Rsyslog v3 that ships with Red Hat. You will want to verify this against the documentation for your release.

For a property based filter, it will look something like;

:fromhost-ip,isequal,"192.168.1.1"              /var/log/prd/fwlog
&~
:fromhost-ip,isequal,"192.168.1.254"            /var/log/prd/rslog
&~

The next part is your desired filename. For that, you will combine filtering with rsyslog's templates to generate dynamic filenames for your logs.

# Dynamic file names: the date properties are taken from each message as it is written
$template Firewall,"/var/log/prd/fwlog-%$YEAR%-%$MONTH%-%$DAY%"
$template Switch,"/var/log/prd/rslog-%$YEAR%-%$MONTH%-%$DAY%"

# "?Template" writes to the file named by the template; the leading "-" skips sync after each write.
# "&~" discards the message so it does not also hit the catch-all "*.*" rule.
:fromhost-ip,isequal,"192.168.1.1"              -?Firewall
&~
:fromhost-ip,isequal,"192.168.1.254"            -?Switch
&~

I want to compress(gzip?) the logs after 48hrs.

The last part, compression, would rely on a daily cron job that compresses files. (Where $date is $today - 2.) The date command already has a built in format for YYYY-MM-DD, so we'll use that. (%F)

gzip /var/log/prd/*-$(date --date='2 days ago' +%F)
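The two pieces of the answer above (per-device routing into dated files, and compression after 48 hours) put together as one runnable script. This is an added example, not code from the question or the answer: the device IPs are made up, the drop-in file name `10-cisco.conf` and the log directory `/var/log/prd` are assumptions, and the directive syntax is the legacy rsyslog style used in the answer. Two points it adds: the match is on `fromhost-ip` (the UDP source address) rather than on the hostname inside the message, which any sender on the network can forge; and compression is driven by `find` on file age, so a skipped cron run does not leave a day uncompressed the way a single `*-$(date --date='2 days ago')` glob would.

```shell
#!/bin/sh
# Added example (not from the original post). Generates an rsyslog drop-in
# that routes Cisco devices into dated files by source IP, and compresses
# dated logs older than N hours. Assumes legacy rsyslog (v3-v5) directive
# syntax and the /var/log/prd directory from the question.

# Constructed device lists (assumption: these addresses are examples only).
FIREWALL_IPS="192.168.1.1 192.168.1.2"
SWITCH_IPS="192.168.1.254 192.168.1.253"

# write_rsyslog_conf DEST: write the drop-in to DEST (e.g. /etc/rsyslog.d/10-cisco.conf).
# Because rsyslog.conf includes /etc/rsyslog.d/*.conf before its "*.*" catch-all,
# these rules run first; "& ~" then discards the matched message so it does not
# also land in /var/log/prd/fwlog.
write_rsyslog_conf() {
    dest=$1
    {
        printf '# generated: Cisco device routing by source IP\n'
        printf '$template Firewall,"/var/log/prd/fwlog-%%$YEAR%%-%%$MONTH%%-%%$DAY%%"\n'
        printf '$template Switch,"/var/log/prd/rslog-%%$YEAR%%-%%$MONTH%%-%%$DAY%%"\n'
        for ip in $FIREWALL_IPS; do
            printf ':fromhost-ip, isequal, "%s"\t-?Firewall\n& ~\n' "$ip"
        done
        for ip in $SWITCH_IPS; do
            printf ':fromhost-ip, isequal, "%s"\t-?Switch\n& ~\n' "$ip"
        done
    } > "$dest"
}

# compress_old_logs DIR HOURS: gzip fwlog-*/rslog-* files in DIR whose mtime is
# older than HOURS. Today's file is still being written by rsyslog and is never
# that old, so it is left alone; already-compressed files are skipped.
compress_old_logs() {
    dir=$1
    hours=$2
    find "$dir" -maxdepth 1 -type f \
        \( -name 'fwlog-[0-9]*' -o -name 'rslog-[0-9]*' \) \
        ! -name '*.gz' -mmin "+$((hours * 60))" -exec gzip {} \;
}

# Typical use from cron (daily), as root:
#   write_rsyslog_conf /etc/rsyslog.d/10-cisco.conf && rsyslogd -N1 && invoke-rc.d rsyslog restart
#   compress_old_logs /var/log/prd 48
```

Validate the generated file with `rsyslogd -N1` before restarting. Since `$UDPServerRun 514` accepts datagrams from anyone, restrict inbound UDP/514 on the host firewall to the device addresses listed above; otherwise any host can inject lines into these files.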