2==================================
3rsyslog
4==================================
5
6In computing, syslog is a widely used standard for message logging. It permits separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them.
7
8Sample pillars
9==============
10
Rsyslog service with default logging template
12
13.. code-block:: yaml
14
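# Minimal client pillar: only enables the rsyslog client. No format or output
# keys are set, so this is the "default logging template" case.
rsyslog:
  client:
    enabled: true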
18
19
20Rsyslog service with precise timestamps, severity, facility.
22.. code-block:: yaml
23
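# Client pillar with an explicit message format and one entry per output file.
rsyslog:
  client:
    enabled: true
    format:
      name: TraditionalFormatWithPRI
      # Single-quoted in YAML so the inner double quotes and the backslash-n
      # reach the formula as literal characters.
      template: '"%syslogpriority% %syslogfacility% %timestamp:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"'
    output:
      file:
        # Filters are quoted: a plain scalar that starts with '*' is read by
        # YAML as an alias and fails to load.
        # createmode and umask are quoted: a YAML 1.1 loader reads a bare 0640
        # as the octal integer 416. Confirm the formula expects the string
        # form.
        # owner syslog, group adm and mode 0640 keep the files unreadable to
        # local users outside the adm group.
        # NOTE(review): a leading '-' on a path looks like rsyslog's legacy
        # "do not sync after each write" marker; auth.log and mail.err omit
        # it. Confirm the formula passes the key through unchanged.
        -/var/log/syslog:
          filter: '*.*;auth,authpriv.none'
          owner: syslog
          group: adm
          createmode: '0640'
          umask: '0022'
        /var/log/auth.log:
          filter: 'auth,authpriv.*'
          owner: syslog
          group: adm
          createmode: '0640'
          umask: '0022'
        -/var/log/kern.log:
          filter: 'kern.*'
          owner: syslog
          group: adm
          createmode: '0640'
          umask: '0022'
        -/var/log/mail.log:
          filter: 'mail.*'
          owner: syslog
          group: adm
          createmode: '0640'
          umask: '0022'
        /var/log/mail.err:
          filter: 'mail.err'
          owner: syslog
          group: adm
          createmode: '0640'
          umask: '0022'
        ":omusrmsg:*":
          filter: '*.emerg'
        "|/dev/xconsole":
          # The trailing ':' after the closing quote in the original sample
          # made this line invalid YAML; it is dropped here.
          filter: "daemon.*;mail.*; news.err; *.=debug;*.=info;*.=notice;*.=warn"
        -/var/log/your-app.log:
          filter: "if $programname startswith 'your-app' then"
          owner: syslog
          group: adm
          createmode: '0640'
          umask: '0022'
          # presumably stops further rules from handling messages matched
          # here, so they are not also written to the files above - confirm.
          stop_processing: true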
Rsyslog service with RainerScript (module, ruleset, template, input).
75
76.. code-block:: yaml
77
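# Client pillar using RainerScript: imfile inputs tail application log files,
# tag them, and hand them to a ruleset that forwards them to a remote host.
rsyslog:
  client:
    # presumably the account rsyslogd runs as after start-up; it then needs
    # read access to every file matched by the imfile globs below - confirm.
    run_user: syslog
    run_group: adm
    enabled: true
    rainerscript:
      module:
        imfile: {}
      input:
        imfile:
          nginx:
            File: "/var/log/nginx/*.log"
            Tag: "nginx__"
            Severity: "notice"
            Facility: "local0"
            PersistStateInterval: "0"
            Ruleset: "myapp_logs"
          apache2:
            File: "/var/log/apache2/*.log"
            Tag: "apache2__"
            Severity: "notice"
            Facility: "local0"
            Ruleset: "myapp_logs"
            PersistStateInterval: "0"
          rabbitmq:
            File: "/var/log/rabbitmq/*.log"
            Tag: "rabbitmq__"
            Severity: "notice"
            Facility: "local0"
            PersistStateInterval: "0"
            Ruleset: "myapp_logs"
      template:
        ImfileFilePath:
          parameter:
            type: string
            # Double-quoted, so YAML converts \n into a real newline before the
            # formula sees the value. NOTE(review): the format sample on this
            # page single-quotes its template to keep a literal backslash-n;
            # confirm which form the formula expects.
            string: "<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%$.suffix%%msg:::sp-if-no-1st-sp%%msg%\n"
      ruleset:
        remote_logs:
          # Forwards over plain UDP: no encryption, no peer authentication and
          # no delivery guarantee. The TLS samples on this page show protected
          # transports for traffic that leaves a trusted network.
          description: 'action(type="omfwd" Target="172.16.10.92" Port="10514" Protocol="udp" Template="ImfileFilePath")'
        myapp_logs:
          # NOTE(review): [^/.log] is a character class (any character other
          # than '/', '.', 'l', 'o', 'g'), not a ".log" suffix match - confirm
          # the extraction does what is intended.
          description: 'set $.suffix=re_extract($!metadata!filename, "(.*)/([^/]*[^/.log])", 0, 2, "all.log"); call remote_logs'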
119
Rsyslog service with GnuTLS encryption for forwarding messages (omfwd module with the gtls network stream driver).
121
122.. code-block:: yaml
123
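# Client pillar that forwards all messages over TCP wrapped in TLS, using the
# omfwd module with the gtls network stream driver.
rsyslog:
  client:
    pkgs:
      - rsyslog-gnutls
      - rsyslog
    run_user: syslog
    run_group: adm
    enabled: true
    ssl:
      enabled: true
      engine: manual
      # The private key is pillar data. Keep the real value out of version
      # control (for example with Salt's GPG-encrypted pillar) and target this
      # pillar only at the minion that needs it.
      key: |
        -----BEGIN RSA PRIVATE KEY-----
        -----END RSA PRIVATE KEY-----
      cert: |
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----
      cacert_chain: |
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----
    rainerscript:
      global:
        # presumably the ssl.* values above are written to these paths;
        # confirm, and confirm the key file is readable only by run_user.
        defaultNetstreamDriverCAFile: "/etc/rsyslog.d/rsyslog_ca.crt"
        defaultNetstreamDriverKeyFile: "/etc/rsyslog.d/rsyslog_client.key"
        defaultNetstreamDriverCertFile: "/etc/rsyslog.d/rsyslog_client.crt"
    output:
      remote:
        somehost.domain:
          # streamDriverauthMode="anon" encrypts the stream but does not
          # authenticate the server, so the client cannot tell the intended
          # collector from another host answering on that address. For
          # authenticated forwarding, use StreamDriverAuthMode="x509/name"
          # with StreamDriverPermittedPeers set to the collector's certificate
          # name; the RELP sample on this page shows the equivalent
          # tls.authmode="name".
          action: 'action(type="omfwd" Target="172.16.10.92" Port="20514" Protocol="tcp" streamDriver="gtls" streamDriverauthMode="anon" streamDriverMode="1")'
          filter: "*.*"
          enabled: true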
155
156Rsyslog service with RELP TLS encryption for forwarding the messages (omrelp module).
157
158.. code-block:: yaml
159
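# Client pillar that forwards all messages over RELP with TLS (omrelp module).
rsyslog:
  client:
    pkgs:
      - rsyslog-relp
      - rsyslog
    run_user: syslog
    run_group: adm
    enabled: true
    ssl:
      enabled: true
      engine: manual
      # The private key is pillar data. Keep the real value out of version
      # control (for example with Salt's GPG-encrypted pillar) and target this
      # pillar only at the minion that needs it.
      key: |
        -----BEGIN RSA PRIVATE KEY-----
        -----END RSA PRIVATE KEY-----
      cert: |
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----
      cacert_chain: |
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----
    rainerscript:
      module:
        omrelp: {}
    output:
      remote:
        somehost.domain:
          # tls.authmode="name" together with tls.permittedpeer makes the
          # client accept only a server whose certificate carries the listed
          # name; replace "remote.example.com" with the collector's real
          # certificate name.
          # presumably the ssl.* values above are written to the
          # /etc/rsyslog.d paths referenced here - confirm.
          action: 'action(type="omrelp" target="172.16.10.92" port="20514" tls="on" tls.caCert="/etc/rsyslog.d/rsyslog_ca.crt" tls.myCert="/etc/rsyslog.d/rsyslog_client.crt" tls.myPrivKey="/etc/rsyslog.d/rsyslog_client.key" tls.authmode="name" tls.permittedpeer=["remote.example.com"])'
          filter: "*.*"
          enabled: true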
189
Custom templates
================
192
193It is possible to define a specific syslog template per output file instead of
194using the default one.
195
196.. code-block:: yaml
197
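# Per-file template override for a single output file.
# NOTE(review): this sample puts output directly under rsyslog, while the
# fuller sample on this page lists output after client.format; confirm which
# path the formula reads.
rsyslog:
  output:
    file:
      /var/log/your-app.log:
        # The original value was wrapped in doubled double quotes, which is
        # not valid YAML. It is rewritten in the single-quoted form that the
        # format sample on this page uses, so the inner quotes and the
        # backslash-n stay literal. NOTE(review): intended value inferred from
        # that sample - confirm.
        template: '"%syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"'
        filter: "if $programname startswith 'your-app' then"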
204
Remote rsyslog server
=====================
207
It is possible to have rsyslog act as a remote server that collects, stores or forwards logs.
This functionality is provided via rsyslog input/output modules, rulesets and templates.
210
211.. code-block:: yaml
212
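# Server pillar: receive syslog over UDP on port 10514 and write each message
# to a file whose path is built from fields of that message.
rsyslog:
  server:
    enabled: true
    module:
      # imudp accepts syslog over UDP, which carries no sender authentication
      # and no encryption. Restrict which hosts can reach the port (firewall or
      # ACL) and prefer a TLS-capable input for senders outside a trusted
      # network.
      imudp: {}
    template:
      RemoteFilePath:
        parameter:
          type: string
          # %HOSTNAME% and %programname% are taken from the received message,
          # so remote senders influence which directories and files get
          # created under /var/log. Consider %fromhost-ip% for the directory
          # component and the secpath-replace property option on
          # sender-supplied fields.
          string: /var/log/%HOSTNAME%/%programname%.log
    ruleset:
      remote10514:
        description: action(type="omfile" dynaFile="RemoteFilePath")
    input:
      imudp:
        port: 10514
        ruleset: remote10514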
Support metadata
================
235
If the *heka* support metadata is enabled, all output files are automatically
parsed by the **log_collector** service.
To skip the log_collector configuration for a file, set **skip_log_collector** to true.
239
240.. code-block:: yaml
241
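# Output file that is excluded from the log_collector configuration.
# NOTE(review): this sample puts output directly under rsyslog, while the
# fuller sample on this page lists output after client.format; confirm which
# path the formula reads.
rsyslog:
  output:
    file:
      /var/log/your-app.log:
        filter: "if $programname startswith 'your-app' then"
        skip_log_collector: true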
249Read more
250=========
251
252http://www.rsyslog.com/
253https://wiki.gentoo.org/wiki/Rsyslog
254https://github.com/saz/puppet-rsyslog