==================================
rsyslog
==================================

In computing, syslog is a widely used standard for message logging. It permits separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them.

Sample pillars
==============

Rsyslog service with default logging template.

.. code-block:: yaml

    rsyslog:
      client:
        enabled: true

Rsyslog service with precise timestamps, severity and facility.

.. code-block:: yaml

    rsyslog:
      client:
        enabled: true
        format:
          name: TraditionalFormatWithPRI
          template: '"%syslogpriority% %syslogfacility% %timestamp:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"'
        output:
          file:
            -/var/log/syslog:
              filter: "*.*;auth,authpriv.none"
              owner: syslog
              group: adm
              createmode: 0640
              umask: 0022
            /var/log/auth.log:
              filter: auth,authpriv.*
              owner: syslog
              group: adm
              createmode: 0640
              umask: 0022
            -/var/log/kern.log:
              filter: kern.*
              owner: syslog
              group: adm
              createmode: 0640
              umask: 0022
            -/var/log/mail.log:
              filter: mail.*
              owner: syslog
              group: adm
              createmode: 0640
              umask: 0022
            /var/log/mail.err:
              filter: mail.err
              owner: syslog
              group: adm
              createmode: 0640
              umask: 0022
            ":omusrmsg:*":
              filter: "*.emerg"
            "|/dev/xconsole":
              filter: "daemon.*;mail.*; news.err; *.=debug;*.=info;*.=notice;*.=warn"
            -/var/log/your-app.log:
              filter: "if $programname startswith 'your-app' then"
              owner: syslog
              group: adm
              createmode: 0640
              umask: 0022
              stop_processing: true

Rsyslog service with RainerScript (module, ruleset, template, input).

.. code-block:: yaml

    rsyslog:
      client:
        run_user: syslog
        run_group: adm
        enabled: true
        rainerscript:
          module:
            imfile: {}
          input:
            imfile:
              nginx:
                File: "/var/log/nginx/*.log"
                Tag: "nginx__"
                Severity: "notice"
                Facility: "local0"
                PersistStateInterval: "0"
                Ruleset: "myapp_logs"
              apache2:
                File: "/var/log/apache2/*.log"
                Tag: "apache2__"
                Severity: "notice"
                Facility: "local0"
                Ruleset: "myapp_logs"
                PersistStateInterval: "0"
              rabbitmq:
                File: "/var/log/rabbitmq/*.log"
                Tag: "rabbitmq__"
                Severity: "notice"
                Facility: "local0"
                PersistStateInterval: "0"
                Ruleset: "myapp_logs"
          template:
            ImfileFilePath:
              parameter:
                type: string
                string: "<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%$.suffix%%msg:::sp-if-no-1st-sp%%msg%\n"
          ruleset:
            remote_logs:
              description: 'action(type="omfwd" Target="172.16.10.92" Port="10514" Protocol="udp" Template="ImfileFilePath")'
            myapp_logs:
              description: 'set $.suffix=re_extract($!metadata!filename, "(.*)/([^/]*[^/.log])", 0, 2, "all.log"); call remote_logs'

Rsyslog service with GNU TLS encryption for forwarding the messages (omfwd module with gtls network stream driver).

.. code-block:: yaml

    rsyslog:
      client:
        pkgs:
          - rsyslog-gnutls
          - rsyslog
        run_user: syslog
        run_group: adm
        enabled: true
        ssl:
          enabled: true
          engine: manual
          key: |
            -----BEGIN RSA PRIVATE KEY-----
            -----END RSA PRIVATE KEY-----
          cert: |
            -----BEGIN CERTIFICATE-----
            -----END CERTIFICATE-----
          cacert_chain: |
            -----BEGIN CERTIFICATE-----
            -----END CERTIFICATE-----
        rainerscript:
          global:
            defaultNetstreamDriverCAFile: "/etc/rsyslog.d/rsyslog_ca.crt"
            defaultNetstreamDriverKeyFile: "/etc/rsyslog.d/rsyslog_client.key"
            defaultNetstreamDriverCertFile: "/etc/rsyslog.d/rsyslog_client.crt"
        output:
          remote:
            somehost.domain:
              action: 'action(type="omfwd" Target="172.16.10.92" Port="20514" Protocol="tcp" streamDriver="gtls" streamDriverauthMode="anon" streamDriverMode="1")'
              filter: "*.*"
              enabled: true

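The gtls sample above sets ``streamDriverauthMode="anon"``, which encrypts the stream but does not authenticate the receiving server. As an added example (not part of the formula's own documentation), the same output with server certificate validation, assuming the receiver's certificate is issued by the CA in ``defaultNetstreamDriverCAFile`` and carries the placeholder name ``remote.example.com`` used in the RELP sample:

```yaml
# Added example: gtls forwarding that authenticates the receiver.
# remote.example.com is a placeholder peer name; the pillar layout follows
# the gtls sample above. The ssl: block (key, cert, cacert_chain) stays as
# in that sample and is omitted here.
rsyslog:
  client:
    pkgs:
      - rsyslog-gnutls
      - rsyslog
    run_user: syslog
    run_group: adm
    enabled: true
    rainerscript:
      global:
        defaultNetstreamDriverCAFile: "/etc/rsyslog.d/rsyslog_ca.crt"
        defaultNetstreamDriverKeyFile: "/etc/rsyslog.d/rsyslog_client.key"
        defaultNetstreamDriverCertFile: "/etc/rsyslog.d/rsyslog_client.crt"
    output:
      remote:
        somehost.domain:
          # x509/name: validate the certificate chain against the CA file and
          # require the certificate name to match streamDriverPermittedPeers.
          action: 'action(type="omfwd" Target="172.16.10.92" Port="20514" Protocol="tcp" streamDriver="gtls" streamDriverMode="1" streamDriverAuthMode="x509/name" streamDriverPermittedPeers="remote.example.com")'
          filter: "*.*"
          enabled: true
```
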
Rsyslog service with RELP TLS encryption for forwarding the messages (omrelp module).

.. code-block:: yaml

    rsyslog:
      client:
        pkgs:
          - rsyslog-relp
          - rsyslog
        run_user: syslog
        run_group: adm
        enabled: true
        ssl:
          enabled: true
          engine: manual
          key: |
            -----BEGIN RSA PRIVATE KEY-----
            -----END RSA PRIVATE KEY-----
          cert: |
            -----BEGIN CERTIFICATE-----
            -----END CERTIFICATE-----
          cacert_chain: |
            -----BEGIN CERTIFICATE-----
            -----END CERTIFICATE-----
        rainerscript:
          module:
            omrelp: {}
        output:
          remote:
            somehost.domain:
              action: 'action(type="omrelp" target="172.16.10.92" port="20514" tls="on" tls.caCert="/etc/rsyslog.d/rsyslog_ca.crt" tls.myCert="/etc/rsyslog.d/rsyslog_client.crt" tls.myPrivKey="/etc/rsyslog.d/rsyslog_client.key" tls.authmode="name" tls.permittedpeer=["remote.example.com"])'
              filter: "*.*"
              enabled: true

Custom templates
================

It is possible to define a specific syslog template per output file instead of
using the default one.

.. code-block:: yaml

    rsyslog:
      output:
        file:
          /var/log/your-app.log:
            template: "\"%syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\\n\""
            filter: "if $programname startswith 'your-app' then"

Remote rsyslog server
=====================

It is possible to have rsyslog act as a remote server that collects, stores or forwards logs.
This functionality is provided via rsyslog input/output modules, rulesets and templates.

.. code-block:: yaml

    rsyslog:
      server:
        enabled: true
        module:
          imudp: {}
        template:
          RemoteFilePath:
            parameter:
              type: string
              string: /var/log/%HOSTNAME%/%programname%.log
        ruleset:
          remote10514:
            description: action(type="omfile" dynaFile="RemoteFilePath")
        input:
          imudp:
            port: 10514
            ruleset: remote10514

Support metadata
================

If the *heka* support metadata is enabled, all output files are automatically
parsed by the **log_collector** service.
To skip the log_collector configuration, set **skip_log_collector** to true.

.. code-block:: yaml

    rsyslog:
      output:
        file:
          /var/log/your-app.log:
            filter: "if $programname startswith 'your-app' then"
            skip_log_collector: true

Read more
=========

* http://www.rsyslog.com/
* https://wiki.gentoo.org/wiki/Rsyslog
* https://github.com/saz/puppet-rsyslog