Linux Rsyslog

Rsyslog monitors all logs available in the Linux systems.

Forwarding all logs to a Logmanager server

Create the configuration file /etc/rsyslog.d/lm_all.conf

Insert the following code into it:

$ModLoad imuxsock # local message reception
$ActionQueueType LinkedList # use asynchronous processing
# set file name, also enables disk mode,
# this value must be unique inside all configs
$ActionQueueFileName srvrfwd
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
# max limit the number of messages that queue can contain
$ActionQueueSize 10000
$ActionQueueMaxFileSize 10M # limit the size of queue buffer on disk

*.* @@<Logmanager_IP_address>:514

Activate the configuration using this command:
```
service rsyslog restart
```

Alternative Rsyslog Settings via TLS syslog

First you need to install the package rsyslog-gnutls, then enter the command:

Debian

sudo apt-get install rsyslog-gnutls

CentOS

sudo yum install rsyslog-gnutls

Copy the public CA certificate to the server (in format .crt) and save it for example to /etc/ssl/certs/ca-certifikat.crt
Create a file /etc/rsyslog.d/lm-forward_tls.conf

Paste the following code into it:

$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certifikát.crt
action(type="omfwd"
   protocol="tcp"
   target="<Logmanager_IP_address>"
   port="6514
   StreamDriver="gtls"
   StreamDriverMode="1"
   StreamDriverAuthMode="x509/name"
   StreamDriverPermittedPeers="<hostname/IP address in CN of certificate>"
)

To activate the settings, restart the Rsyslog service by using this command:
```
sudo service rsyslog restart
```

File with logs

Rsyslog provides the ability to send any log files into Logmanager.

One file monitoring

The following sample monitors one log file.

Create the configuration file /etc/rsyslog.d/file1.conf

Insert the following code into it:

$ActionQueueType LinkedList # use asynchronous processing
# set file name, also enables disk mode,
# this value must be unique inside all configs
$ActionQueueFileName srvrfwd
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
# max limit the number of messages that queue can contain
$ActionQueueSize 10000
$ActionQueueMaxFileSize 10M # limit the size of queue buffer on disk
$ModLoad imfile # needs to be done just once

# File 1
$InputFileName /var/log/file1 # path to log file
$InputFileTag tag1: # identification of process
$InputFileStateFile stat-file1

$InputFileSeverity error # severity level
$InputFileFacility local7 # facility level
$InputRunFileMonitor

if $programname == 'tag1' then @@<Logmanager_IP_address>:514

Activate the configuration using this command:
```
service rsyslog restart
```

Multiple file monitoring

The following sample monitors two log files.

Create the configuration file /etc/rsyslog.d/files.conf

Insert the following code into it:

$ActionQueueType LinkedList # use asynchronous processing
# set file name, also enables disk mode,
# this value must be unique inside all configs
$ActionQueueFileName srvrfwd
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
# max limit the number of messages that queue can contain
$ActionQueueSize 10000
$ActionQueueMaxFileSize 10M # limit the size of queue buffer on disk
$ModLoad imfile # needs to be done just once

# File 1
$InputFileName /var/log/file1 # path to log file 1
$InputFileTag tag1: # identification of process
$InputFileStateFile stat-file1

$InputFileSeverity error # severity level
$InputFileFacility local7 # facility level
$InputRunFileMonitor

if $programname == 'tag1' then @@<Logmanager_IP_address>:514


# File 2
$InputFileName /path/to/file2 # path to log file 2
$InputFileTag tag2: # identification of process
$InputFileStateFile stat-file2

$InputRunFileMonitor

# Only entered once in case of following multiple files
# This will poll the file every 10 seconds
$InputFilePollingInterval 10

if $programname == 'tag2' then @@<Logmanager_IP_address>:514

Activate the configuration using this command:
```
service rsyslog restart
```

One service monitoring

Create the configuration file /etc/rsyslog.d/lm_<program_name>.conf

Insert the following code into it:

$ModLoad imuxsock # local message reception
$ActionQueueType LinkedList # use asynchronous processing
# set file name, also enables disk mode,
# this value must be unique inside all configs
$ActionQueueFileName srvrfwd
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
# max limit the number of messages that queue can contain
$ActionQueueSize 10000
$ActionQueueMaxFileSize 10M # limit the size of queue buffer on disk

if $programname == '<program_name>' then @@<Logmanager_IP_address>:514

Activate the configuration using this command:
```
service rsyslog restart
```

Facility and severity monitoring

Create the configuration file /etc/rsyslog.d/lm_<facility>.conf

Insert the following code into it:

$ModLoad imuxsock # local message reception
$ActionQueueType LinkedList # use asynchronous processing
# set file name, also enables disk mode,
# this value must be unique inside all configs
$ActionQueueFileName srvrfwd
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
# max limit the number of messages that queue can contain
$ActionQueueSize 10000
$ActionQueueMaxFileSize 10M # limit the size of queue buffer on disk

# monitor only severity info:
*.=info     @@<Logmanager_IP_address>:514

# or monitor severity info and higher
*.info     @@<Logmanager_IP_address>:514

# or monitor specific severity and facility
mail.=info     @@<Logmanager_IP_address>:514

Activate the configuration using this command:
```
service rsyslog restart
```

RELP

RELP (Reliable Event Logging Protocol) extends the functionality of the syslog protocol to provide reliable delivery of event messages. It is highly suggested to use RELP instead of plain syslog format.

Settings for use of RELP

All above stated command remain valid. Just follow these steps:

Add this row to the configuration files:
```
$ModLoad omrelp
```
Replace this term in configuration:
```
@@<Logmanager_IP_address>:514
```
by a new term:
```
:omrelp:<Logmanager_IP_address>:20514
```
Logmanager_IP_address is the IP address of your Logmanager server.
Activate the configuration using this command:
```
service rsyslog restart
```

Complete sample of RELP use

$ModLoad omrelp # use RELP
$ModLoad imuxsock # local message reception
$ActionQueueType LinkedList # use asynchronous processing

# set file name, also enables disk mode,

# this value must be unique inside all configs

$ActionQueueFileName srvrfwd
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down

# max limit the number of messages that queue can contain

$ActionQueueSize 10000
$ActionQueueMaxFileSize 10M # limit the size of queue buffer on disk

*.* :omrelp:<Logmanager_IP_address>:20514

Settings to use RELP with secured TLS

We will show you, how to use simple TLS encryption with the RELP protocol for sending syslog messages.

The configuration for the client is relatively simple, just follow these steps:

Add this row to the configuration files:
```
$ModLoad omrelp
```
Replace this term in configuration:
```
@@<Logmanager_IP_address>:514
```
By a new term:
```
action(type="omrelp" target="<Logmanager_IP_address>" port="20515" tls="on")
```
Logmanager_IP_address is the IP address of your Logmanager server.
Activate the configuration with command:
```
service rsyslog restart
```