Difference between revisions of "Rsyslog"

From ArchWiki
m (journald with rsyslog for kernel messages: typo in pkg name)
m (add ja link)
 
(29 intermediate revisions by 11 users not shown)
Latest revision as of 13:30, 30 November 2015

Related articles: syslog-ng

This article or section needs language, wiki syntax or style improvements. Reason: citing a 6 year old document. "It was unmaintained for several years and contained false information". Also numerous Help:Style issues.

rsyslog is an alternative logger to syslog-ng and offers many benefits over it.

Installation

Note: It is recommended to disable and uninstall the syslog-ng package to prevent possible conflicts.

Install the rsyslog package.

Starting service

This article or section needs language, wiki syntax or style improvements. Reason: This belongs in an .install file and should be reported accordingly.

You can start/enable the rsyslog service after installation.

Configure Hostname

Rsyslog uses the glibc routines gethostname() or gethostbyname() to determine the hostname of the local machine. If you are not using BIND or NIS, these routines check the contents of /etc/hosts for the fully qualified domain name (FQDN).

You can check the local machine's currently configured FQDN by running hostname --fqdn. By default, rsyslog writes the output of hostname --short as the hostname in log messages. If you want full hostnames in logs, add $PreserveFQDN on at the beginning of the file, before any directive that writes to files: rsyslog reads the configuration file line by line and applies each directive as it goes, so a $PreserveFQDN placed later would not affect rules that precede it.

The /etc/hosts file contains a number of lines that map FQDNs to IP addresses and that map aliases to FQDNs. See the example /etc/hosts file below:

/etc/hosts
#<ip-address>   <hostname.domain.org>                          <hostname>
#<ip-address>   <actual FQDN>                                  <aliases>
127.0.0.1       localhost.localdomain somehost.localdomain     localhost somehost
::1             localhost.localdomain somehost.localdomain     localhost somehost

Here localhost.localdomain is the first name following the IP address, so gethostbyname() returns localhost.localdomain as the local machine's FQDN, and /var/log/messages will show localhost as the hostname.

To use somehost as the hostname, move somehost.localdomain to the first position:

/etc/hosts
#<ip-address>   <hostname.domain.org>                          <hostname>
#<ip-address>   <actual FQDN>                                  <aliases>
127.0.0.1       somehost.localdomain localhost.localdomain     localhost somehost
::1             somehost.localdomain localhost.localdomain     localhost somehost
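As an added example (not part of the ArchWiki article), the POSIX shell functions below read a hosts file the way the text above describes gethostbyname() doing it: the first name after the matching address is taken as the canonical FQDN, and everything before its first dot is the short name that ends up in the logs. The default path /etc/hosts and the comparison against hostname --fqdn are assumptions; the parsing is deliberately simple (comments stripped, first matching line wins), which is enough to check the ordering shown in the two /etc/hosts examples above.

```shell
#!/bin/sh
# Added example, not from the ArchWiki article: read a hosts file the way the text
# above describes gethostbyname() doing it. The first name after the matching
# address is the canonical FQDN; the text before its first dot is the short name.

hosts_canonical_name() {
    # $1: hosts file (defaults to /etc/hosts), $2: address to look up.
    # Prints the first name on the first matching line, or nothing if none matches.
    file=${1:-/etc/hosts}
    addr=$2
    awk -v a="$addr" '
        { sub(/#.*/, "") }               # strip comments, whole-line or trailing
        NF >= 2 && $1 == a { print $2; exit }
    ' "$file"
}

hosts_short_name() {
    # Short hostname derived from the canonical name (what hostname --short
    # reports when the system hostname is taken from this file).
    n=$(hosts_canonical_name "$1" "$2")
    printf '%s\n' "${n%%.*}"
}

check_hosts_matches_system() {
    # Compare the file's answer for 127.0.0.1 with what the running system reports.
    # Prints both; returns 0 if they agree, 1 otherwise. Assumes a hostname
    # command that understands --fqdn, as on Arch.
    want=$(hosts_canonical_name "${1:-/etc/hosts}" 127.0.0.1)
    have=$(hostname --fqdn 2>/dev/null) || return 1
    printf 'hosts file: %s\nsystem:     %s\n' "$want" "$have"
    [ "$want" = "$have" ]
}
```

Run check_hosts_matches_system after editing /etc/hosts; a mismatch between the two printed names means the hostname rsyslog will stamp on messages is not the one you expect, which matters when logs from several machines are collected centrally and correlated by hostname.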

Configuration

rsyslog does not create its working directory /var/spool/rsyslog, which is set by the $WorkDirectory directive in the configuration file. You may need to create it manually or point the directive elsewhere.

Log output can be fine-tuned in /etc/rsyslog.conf. The daemon uses facility levels (see below) to determine what gets put where. For example:

/etc/rsyslog.conf
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

This states that all messages falling under the authpriv facility are logged to /var/log/secure.

Another example, which would be similar to the behaviour of syslog-ng for the old auth.log:

/etc/rsyslog.conf
auth.*                                                  -/var/log/auth

The leading - in front of the file name tells rsyslog to omit syncing the file after each write; this is faster but can lose the last few lines if the system crashes. Current rsyslog versions have syncing off by default anyway, so the dash mainly preserves compatibility with sysklogd-style configurations.

See also

  • Structure of the rsyslog.conf file: http://www.rsyslog.com/doc/rsyslog_conf.html

Facility Levels

Note: The mapping between Facility Number and Keyword is not uniform over different operating systems and different syslog implementations. Use the keyword where possible, until it is determined which numbers are used by Arch.

Facility Number   Keyword    Facility Description
0                 kern       kernel messages
1                 user       user-level messages
2                 mail       mail system
3                 daemon     system daemons
4                 auth       security/authorization messages
5                 syslog     messages generated internally by syslogd
6                 lpr        line printer subsystem
7                 news       network news subsystem
8                 uucp       UUCP subsystem
9                            clock daemon
10                authpriv   security/authorization messages
11                ftp        FTP daemon
12                -          NTP subsystem
13                -          log audit
14                -          log alert
15                cron       clock daemon
16                local0     local use 0 (local0)
17                local1     local use 1 (local1)
18                local2     local use 2 (local2)
19                local3     local use 3 (local3)
20                local4     local use 4 (local4)
21                local5     local use 5 (local5)
22                local6     local use 6 (local6)
23                local7     local use 7 (local7)

Security Levels

As defined in RFC 5424, there are eight severity levels:

Code  Severity       Keyword          Description
0     Emergency      emerg (panic)    System is unusable.
      General description: A "panic" condition usually affecting multiple apps/servers/sites. At this level it would usually notify all tech staff on call.
1     Alert          alert            Action must be taken immediately.
      General description: Should be corrected immediately, therefore notify staff who can fix the problem. An example would be the loss of a primary ISP connection.
2     Critical       crit             Critical conditions.
      General description: Should be corrected immediately, but indicates failure in a primary system; an example is a loss of a backup ISP connection.
3     Error          err (error)      Error conditions.
      General description: Non-urgent failures; these should be relayed to developers or admins. Each item must be resolved within a given time.
4     Warning        warning (warn)   Warning conditions.
      General description: Warning messages; not an error, but an indication that an error will occur if action is not taken, e.g. file system 85% full. Each item must be resolved within a given time.
5     Notice         notice           Normal but significant condition.
      General description: Events that are unusual but not error conditions; might be summarized in an email to developers or admins to spot potential problems. No immediate action required.
6     Informational  info             Informational messages.
      General description: Normal operational messages; may be harvested for reporting, measuring throughput, etc. No action required.
7     Debug          debug            Debug-level messages.
      General description: Info useful to developers for debugging the application, not useful during operations.

Tip: A common mnemonic used to remember the syslog levels in reverse order: "Do I Notice When Evenings Come Around Early".
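As an added example, not from the ArchWiki page, the POSIX shell functions below turn the numeric PRI that prefixes a raw syslog message (the <38> in <38>Nov 30 13:30:00 somehost sshd[1234]: ...) back into the facility.severity keywords from the two tables above, using the RFC 5424 rule PRI = facility * 8 + severity. This is the decoding a detection pipeline or a log reviewer performs when a message arrives without its selector, and it is the same pairing the selectors in /etc/rsyslog.conf (authpriv.*, auth.*, kern.*) match against. Keywords follow the tables as printed here, with "-" where the table lists none; the sample message is constructed.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): decode the syslog PRI field into
# facility.severity keywords using the two tables above.
# RFC 5424: PRI = facility * 8 + severity, so facility = PRI / 8, severity = PRI % 8.

facility_keyword() {
    # $1: facility number 0-23. "-" where the table above lists no keyword
    # (9, 12, 13, 14), matching the page rather than any one implementation.
    f=$1
    set -- kern user mail daemon auth syslog lpr news uucp - authpriv ftp - - - cron \
           local0 local1 local2 local3 local4 local5 local6 local7
    [ "$f" -ge 0 ] && [ "$f" -le 23 ] || { printf 'unknown\n'; return 1; }
    shift "$f"
    printf '%s\n' "$1"
}

severity_keyword() {
    # $1: severity code 0-7, in the order of the severity table above.
    s=$1
    set -- emerg alert crit err warning notice info debug
    [ "$s" -ge 0 ] && [ "$s" -le 7 ] || { printf 'unknown\n'; return 1; }
    shift "$s"
    printf '%s\n' "$1"
}

decode_pri() {
    # $1: numeric PRI (0-191). Prints e.g. "auth.info" for 38 (4*8 + 6).
    pri=$1
    [ "$pri" -ge 0 ] && [ "$pri" -le 191 ] 2>/dev/null || { printf 'invalid\n'; return 1; }
    printf '%s.%s\n' "$(facility_keyword $((pri / 8)))" "$(severity_keyword $((pri % 8)))"
}

decode_line() {
    # $1: a raw syslog line such as "<34>Nov 30 13:30:00 somehost sshd[1234]: ..."
    # (constructed sample). Extracts the PRI between the angle brackets and decodes it.
    line=$1
    case $line in
        '<'*'>'*) ;;
        *) printf 'no-pri\n'; return 1 ;;
    esac
    rest=${line#<}
    pri=${rest%%>*}
    case $pri in
        ''|*[!0-9]*) printf 'no-pri\n'; return 1 ;;
    esac
    decode_pri "$pri"
}
```

Because the facility number is what the sender chose, not what the receiver verifies, a message claiming kern.crit or authpriv.info from a remote host is only as trustworthy as the transport and the host it came from; the decoder tells you what the message says it is, which is exactly what a selector like authpriv.* also goes by.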

Examples

journald with rsyslog for kernel messages

This article or section needs language, wiki syntax or style improvements. Reason: Redundant instructions, systemd commands...

Since journald, the syslog component of systemd, does not flush its logs to disk during normal operation, these logs are lost when the machine shuts down abnormally (power loss, kernel lock-ups, ...). In the case of kernel lock-ups it is important to have some kernel logs for debugging. Until journald gains a configuration option for flushing kernel logs, rsyslog can be used in conjunction with journald.

Summary of requirements:

  • journald must still get all log messages.
  • rsyslog must only log kernel messages, all other logs are handled by journald.
  • Kernel logs must be logged separately to /var/log/kernel.log.
  • Use systemd to start the service.

Installation and configuration steps:

  1. Install rsyslog.
  2. Edit /etc/logrotate.d/rsyslog and add /var/log/kernel.log to the list of logs. Without this modification, the kernel log would grow indefinitely.
  3. Edit /etc/rsyslog.conf and comment out everything except $ModLoad imklog. I also kept $ModLoad immark to have a heartbeat logged.
  4. Add the following line to the same configuration file:
    kern.*     /var/log/kernel.log;RSYSLOG_TraditionalFileFormat
    The kern.* part catches all messages originating from the kernel. ;RSYSLOG_TraditionalFileFormat selects a less verbose date format. By default, a date format like 2013-03-09T19:29:33.103897+01:00 is used. Since the kernel log already contains a precise timestamp (printk time) and the actual log time is irrelevant, I prefer something like Mar 9 19:29:13.
  5. Since rsyslog should operate completely separately from systemd, remove the option that shares a socket with systemd:
    sed 's/^Sockets=/#&/' /usr/lib/systemd/system/rsyslog.service | sudo tee /etc/systemd/system/rsyslog.service
  6. Next, make rsyslog start on boot and start it for this session by starting and enabling rsyslog.service.

Note: rsyslog reads from /proc/kmsg. This means that subsequent reads from that file (either by the user or by a syslog daemon) will not return "old" logs from that file anymore. journald is not affected, as it reads from /dev/kmsg, which allows multiple readers.
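The following script is an added example, not code from the ArchWiki page or from the rsyslog project. It carries out steps 2 through 5 of the procedure above against files you name, so the result can be written to a staging directory and reviewed before anything under /etc is replaced, and it ends with a check that the three resulting files satisfy the requirements listed above (only kernel messages handled, kern.* sent to /var/log/kernel.log, the log rotated, no shared systemd socket). The file paths are the ones the article names; the contents of the packaged unit file and of /etc/logrotate.d/rsyslog are read from wherever you point the functions, and the samples used to exercise them here are constructed.

```shell
#!/bin/sh
# Added example, not the ArchWiki page's own code: stage steps 2-5 of the
# journald-plus-rsyslog kernel logging procedure, then verify the result.

KERNEL_LOG=/var/log/kernel.log   # path the article uses for the kernel log

write_rsyslog_conf() {
    # $1: destination rsyslog.conf. Only imklog (kernel input) and immark
    # (heartbeat) are loaded, as in step 3; the kern.* rule is step 4.
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<EOF
# Kernel messages only; journald handles every other log source.
\$ModLoad imklog
\$ModLoad immark
kern.*     $KERNEL_LOG;RSYSLOG_TraditionalFileFormat
EOF
}

add_logrotate_path() {
    # $1: logrotate config file, $2: log path to add (step 2). The path is
    # prepended to the first stanza header (the line carrying "{") unless it
    # is already listed, so re-running is harmless.
    grep -qF -- "$2" "$1" && return 0
    tmp=$1.tmp
    awk -v p="$2" '!done && index($0, "{") { print p " " $0; done = 1; next } { print }' \
        "$1" > "$tmp" && mv "$tmp" "$1"
}

detach_unit_from_systemd_socket() {
    # $1: packaged unit file, $2: override path (step 5). Same sed as the
    # article: comment out the Sockets= line so rsyslog has its own socket.
    mkdir -p "$(dirname "$2")"
    sed 's/^Sockets=/#&/' "$1" > "$2"
}

check_kernel_log_setup() {
    # $1: rsyslog.conf, $2: logrotate config, $3: unit file in use.
    # Returns 0 when the files match the requirements above, 1 otherwise.
    # Requirement: rsyslog must only log kernel messages -> no other input module.
    if grep -E '^\$ModLoad' "$1" | grep -Ev '^\$ModLoad (imklog|immark)$' | grep -q .; then
        return 1
    fi
    # Requirement: kernel messages go to the separate file, traditional format.
    grep -qE "^kern\.\*[[:space:]]+$KERNEL_LOG;RSYSLOG_TraditionalFileFormat" "$1" || return 1
    # Requirement: the separate file is rotated.
    grep -qF -- "$KERNEL_LOG" "$2" || return 1
    # Requirement: no socket shared with systemd.
    if grep -q '^Sockets=' "$3"; then
        return 1
    fi
    return 0
}
```

To apply for real: run write_rsyslog_conf on a staging copy, add_logrotate_path against a copy of /etc/logrotate.d/rsyslog, and detach_unit_from_systemd_socket with /usr/lib/systemd/system/rsyslog.service as input; once check_kernel_log_setup passes on the staged files, copy them into place as root and finish with step 6 (start and enable rsyslog.service).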

See also

  • Rsyslog manual: http://www.rsyslog.com/doc/manual.html
  • rsyslog versus syslog-ng: http://www.rsyslog.com/doc-rsyslog_ng_comparison.html