Difference between revisions of "Rsyslog"

From ArchWiki
Jump to: navigation, search
Line 1: Line 1:
[[Category:Security (English)]]
[[Category:Daemons and system services]]
[[Category:Daemons and system services]]
{{Lowercase title}}
{{Lowercase title}}

Revision as of 18:31, 23 April 2012

rsyslog is an alternative logger to syslog-ng and offers many benefits over syslog-ng. rsyslog is also the default logger for the latest versions of Red Hat Enterprise Linux, as well as many other Linux distributions. Many of rsyslog's benefits over syslog-ng can be found here: [1].


install the rsyslog package which is available in the official repositories.

Activation under DAEMONS array

Then start rsyslog and stop syslog-ng (unless for some strange reason you want 2 log daemons running):

/etc/rc.d/rsyslogd start
/etc/rc.d/syslog-ng stop

Finally, add rsyslogd to the DAEMONS array in your /etc/rc.conf, and disable/remove syslog-ng:

DAEMONS=( ... !syslog-ng rsyslogd ... )

Now you have migrated over to rsyslog!

Activation under systemd

After installing rsyslog, systemd will need to know about the service file packaged with rsyslog:

 # systemctl daemon-reload

Then, enable the new service and disable your old logger (assuming syslog-ng here):

 # systemctl enable rsyslog.service
 # systemctl disable syslog-ng.service
 # systemctl stop syslog-ng.service
 # systemctl start rsyslog.service

Configuring hostname

Rsyslog uses the glibc routine gethostname() or gethostbyname() to determine the hostname of the local machine. The gethostname() or gethostbyname() routine check the contents of /etc/hosts for the fully qualified domain name (FQDN) if you are not using BIND or NIS.

You can check what the local machine's currently configured FQDN is by running hostname --fqdn. The output of hostname --short will be used by rsyslog when writing log messages.

The /etc/hosts file contains a number of lines that map FQDNs to IP addresses and that map aliases to FQDNs. See the example /etc/hosts file below:

#<ip-address>	<hostname.domain.org>	<hostname>
#<ip-address>      <actual FQDN>                       <aliases>	localhost.localdomain somehost.localdomain	localhost somehost
::1		        localhost.localdomain somehost.localdomain	localhost somehost

localhost.localdomain is the first item following the IP address, so gethostbyname() function will return localhost.localdomain as the local machine's FQDN. Then /var/log/messages file will use localhost as hostname.

To use somehost as the hostname. Move somehost.localdomain to the first item:

#<ip-address>	<hostname.domain.org>	                        <hostname>
#<ip-address>      <actual FQDN>                                              <aliases>	somehost.localdomain localhost.localdomain	localhost somehost
::1		        somehost.localdomain localhost.localdomain 	localhost somehost