From 3268a4c3db16f4c587c204021d9e3dfb42372471 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Mon, 3 Oct 2011 18:13:57 +0200
Subject: [PATCH 01/16] nslcd: Add working configuration files. This adds the configuration files neede to talk to the LDAP server running at "ldap.local", using the NSS schema.
---
etc/nslcd.conf | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 etc/nslcd.conf
diff --git a/etc/nslcd.conf b/etc/nslcd.conf
new file mode 100644
index 0000000..15e1bf4
--- /dev/null
+++ b/etc/nslcd.conf
@@ -0,0 +1,29 @@
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+uri ldap://ldap.local
+
+# The search base that will be used for all queries.
+base passwd ou=Persons,dc=tika,dc=stderr,dc=nl
+base shadow ou=Persons,dc=tika,dc=stderr,dc=nl
+base group ou=Groups,dc=tika,dc=stderr,dc=nl
+
+filter passwd (objectClass=maroesjaSystemIdentity)
+filter shadow (objectClass=maroesjaSystemIdentity)
+filter group (objectClass=maroesjaSystemGroup)
+
+# Note that this uses maroesjaSystemLoginIdentity instead of
+# maroesjaSystemIdentity above. This is important, since maroesjaSystemIdenties
+# should show up in NSS, but should not be allowed to authenticate. They'll
+# probably miss other attributes too, like host or uidNumber, but this makes
+# sure they can never login.
+pam_authz_search (&(objectClass=maroesjaSystemLoginIdentity)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*)))
+
+# This is needed with nss-pam-ldapd before 0.8.4
+#map group uniqueMember member
-- 2.30.2
From 7002986cc9f43f45fe8ddc3bd8733261aeb5ffc9 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Mon, 3 Oct 2011 18:16:47 +0200
Subject: [PATCH 02/16] nss: Use libnss-ldapd for user and group lookups.
---
etc/nsswitch.conf | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
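Review bot: `uri ldap://ldap.local` hands every passwd, shadow and group lookup — and, through the `pam_authz_search` line further down, the login authorization decision — to a cleartext LDAP connection, and nothing in the file turns on TLS or verifies the server. With `base shadow` and `filter shadow` configured, nslcd will fetch password hashes over that channel; whether the directory lets an anonymous bind read them is not visible here, but the transport offers no protection either way. I would add `ssl start_tls`, `tls_reqcert demand` and a `tls_cacertfile` pointing at the CA that signed the directory's certificate (or switch the URI to `ldaps://`), plus a `binddn`/`bindpw` for the shadow map if the server requires one. A comment stating that `ldap.local` is expected to be reachable only on a trusted network would at least make the assumption explicit.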
diff --git a/etc/nsswitch.conf b/etc/nsswitch.conf
index 6886def..f431ccc 100644
--- a/etc/nsswitch.conf
+++ b/etc/nsswitch.conf
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
-passwd: compat
-group: compat
-shadow: compat
+passwd: compat ldap
+group: compat ldap
+shadow: compat ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
-- 2.30.2
From e49d2e87d702e4ef87d018bbc71c10448d4dc3b4 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Tue, 28 Feb 2012 12:18:30 +0100
Subject: [PATCH 03/16] nslcd: Update configuration for 0.7.x. We previously upgraded to the 0.8.4 testing version, to fix a segfault. It now seems that this segfault no longer occurs in 0.7.15+squeeze1, so we downgraded again. This needs a small configuration change, since 0.8.4 uses the "member" attribute instead of "uniqueMember".
---
etc/nslcd.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/nslcd.conf b/etc/nslcd.conf
index 15e1bf4..afaccd6 100644
--- a/etc/nslcd.conf
+++ b/etc/nslcd.conf
@@ -26,4 +26,4 @@ filter group (objectClass=maroesjaSystemGroup)
pam_authz_search (&(objectClass=maroesjaSystemLoginIdentity)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*)))
# This is needed with nss-pam-ldapd before 0.8.4
-#map group uniqueMember member
+map group uniqueMember member
-- 2.30.2
From f0a96880c0310f312ad7c08653178cdeedf69c6d Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Tue, 28 Feb 2012 19:13:03 +0100
Subject: [PATCH 04/16] nslcd: Set rootpwmoddn so root can change ldap passwords.
---
etc/nslcd.conf | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/etc/nslcd.conf b/etc/nslcd.conf
index afaccd6..19c3cfb 100644
--- a/etc/nslcd.conf
+++ b/etc/nslcd.conf
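Review bot: Adding `ldap` to the `shadow:` line means libnss-ldapd will serve password hashes to every caller allowed to read shadow entries, so this is only as safe as nslcd's connection to the directory and the directory's own read ACL on `userPassword` — neither is visible in this hunk. The `hosts:` context line just below routes any `.local` name through `mdns4_minimal` before `dns`, so `ldap.local` (the URI set in the previous patch) is resolved by multicast DNS, which any host on the link can answer; pinning `ldap.local` in /etc/hosts or using a name the unicast resolver owns removes that dependency. Since nothing here uses NIS-style `+`/`-` entries, `files ldap` is also the tighter choice over `compat ldap`, though that is a matter of taste.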
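Review bot: The comment kept above the now-active `map group uniqueMember member` still reads as if the line were optional, while the commit message says the mapping is required on the 0.7.15 build that is actually deployed and becomes wrong again on 0.8.4 or later, where group membership resolution may break if it stays. State the condition on the line itself so the next upgrade does not miss it: `# Required on nss-pam-ldapd < 0.8.4 (we run 0.7.15+squeeze1); remove when upgrading to 0.8.4+.`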
@@ -27,3 +27,7 @@ pam_authz_search (&(objectClass=maroesjaSystemLoginIdentity)(uid=$username)(|(ho
# This is needed with nss-pam-ldapd before 0.8.4
map group uniqueMember member
+
+# When root wants to change the password of an LDAP user, do a bind as this
+# user (the password will be prompted)
+rootpwmoddn cn=admin,dc=tika,dc=stderr,dc=nl
-- 2.30.2
From db893de87844a32d12a67bc1077af3d89ba002c3 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Tue, 28 Feb 2012 19:23:40 +0100
Subject: [PATCH 05/16] pam: Add complete configuration. This configuration mixes local users and ldap users. This is a completely custom configuration, so the Debian's default configuration (managed with pam-auth-update) is completely removed.
---
etc/pam.d/atd | 7 +++++++
etc/pam.d/common-account | 17 +++++++++++++++++
etc/pam.d/common-auth | 11 +++++++++++
etc/pam.d/common-ldap | 37 +++++++++++++++++++++++++++++++++++++
etc/pam.d/common-password | 9 +++++++++
etc/pam.d/common-session | 18 ++++++++++++++++++
etc/pam.d/cron | 11 +++++++++++
etc/pam.d/login | 19 +++++++++++++++++++
etc/pam.d/other | 13 +++++++++++++
etc/pam.d/passwd | 5 +++++
etc/pam.d/sshd | 18 ++++++++++++++++++
etc/pam.d/su | 9 +++++++++
etc/pam.d/sudo | 7 +++++++
13 files changed, 181 insertions(+)
create mode 100644 etc/pam.d/atd
create mode 100644 etc/pam.d/common-account
create mode 100644 etc/pam.d/common-auth
create mode 100644 etc/pam.d/common-ldap
create mode 100644 etc/pam.d/common-password
create mode 100644 etc/pam.d/common-session
create mode 100644 etc/pam.d/cron
create mode 100644 etc/pam.d/login
create mode 100644 etc/pam.d/other
create mode 100644 etc/pam.d/passwd
create mode 100644 etc/pam.d/sshd
create mode 100644 etc/pam.d/su
create mode 100644 etc/pam.d/sudo
diff --git a/etc/pam.d/atd b/etc/pam.d/atd
new file mode 100644
index 0000000..311e440
--- /dev/null
+++ b/etc/pam.d/atd
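Review bot: `rootpwmoddn cn=admin,dc=tika,dc=stderr,dc=nl` makes root's `passwd SOMEUSER` bind as the directory administrator, and that bind goes over the `uri ldap://ldap.local` connection configured earlier in this series, which has no TLS setting — the admin password is prompted locally but, unless the server forces StartTLS, crosses the network in the clear. A dedicated password-admin DN whose ACL only allows writing `userPassword` under `ou=Persons` would also limit what root of a single container can do with that prompted credential. At minimum record the dependency next to the line: `# NOTE: this bind uses the uri above; enable ssl start_tls before relying on it.`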
@@ -0,0 +1,7 @@
+#
+# The PAM configuration file for the at daemon
+#
+
+@include common-auth
+@include common-account
+@include common-session
diff --git a/etc/pam.d/common-account b/etc/pam.d/common-account
new file mode 100644
index 0000000..cc1157f
--- /dev/null
+++ b/etc/pam.d/common-account
@@ -0,0 +1,17 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files.
+
+# pam_unix does general checks based on NSS info, so it also works for both
+# local and ldap users.
+account required pam_unix.so
+
+# pam_ldap does additional checks (in particular checking the host ldap
+# attribute). Passing minimum_uid makes it work only for non-local users
+# (checking this based on the uid is not really elegant, but there is no
+# perfect way to do this anyway). We pass ignore_unknown_user to make the
+# module return 'ignore' instead of 'user_unknown' for local users, which gets
+# handled by 'required' properly (without having to specify a verbose custom
+# thing).
+account required pam_ldap.so ignore_unknown_user minimum_uid=1000
diff --git a/etc/pam.d/common-auth b/etc/pam.d/common-auth
new file mode 100644
index 0000000..d034284
--- /dev/null
+++ b/etc/pam.d/common-auth
@@ -0,0 +1,11 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files.
+
+# Allow both local and ldap logins.
+auth sufficient pam_unix.so nullok_secure
+
+auth sufficient pam_ldap.so use_first_pass
+
+auth required pam_deny.so
diff --git a/etc/pam.d/common-ldap b/etc/pam.d/common-ldap
new file mode 100644
index 0000000..3ba453b
--- /dev/null
+++ b/etc/pam.d/common-ldap
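Review bot: `auth sufficient pam_ldap.so use_first_pass` carries no `minimum_uid`, whereas the pam_ldap line in common-account is limited to uid >= 1000 — so when pam_unix rejects a password for a local account name (root included), the stack falls through to LDAP, and a directory entry whose `uid` attribute equals that local name can authenticate with its LDAP password; the account-phase uid floor runs only after authentication has already succeeded and would ignore the user as local. Keep the two lines in step: `auth sufficient pam_ldap.so use_first_pass minimum_uid=1000`. `nullok_secure` on the pam_unix line additionally permits empty local passwords from ttys listed in /etc/securetty; if no local account is meant to have an empty password, drop the option.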
@@ -0,0 +1,37 @@
+# /etc/pam.d/common-ldap - settings for ldap
+#
+# This file setups up auth for ldap users, but account, session and password
+# for all users.
+#
+# This file is included from other service-specific PAM config files and
+# contains the modules needed to get ldap users for all four sections.
+
+
+# Do authentication for LDAP users
+auth required pam_ldap.so
+
+# pam_unix does general checks based on NSS info, so it also works for ldap
+# users.
+account required pam_unix.so
+
+# pam_ldap does additional checks (in particular checking the host ldap
+# attribute) but needs to be ignored when it does not know about a user.
+account [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] \
+ pam_ldap.so
+
+
+password sufficient pam_unix.so obscure sha512
+password sufficient pam_ldap.so
+password required pam_deny.so
+
+# Set resource limits from /etc/security/limits.conf
+session required pam_limits.so
+
+# Write logins to syslog
+session required pam_unix.so
+
+# Tell pam_ldap about sessions as well, though it does not currently do
+# anything.
+session required pam_ldap.so
+
+#session required pam_mkhomedir.so skel=/etc/skel umask=0022
diff --git a/etc/pam.d/common-password b/etc/pam.d/common-password
new file mode 100644
index 0000000..078093e
--- /dev/null
+++ b/etc/pam.d/common-password
@@ -0,0 +1,9 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files.
+
+
+# Use pam_unix for local users, pam_ldap otherwise.
+password sufficient pam_unix.so obscure sha512 debug
+password required pam_ldap.so debug
diff --git a/etc/pam.d/common-session b/etc/pam.d/common-session
new file mode 100644
index 0000000..8f4eaa6
--- /dev/null
+++ b/etc/pam.d/common-session
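Review bot: None of the thirteen files in this commit `@include common-ldap`, yet its header claims it is included by the service files, and it carries a second, different set of stacks — `auth required pam_ldap.so` with no pam_unix fallback and `password sufficient pam_ldap.so` — so a future `@include` of it would silently change authentication behaviour relative to common-auth and common-password. Either delete the file or replace its header with an honest note: `# NOT INCLUDED ANYWHERE: reference material only; the live stacks are common-auth/-account/-password/-session.`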
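Review bot: `password required pam_ldap.so debug` is reached for directory users after pam_unix declines them, but without `use_authtok` pam_ldap prompts for its own new password, so the `obscure` quality checks on the pam_unix line presumably never apply to LDAP passwords and the user is asked for the new password twice. The usual stacking for this case is `password [success=1 default=ignore] pam_unix.so obscure sha512` followed by `password requisite pam_ldap.so use_authtok try_first_pass`, so one vetted token flows through both modules. The two `debug` flags also raise pam_unix/pam_ldap syslog verbosity on every password change and look like test leftovers; drop them before this ships.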
@@ -0,0 +1,18 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files.
+
+session required pam_limits.so
+
+# Write logins to syslog
+session required pam_unix.so
+
+# Tell pam_ldap about sessions as well, though it does not currently do
+# anything.
+session required pam_ldap.so
+
+# Load locale variables
+session required pam_env.so envfile=/etc/default/locale
+
+#session required pam_mkhomedir.so skel=/etc/skel umask=0022
diff --git a/etc/pam.d/cron b/etc/pam.d/cron
new file mode 100644
index 0000000..9df4905
--- /dev/null
+++ b/etc/pam.d/cron
@@ -0,0 +1,11 @@
+#
+# The PAM configuration file for the cron daemon
+#
+
+# cron uses pam_set_cred so it needs a working auth section. It does not do
+# any other real authentication.
+@include common-auth
+
+@include common-account
+
+@include common-session
diff --git a/etc/pam.d/login b/etc/pam.d/login
new file mode 100644
index 0000000..7f15a0f
--- /dev/null
+++ b/etc/pam.d/login
@@ -0,0 +1,19 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Standard Un*x authorization.
+@include common-account
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+session optional pam_motd.so # [1]
+
+# Standard Un*x password updating (not sure if login actually uses this, but
+# well...)
+@include common-password
diff --git a/etc/pam.d/other b/etc/pam.d/other
new file mode 100644
index 0000000..804cc35
--- /dev/null
+++ b/etc/pam.d/other
@@ -0,0 +1,13 @@
+#
+# /etc/pam.d/other - specify the PAM fallback behaviour
+#
+# Note that this file is used for any unspecified service; for example
+# if /etc/pam.d/cron specifies no session modules but cron calls
+# pam_open_session, the session module out of /etc/pam.d/other is #used.
+#
+# We deny any pam calls not explicitely allowed elsewhere.
+
+auth required pam_deny.so
+account required pam_deny.so
+session required pam_deny.so
+password required pam_deny.so
diff --git a/etc/pam.d/passwd b/etc/pam.d/passwd
new file mode 100644
index 0000000..3cd4c3b
--- /dev/null
+++ b/etc/pam.d/passwd
@@ -0,0 +1,5 @@
+#
+# The PAM configuration file for the Shadow `passwd' service
+#
+
+@include common-password
diff --git a/etc/pam.d/sshd b/etc/pam.d/sshd
new file mode 100644
index 0000000..adf7c8a
--- /dev/null
+++ b/etc/pam.d/sshd
@@ -0,0 +1,18 @@
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Standard Un*x authorization.
+@include common-account
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+session optional pam_motd.so
+session required pam_permit.so
+
+# Standard Un*x password updating (not sure if OpenSSH actually uses this, but
+# well...)
+@include common-password
diff --git a/etc/pam.d/su b/etc/pam.d/su
new file mode 100644
index 0000000..3d936f8
--- /dev/null
+++ b/etc/pam.d/su
@@ -0,0 +1,9 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+
+# This allows (only) root to su without passwords (normal operation)
+auth sufficient pam_rootok.so
+
+@include common-account
+@include common-session
diff --git a/etc/pam.d/sudo b/etc/pam.d/sudo
new file mode 100644
index 0000000..5ad980b
--- /dev/null
+++ b/etc/pam.d/sudo
@@ -0,0 +1,7 @@
+#
+# The PAM configuration file for the sudo service
+#
+
+@include common-auth
+@include common-account
+@include common-session
-- 2.30.2
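Review bot: The su stack's only auth module is `auth sufficient pam_rootok.so`, so for a non-root caller that module is ignored and, as I read Linux-PAM, an auth stack with no decisive result falls back to its default denial — non-root users cannot `su` at all, even to an account whose password they know, and the file relies on that implicit default rather than saying so. If that is the intent, make it explicit with `auth required pam_deny.so` after the pam_rootok line; if ordinary users are meant to `su` with the target's password, add `@include common-auth` there as `sudo` does. The comment above the line currently reads as if only the passwordless root case were special.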
From a3799c2363d102e5c9938889c7cf5f2e25d0bde9 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Tue, 28 Feb 2012 21:39:10 +0100
Subject: [PATCH 06/16] apt: Add wheezy mirror to sources.list This is needed now for git, possibly for other stuff in the future as well. The default release is already configured to squeeze in apt.
---
etc/apt/sources.list | 1 +
1 file changed, 1 insertion(+)
diff --git a/etc/apt/sources.list b/etc/apt/sources.list
index 726f39b..da21af2 100644
--- a/etc/apt/sources.list
+++ b/etc/apt/sources.list
@@ -1,3 +1,4 @@
deb http://cdn.debian.net/debian squeeze main
+deb http://cdn.debian.net/debian wheezy main
deb http://apt.stderr.nl stderr main
-- 2.30.2
From cf038970495d0447a4f83d14915b10516bec8f9c Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Wed, 29 Feb 2012 11:32:10 +0100
Subject: [PATCH 07/16] pam: Enable pam_mkhomedir for sshd and login. Note that we don't enable pam_mkhomedir in common-session, since there might be users (using the maroesjaSystemIdentity objectclass) that cannot login and do not need a regular homedir.
---
etc/pam.d/common-session | 2 --
etc/pam.d/login | 2 ++
etc/pam.d/sshd | 3 ++-
3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/etc/pam.d/common-session b/etc/pam.d/common-session
index 8f4eaa6..be1fadd 100644
--- a/etc/pam.d/common-session
+++ b/etc/pam.d/common-session
@@ -14,5 +14,3 @@ session required pam_ldap.so
# Load locale variables
session required pam_env.so envfile=/etc/default/locale
-
-#session required pam_mkhomedir.so skel=/etc/skel umask=0022
diff --git a/etc/pam.d/login b/etc/pam.d/login
index 7f15a0f..cc6c2f0 100644
--- a/etc/pam.d/login
+++ b/etc/pam.d/login
@@ -13,6 +13,8 @@
# Print the message of the day upon successful login.
session optional pam_motd.so # [1]
+# Create a homedir for the user, if there is none yet.
+session optional pam_mkhomedir.so
# Standard Un*x password updating (not sure if login actually uses this, but
# well...)
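Review bot: The sources.list shown here — which the `@@ -1,3 +1,4 @@` header suggests is the whole file — contains only the squeeze and wheezy `main` suites from cdn.debian.net plus apt.stderr.nl, and no `deb http://security.debian.org/ squeeze/updates main` line, so security fixes for the stable release are never offered to these containers. Mixing wheezy (testing at the time, with limited security coverage) into a squeeze system for a single package can also pull wheezy versions of shared libraries when a wheezy `git` is selected, `APT::Default-Release` notwithstanding; a squeeze-backports entry or a preferences pin that keeps everything but git from wheezy would be tighter. A comment naming which packages are intended to come from wheezy would help the next person.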
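Review bot: `session optional pam_mkhomedir.so` drops the `skel=/etc/skel umask=0022` options the removed common-session line carried, and pam_mkhomedir's documented default umask is 0022 as well, so home directories for directory users are created world-readable on a multi-user host; `session optional pam_mkhomedir.so skel=/etc/skel umask=0077` is the safer default. Being `optional`, a failure to create the directory (missing or read-only /home, for instance) is silent and the session proceeds with the user in `/`; if that should be noticed, `required` surfaces it.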
diff --git a/etc/pam.d/sshd b/etc/pam.d/sshd
index adf7c8a..ecb400c 100644
--- a/etc/pam.d/sshd
+++ b/etc/pam.d/sshd
@@ -11,7 +11,8 @@
# Print the message of the day upon successful login.
session optional pam_motd.so
-session required pam_permit.so
+# Create a homedir for the user, if there is none yet.
+session optional pam_mkhomedir.so
# Standard Un*x password updating (not sure if OpenSSH actually uses this, but
# well...)
-- 2.30.2
From 25579b8cec73aa2504740530db6f4baa6bd987e2 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Wed, 29 Feb 2012 13:05:00 +0100
Subject: [PATCH 08/16] bash: Enable colored prompts by default
---
etc/bash.bashrc | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/etc/bash.bashrc b/etc/bash.bashrc
index aa84d91..169413a 100644
--- a/etc/bash.bashrc
+++ b/etc/bash.bashrc
@@ -28,6 +28,12 @@ PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
# ;;
#esac
+# Enable colored prompts by default (note that unlike what the name suggests,
+# this actually doesn't force anything, but triggers a color-detection snippet
+# in ~/.bashrc). Users can override this value (or just throw out the snippet
+# or customize the prompt) in their ~/.bashrc as well.
+force_color_prompt=yes
+
# enable bash completion in interactive shells
if [ -f /etc/bash_completion ] && ! shopt -oq posix; then
. /etc/bash_completion
-- 2.30.2
From 2194ef7a81f664d6f4f71cde7696c9cddbcd6ee1 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Wed, 29 Feb 2012 14:29:18 +0100
Subject: [PATCH 09/16] pam: Use minimum_uid=2000 instead of 1000 LDAP users now use uids starting at 2000, to prevent confusion with the users in the host and to potentially allow local users to be created in the containers as well, if it's ever needed.
---
etc/pam.d/common-account | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/pam.d/common-account b/etc/pam.d/common-account
index cc1157f..5f349fb 100644
--- a/etc/pam.d/common-account
+++ b/etc/pam.d/common-account
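Review bot: The new `session optional pam_mkhomedir.so` for sshd sets no `umask`, so pam_mkhomedir creates the home directory with its documented default of 0022 — world-readable — for every first SSH login of a directory user; `session optional pam_mkhomedir.so skel=/etc/skel umask=0077` keeps the two services consistent and the directories private. The removal of `session required pam_permit.so` is fine, since common-session already contributes `required` modules to this stack.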
@@ -14,4 +14,4 @@ account required pam_unix.so
# module return 'ignore' instead of 'user_unknown' for local users, which gets
# handled by 'required' properly (without having to specify a verbose custom
# thing).
-account required pam_ldap.so ignore_unknown_user minimum_uid=1000
+account required pam_ldap.so ignore_unknown_user minimum_uid=2000
-- 2.30.2
From 100cfffe232a905c37f4ca068ed3ba4f39874ce3 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Wed, 29 Feb 2012 15:03:37 +0100
Subject: [PATCH 10/16] system: Set nameserver to use Google DNS
---
etc/resolv.conf | 1 +
1 file changed, 1 insertion(+)
create mode 100644 etc/resolv.conf
diff --git a/etc/resolv.conf b/etc/resolv.conf
new file mode 100644
index 0000000..cae093a
--- /dev/null
+++ b/etc/resolv.conf
@@ -0,0 +1 @@
+nameserver 8.8.8.8
-- 2.30.2
From a83cd79035ac2a16bb255228730eb12024367705 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Wed, 29 Feb 2012 15:23:17 +0100
Subject: [PATCH 11/16] bash: Don't enable extended completion twice. It is already enabled in /etc/profile.d/bash_completion.sh, so don't bother doing it again in /etc/bash.bashrc.
---
etc/bash.bashrc | 5 -----
1 file changed, 5 deletions(-)
diff --git a/etc/bash.bashrc b/etc/bash.bashrc
index 169413a..0834c29 100644
--- a/etc/bash.bashrc
+++ b/etc/bash.bashrc
@@ -34,11 +34,6 @@ PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
# or customize the prompt) in their ~/.bashrc as well.
force_color_prompt=yes
-# enable bash completion in interactive shells
-if [ -f /etc/bash_completion ] && ! shopt -oq posix; then
- . /etc/bash_completion
-fi
-
# if the command-not-found package is installed, use it
if [ -x /usr/lib/command-not-found -o -x /usr/share/command-not-found ]; then
function command_not_found_handle {
-- 2.30.2
From 24ff3eb2f8428c458cb3670ed442a802f61e1c13 Mon Sep 17 00:00:00 2001
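Review bot: Raising the floor to `minimum_uid=2000` documents the uid split, but nothing enforces it on the NSS side: nslcd's `filter passwd`/`filter shadow` accept any `maroesjaSystemIdentity` entry regardless of `uidNumber`, so a directory entry claiming uid 0 or a system uid would still be served by `getpwnam`, and the pam_ldap auth line in common-auth still has no `minimum_uid` at all. Enforce the boundary where the data enters — `filter passwd (&(objectClass=maroesjaSystemIdentity)(uidNumber>=2000))` and the same for shadow in nslcd.conf — and mirror the value on the auth line: `auth sufficient pam_ldap.so use_first_pass minimum_uid=2000`. A comment here saying "must match the uid range allocated in LDAP and the auth-stack value" would keep the three in step.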
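Review bot: `nameserver 8.8.8.8` sends every lookup this container makes to an external resolver over plain UDP, and that resolver cannot answer for the internal names the series depends on (`ldap.local`, `log.local`) — those resolve only because nsswitch routes `.local` through `mdns4_minimal`, which any host on the link can answer without authentication. If the host or the vserver network provides a resolver, use it, and pin the two infrastructure names in /etc/hosts so authentication and log shipping do not hinge on multicast replies; a `search`/`domain` line is also missing. If Google DNS is a deliberate choice, say so in a one-line comment in the file.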
From: Matthijs Kooijman Date: Wed, 29 Feb 2012 16:57:55 +0100 Subject: [PATCH 12/16] rsyslog: Enable remote logging --- etc/rsyslog.conf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf index 5dfd304..cc838db 100644 --- a/etc/rsyslog.conf +++ b/etc/rsyslog.conf @@ -101,6 +101,5 @@ $ActionQueueFileName remote $ActionResumeRetryCount -1 # save in-memory data if rsyslog shuts down $ActionQueueSaveOnShutdown on -# Disabled for now -#*.* @@log.local;RSYSLOG_SyslogProtocol23Format +*.* @@log.local;RSYSLOG_SyslogProtocol23Format -- 2.30.2 From bb55af102f9b04f0319d55fb6f7ded2543770cfd Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Wed, 29 Feb 2012 16:24:41 +0100 Subject: [PATCH 13/16] rsyslog: Don't do remote logging Since we are the remote log server, don't send out our logs anywhere. --- etc/rsyslog.conf | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf index cc838db..9d1aac1 100644 --- a/etc/rsyslog.conf +++ b/etc/rsyslog.conf @@ -86,20 +86,3 @@ local0,local1,local2,\ # Emergencies are sent to everybody logged in. # *.emerg * - -######################## -#### Remote logging #### -######################## - -# Send all log entries to the log vserver, but queue them in memory as well as -# on disk if needed. -# Use a linked list for queueing -$ActionQueueType LinkedList -# Name to use for the queue file -$ActionQueueFileName remote -# infinite retries on insert failure -$ActionResumeRetryCount -1 -# save in-memory data if rsyslog shuts down -$ActionQueueSaveOnShutdown on -*.* @@log.local;RSYSLOG_SyslogProtocol23Format - -- 2.30.2 From 011915ac6513a85cec1583e807cd6b4209ccd6b4 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Wed, 29 Feb 2012 16:36:27 +0100 Subject: [PATCH 14/16] rsyslog: Only do local logging for local messages. --- etc/rsyslog.conf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf
index 9d1aac1..465dce4 100644
--- a/etc/rsyslog.conf
+++ b/etc/rsyslog.conf
@@ -52,7 +52,11 @@ $MainMsgQueueSaveOnShutdown on
#### Local logging ####
#######################
-#
+# Discard all log entries not locally generated (note that the ~ here is the
+# "discard" action, preventing the rules below from bein ran on these messages.
+if $fromhost-ip != '127.0.0.1' then ~
+
+
# Log each facility into its own log
auth,authpriv.* /var/log/rsyslog/auth.log
cron.* -/var/log/rsyslog/user.log
-- 2.30.2
From 1b36496e62f7d883bd9a25f6bfe3e105ae340391 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Wed, 29 Feb 2012 16:39:24 +0100
Subject: [PATCH 15/16] rsylog: Accept remote log messages over TCP.
---
etc/rsyslog.conf | 3 +++
1 file changed, 3 insertions(+)
diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf
index 465dce4..fee816c 100644
--- a/etc/rsyslog.conf
+++ b/etc/rsyslog.conf
@@ -12,6 +12,9 @@ $ModLoad imuxsock # provides support for local system logging
$ModLoad immark # provides --MARK-- message capability
$MarkMessagePeriod 900 # mark messages appear every 15 Minutes
+$ModLoad imtcp
+$InputTCPServerRun 514 # Accept TCP connections on the default syslog port
+
###########################
#### GLOBAL DIRECTIVES ####
###########################
-- 2.30.2
From b065d63cb9fde93306451d84cb4064db6a64684d Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Wed, 29 Feb 2012 16:43:54 +0100
Subject: [PATCH 16/16] rsyslog: Configure logging all message to /data/log.
---
etc/rsyslog.conf | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf
index fee816c..b2fc2ca 100644
--- a/etc/rsyslog.conf
+++ b/etc/rsyslog.conf
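Review bot: `if $fromhost-ip != '127.0.0.1' then ~` discards non-local messages for every rule that follows it, so any rule that is meant to keep remote messages has to sit above this line — the comment explains what `~` does but not that ordering constraint, and nothing in this hunk shows what precedes it. I would extend the comment with `# Rules that must also see remote messages belong ABOVE this line.` and fix the typo `bein ran` → `being run`. Matching on the transport peer rather than `%HOSTNAME%` is the right call here, since a TCP sender cannot forge `fromhost-ip` but can put anything in the hostname field.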
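Review bot: `$InputTCPServerRun 514` opens the listener on every interface with no sender restriction, no session cap and no TLS, so anyone who can reach port 514 can inject arbitrary log lines or fill the disk, and nothing in this hunk confines it to the vserver network. Add `$AllowedSender TCP, 127.0.0.1, LOGNET/PREFIX` and `$InputTCPMaxSessions` sized for the number of vservers before the `$InputTCPServerRun` line, and if the log host is reachable from less trusted segments, load `gtls`, set `$DefaultNetstreamDriver gtls`, `$InputTCPServerStreamDriverMode 1` and `$InputTCPServerStreamDriverAuthMode x509/name` so senders are authenticated and the stream is encrypted. If cleartext on a private segment is the intended trade-off, the comment on that line should say so.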
@@ -51,6 +51,32 @@ $MainMsgQueueFileName main
# save in-memory data if rsyslog shuts down
$MainMsgQueueSaveOnShutdown on
+########################
+#### Remote logging ####
+########################
+
+# Log lines received from other servers (as well as our own logs) centrally.
+$template HostFacilityLog,"/data/log/rsyslog/hosts/%fromhost%/facilities/%syslogfacility-text%.log"
+$template HostSeverityLog,"/data/log/rsyslog/hosts/%fromhost%/severities/%syslogseverity-text%.log"
+$template HostAppLog,"/data/log/rsyslog/hosts/%fromhost%/apps/%app-name%.log"
+
+# Use a verbose logging format
+$template LogFormat, "%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag% %syslogfacility-text%.%syslogseverity-text%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
+
+# Log by facility, severity and appname
+*.* ?HostFacilityLog;LogFormat
+*.* ?HostSeverityLog;LogFormat
+*.* ?HostAppLog;LogFormat
+# Log all entries in a single file, which is meant to be parsed by logcheck
+# (hence the traditional format).
+*.* -/data/log/rsyslog/all.log;RSYSLOG_TraditionalFileFormat
+
+# Debugging format. Based on RSYSLOG_DebugFormat, available in later versions
+# of rsyslogd, with some variations.
+$template DebugFormat,"Debug line with all properties:\nFROMHOST: '%FROMHOST%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\nsyslogtag '%syslogtag%', programname: '%programname%', APP-NAME: '%APP-NAME%', PROCID: '%PROCID%', MSGID: '%MSGID%',\nTIMESTAMP: '%TIMESTAMP%', STRUCTURED-DATA: '%STRUCTURED-DATA%', syslogtag: '%syslogtag%'\nmsg: '%msg%'\nescaped msg: '%msg:::drop-cc%'\nrawmsg: '%rawmsg%'\n\n"
+# Uncomment this to have detailed logging for debugging
+#*.* -/data/log/rsyslog/debug.log;DebugFormat
+
#######################
#### Local logging ####
#######################
-- 2.30.2
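Review bot: The three dynafile templates splice `%fromhost%` and `%app-name%` straight into a path under /data/log/rsyslog/hosts/, and `app-name` is taken from the TAG the sender writes into the message while `fromhost` is whatever reverse DNS returns for the peer — neither is sanitised, so a client of the TCP listener added in the previous patch can put a `/` in either field and steer its lines into a file of its choosing wherever rsyslog may create one. rsyslog's property replacer has `secpath-replace` (or `secpath-drop`) for exactly this; apply it to every sender-derived field, e.g. `%fromhost:::secpath-replace%` and `%app-name:::secpath-replace%`, and consider `%fromhost-ip%` instead of `%fromhost%`, which also avoids a PTR lookup per new peer. `%syslogfacility-text%` and `%syslogseverity-text%` come from fixed tables and are fine as they are.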