rsyslog: Accept and log entries from all other vservers.

This logs all entries to /data, separated per host and per facility,
severity or application. There is also one big logfile for all entries,
for use by logcheck.

All of these files are lograted daily and kept forever (except for the
big contains-everything logfile, which is thrown away after a day when
logcheck should be done with it).

diff --git a/etc/logrotate.d/rsyslog-central b/etc/logrotate.d/rsyslog-central
new file mode 100644 (file)
index 0000000..4da5cde
--- /dev/null
+++ b/etc/logrotate.d/rsyslog-central
@@ -0,0 +1,35 @@
+# This file describes the rotation of the centralized log files in /data, from
+# all vservers.
+
+/data/log/rsyslog/*/*/*.log
+{
+       # Never throw away logfiles for now
+       rotate 999999
+       # Rotate daily
+       daily
+       # Compress rotated files
+       compress
+       # Use the rotation date as an extension
+       dateext
+       # Reload rsyslog after rotation, but only once for all scripts
+       sharedscripts
+       postrotate
+               invoke-rc.d rsyslog reload > /dev/null
+       endscript
+       # Put the rotated logs in a separate dir
+       # Disabled, since logrotate insists these directories exist before
+       # rotation (and even before running scripts...)
+       # olddir archive
+}
+
+# This logfile is mostly used for quick lookups of recent events and for
+# logcheck to parse. So we only keep one rotated version. Logcheck should be
+# able to handle the rotation gracefully this way.
+/data/log/rsyslog/all.log
+{
+       rotate 1
+       daily
+       postrotate
+               invoke-rc.d rsyslog reload > /dev/null
+       endscript
+}

diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf
index af425069bf06d8d786aa77f18bbc0d5d9996cd60..1fb94a79503bd0f7baffa30f74adba2170dbe213 100644 (file)
--- a/etc/rsyslog.conf
+++ b/etc/rsyslog.conf
@@ -11,6 +11,8 @@
 $ModLoad imuxsock # provides support for local system logging
 $ModLoad immark   # provides --MARK-- message capability
 $MarkMessagePeriod  900 # mark messages appear every 15 Minutes
+$ModLoad imtcp
+$InputTCPServerRun 514 # Accept TCP connections on the default syslog port
 
 ###########################
 #### GLOBAL DIRECTIVES ####
@@ -35,12 +37,36 @@ $DirCreateMode 0755
 #
 $IncludeConfig /etc/rsyslog.d/*.conf
 
+########################
+#### Remote logging ####
+########################
+
+# Log lines received from other servers (as well as our own logs) centrally.
+$template FacilityLog,"/data/log/rsyslog/%hostname%/facilities/%syslogfacility-text%.log"
+$template SeverityLog,"/data/log/rsyslog/%hostname%/severities/%syslogseverity-text%.log"
+$template AppLog,"/data/log/rsyslog/%hostname%/apps/%app-name%.log"
+$template AllLog,"/data/log/rsyslog/all.log"
+
+# Use a verbose logging format
+$template LogFormat, "%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag% %syslogfacility-text%.%syslogseverity-text%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
+
+# Log by facility, severity and appname
+*.*                            ?FacilityLog;LogFormat
+*.*                            ?SeverityLog;LogFormat
+*.*                            ?AppLog;LogFormat
+# Log all entries in a single file, which is meant to be parsed by logcheck
+# (hence the traditional format).
+*.*                            ?AllLog;RSYSLOG_TraditionalFileFormat
 
 #######################
 #### Local logging ####
 #######################
 
-#
+# Discard all log entries not locally generated. Newer versions of rsyslogd
+# have the $fromhost-ip property which can be checked against 127.0.0.1, which
+# is probably slightly more reliable, but this will work for now.
+if $fromhost != 'log' then ~
+
 # Log each facility into its own log
 auth,authpriv.*                        /var/log/rsyslog/auth.log
 cron.*                         -/var/log/rsyslog/user.log
@@ -75,8 +101,3 @@ local0,local1,local2,\
 #
 *.emerg                                *
 
-########################
-#### Remote logging ####
-########################
-
-# No use to send ourselvers logs