From 1f22be2e6677e29ca4c4a3b7d596cc86ce46fd0f Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Tue, 5 May 2009 14:12:31 +0200
Subject: [PATCH] rsyslog: Accept and log entries from all other vservers.

This logs all entries to /data, separated per host and per facility, severity or application. There is also one big logfile for all entries, for use by logcheck. All of these files are lograted daily and kept forever (except for the big contains-everything logfile, which is thrown away after a day when logcheck should be done with it).
---
etc/logrotate.d/rsyslog-central | 35 +++++++++++++++++++++++++++++++++
etc/rsyslog.conf | 33 +++++++++++++++++++++++++------
2 files changed, 62 insertions(+), 6 deletions(-)
create mode 100644 etc/logrotate.d/rsyslog-central
diff --git a/etc/logrotate.d/rsyslog-central b/etc/logrotate.d/rsyslog-central
new file mode 100644
index 0000000..4da5cde
--- /dev/null
+++ b/etc/logrotate.d/rsyslog-central
@@ -0,0 +1,35 @@
+# This file describes the rotation of the centralized log files in /data, from
+# all vservers.
+
+/data/log/rsyslog/*/*/*.log
+{
+ # Never throw away logfiles for now
+ rotate 999999
+ # Rotate daily
+ daily
+ # Compress rotated files
+ compress
+ # Use the rotation date as an extension
+ dateext
+ # Reload rsyslog after rotation, but only once for all scripts
+ sharedscripts
+ postrotate
+ invoke-rc.d rsyslog reload > /dev/null
+ endscript
+ # Put the rotated logs in a separate dir
+ # Disabled, since logrotate insists these directories exist before
+ # rotation (and even before running scripts...)
+ # olddir archive
+}
+
+# This logfile is mostly used for quick lookups of recent events and for
+# logcheck to parse. So we only keep one rotated version. Logcheck should be
+# able to handle the rotation gracefully this way.
+/data/log/rsyslog/all.log
+{
+ rotate 1
+ daily
+ postrotate
+ invoke-rc.d rsyslog reload > /dev/null
+ endscript
+}
diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf
index af42506..1fb94a7 100644
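Review bot: The wildcard stanza `/data/log/rsyslog/*/*/*.log` has no `missingok`, so on a run where the pattern matches nothing (for instance before any host has logged) logrotate is expected to report an error rather than skip the stanza; adding `missingok` next to `daily` would avoid that. Separately, the directories this glob walks are created by rsyslog from fields of received messages (see the templates added to etc/rsyslog.conf in this patch), so with `rotate 999999` the amount kept under /data is bounded only by what senders choose to log. A comment such as `# NOTE: unbounded retention; watch free space and inodes on /data` next to `rotate 999999` would make that trade-off explicit.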
--- a/etc/rsyslog.conf +++ b/etc/rsyslog.conf @@ -11,6 +11,8 @@ $ModLoad imuxsock # provides support for local system logging $ModLoad immark # provides --MARK-- message capability $MarkMessagePeriod 900 # mark messages appear every 15 Minutes +$ModLoad imtcp +$InputTCPServerRun 514 # Accept TCP connections on the default syslog port ########################### #### GLOBAL DIRECTIVES #### @@ -35,12 +37,36 @@ $DirCreateMode 0755 # $IncludeConfig /etc/rsyslog.d/*.conf +######################## +#### Remote logging #### +######################## + +# Log lines received from other servers (as well as our own logs) centrally. +$template FacilityLog,"/data/log/rsyslog/%hostname%/facilities/%syslogfacility-text%.log" +$template SeverityLog,"/data/log/rsyslog/%hostname%/severities/%syslogseverity-text%.log" +$template AppLog,"/data/log/rsyslog/%hostname%/apps/%app-name%.log" +$template AllLog,"/data/log/rsyslog/all.log" + +# Use a verbose logging format +$template LogFormat, "%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag% %syslogfacility-text%.%syslogseverity-text%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n" + +# Log by facility, severity and appname +*.* ?FacilityLog;LogFormat +*.* ?SeverityLog;LogFormat +*.* ?AppLog;LogFormat +# Log all entries in a single file, which is meant to be parsed by logcheck +# (hence the traditional format). +*.* ?AllLog;RSYSLOG_TraditionalFileFormat ####################### #### Local logging #### ####################### -# +# Discard all log entries not locally generated. Newer versions of rsyslogd +# have the $fromhost-ip property which can be checked against 127.0.0.1, which +# is probably slightly more reliable, but this will work for now. +if $fromhost != 'log' then ~ + # Log each facility into its own log auth,authpriv.* /var/log/rsyslog/auth.log cron.* -/var/log/rsyslog/user.log 
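Review bot: `$InputTCPServerRun 514` opens the listener with no sender restriction, so any host that can reach port 514 can write into the central logs, including the `all.log` file that logcheck parses. If only the other vservers are meant to log here, restrict it beside the listener, e.g. `$AllowedSender TCP, 127.0.0.1, <VSERVER_SUBNET>` (placeholder value), or with a firewall rule, and state in the comment which of the two is relied on. The stream is also plain TCP, which is only acceptable if the vservers share a trusted network segment; the comment on this line should say so.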
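Review bot: The `FacilityLog`, `SeverityLog` and `AppLog` templates build file paths from `%hostname%` and `%app-name%`, which are fields of the received message and therefore chosen by the sender. A client can thus log under another host's directory name, and every new hostname or app-name value creates a directory or file that the logrotate glob then keeps indefinitely. Consider keying the directory on the connection-derived `%fromhost%` (the property the discard rule below already uses) and sanitising the tag, e.g. `%app-name:::secpath-replace%`; whether that option is available in the deployed rsyslog version needs checking. The rule `if $fromhost != 'log' then ~` depends on name resolution of the peer, as its own comment concedes, so a `# TODO: switch to $fromhost-ip` marker would keep that visible.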
@@ -75,8 +101,3 @@ local0,local1,local2,\ # *.emerg * -######################## -#### Remote logging #### -######################## - -# No use to send ourselvers logs -- 2.30.2