Rsyslog: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 1: | Zeile 1: | ||
| − | + | *[[Rsyslog Grundlagen]] | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
=Seine wichtigsten System-Dateien sind= | =Seine wichtigsten System-Dateien sind= | ||
Version vom 12. Mai 2022, 15:12 Uhr
Seine wichtigsten System-Dateien sind
- /etc/default/rsyslog
- /etc/init.d/rsyslog - Symlink zum Upstart-Initskript (siehe nächster Punkt)
- /etc/init/rsyslog.conf
- /etc/rsyslog.conf
- /etc/rsyslog.d/50-default.conf - die zentrale Konfigurationsdatei
- /usr/sbin/rsyslogd - die Programmdatei
Konfigdateien
- /etc/rsyslog.conf
module(load="imuxsock") # provides support for local system logging module(load="imklog") # provides kernel logging support $KLogPermitNonKernelFacility on $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat $RepeatedMsgReduction on $FileOwner syslog $FileGroup adm $FileCreateMode 0640 $DirCreateMode 0755 $Umask 0022 $PrivDropToUser syslog $PrivDropToGroup syslog $WorkDirectory /var/spool/rsyslog $IncludeConfig /etc/rsyslog.d/*.conf
/etc/rsyslog.d/50-default.conf
Die Datei 50-default.conf ist kompatible mit der syslog.conf
auth,authpriv.* /var/log/auth.log *.*;auth,authpriv.none -/var/log/syslog kern.* -/var/log/kern.log mail.* -/var/log/mail.log mail.err /var/log/mail.err news.crit /var/log/news/news.crit news.err /var/log/news/news.err news.notice -/var/log/news/news.notice *.emerg :omusrmsg:* daemon.*;mail.*;\ news.err;\ *.=debug;*.=info;\ *.=notice;*.=warn |/dev/xconsole
systemctl status rsyslog.service
● rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Mo 2016-09-05 09:47:26 CEST; 2h 23min ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 3193 (rsyslogd)
Tasks: 4 (limit: 512)
CGroup: /system.slice/rsyslog.service
└─3193 /usr/sbin/rsyslogd -n
Sep 05 09:47:25 bajor.xinux.org systemd[1]: Starting System Logging Service...
Sep 05 09:47:26 bajor.xinux.org systemd[1]: Started System Logging Service.
Udp Port in rsyslog.conf öffnen
#provides UDP syslog reception module(load="imudp") input(type="imudp" port="514")
Tcp Port in rsyslog.conf öffnen
#provides TCP syslog reception module(load="imtcp") input(type="imtcp" port="514")
Logger
- echo "Dies ist eine Meldung" | logger -p local3.warn
- tail -f -n 1 /var/log/syslog
Sep 5 13:19:03 bajor root: Dies ist eine Meldung
Eigene Regeln
Einfache Regeln
Programname
- Logfile for tftpd
if $programname == 'in.tftpd' then /var/log/tftpd.log
facility-text
- 60-meinlog.conf
if $syslogfacility-text == 'local3' then /var/log/meinelog
- systemctl restart rsyslog.service
- echo "Hallo Welt" | logger -p local3.warn
- tail -n 1 -f /var/log/meinelog
Sep 5 14:21:04 bajor root: Hallo Welt
contains
Prevent rsyslog logging to /var/log/syslog
- 10-iptables.conf
if $msg contains '-iptables-' then /var/log/firewall & ~
expressions in parenthesis
- not, unary minus
- *, /, % (modulus, as in C)
- +, -, & (string concatenation)
- ==, !=, <>, <, >, <=, >=, contains (strings!), startswith (strings!)
- and
- or
legacy rsyslog
Beginnen mit einem $-Zeichen. Zum Setzen von Konfigurationsparametern.
$FileOwner syslog
RainerScript
Neues Format.
Generator für eine Konfigurationsdatei: http://www.rsyslog.com/rsyslog-configuration-builder/
Templates - Anpassen des Ausgabeformates
$template MyOwnFormat,"Debug line with all properties:\nFROMHOST: '%FROMHOST%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\nsyslogtag '%syslogtag%', programname: '%programname%', APP-NAME: '%APP-NAME%', PROCID: '%PROCID%', MSGID: '%MSGID%',\nTIMESTAMP: '%TIMESTAMP%', STRUCTURED-DATA: '%STRUCTURED-DATA%', \nmsg: '%msg%'\nescaped msg: '%msg:::drop-cc%'\nrawmsg: '%rawmsg%'\n\n" *.*;auth,authpriv.none /var/log/syslog;MyOwnFormat