Rsyslog
Revision of 12 May 2022, 15:13 by Thomas.will
- systemctl status rsyslog.service
● rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2016-09-05 09:47:26 CEST; 2h 23min ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 3193 (rsyslogd)
Tasks: 4 (limit: 512)
CGroup: /system.slice/rsyslog.service
└─3193 /usr/sbin/rsyslogd -n
Sep 05 09:47:25 bajor.xinux.org systemd[1]: Starting System Logging Service...
Sep 05 09:47:26 bajor.xinux.org systemd[1]: Started System Logging Service.
Opening the UDP port in rsyslog.conf
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
Note: imudp accepts datagrams from anyone who can reach the port, with no authentication, and UDP source addresses are trivially spoofed. A remote listener should therefore be bound to the interface it is meant for (the address="..." parameter on the input) and limited to the known senders by a host firewall.
Opening the TCP port in rsyslog.conf
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
Note: plain TCP still carries the messages unencrypted. imtcp can run over TLS (the StreamDriver.Name="gtls" and StreamDriver.Mode="1" module parameters together with the CA and certificate settings in global()), conventionally on port 6514. After editing, check the configuration with rsyslogd -N1 before restarting the service.
Logger
- echo "This is a message" | logger -p local3.warn
- tail -f -n 1 /var/log/syslog
Sep 5 13:19:03 bajor root: This is a message
logger -p facility.level sets the PRI of the message (facility * 8 + severity; local3.warn is 19 * 8 + 4 = 156), which is what the facility and severity filters below match on.
Custom rules
Simple rules
programname
- Logfile for tftpd
if $programname == 'in.tftpd' then /var/log/tftpd.log
facility-text
- 60-meinlog.conf in /etc/rsyslog.d/ (the Debian/Ubuntu rsyslog.conf includes /etc/rsyslog.d/*.conf, in alphabetical file-name order)
if $syslogfacility-text == 'local3' then /var/log/meinelog
- rsyslogd -N1
- systemctl restart rsyslog.service
- echo "Hello world" | logger -p local3.warn
- tail -n 1 -f /var/log/meinelog
Sep 5 14:21:04 bajor root: Hello world
contains
Keeping a message out of /var/log/syslog
- 10-iptables.conf
if $msg contains '-iptables-' then /var/log/firewall
& ~
The & on the second line means "same filter, another action"; ~ is the legacy discard action, so after being written to /var/log/firewall the message goes no further. Current rsyslog spells this & stop (~ is deprecated). Because the included files are processed in name order, the file must sort before 50-default.conf; named 90-iptables.conf, the message would already have been written to /var/log/syslog before the discard takes effect.
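To see how these filters interact with the discard action and with the include order, here is an added Python model (example code written for this page, not part of the wiki page or of rsyslog itself). It parses a few constructed BSD-syslog lines into the properties the rules test, then runs the page's three rules plus the Debian default rule *.*;auth,authpriv.none /var/log/syslog in file-name order. The facility and severity tables, the tag-to-programname split and the sample lines are simplified assumptions, not rsyslog's own parser:

```python
# Added example, not from the wiki page or the rsyslog project: a small Python
# model of rsyslog's property-based filters (programname, syslogfacility-text,
# contains) together with the "& stop" (legacy "& ~") semantics and the
# alphabetical include order of /etc/rsyslog.d/*.conf.  Facility/severity names,
# the tag-to-programname split and the sample lines are simplified/constructed.
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# $syslogfacility-text / $syslogseverity-text names (facilities 12-15 omitted: rarely used)
FACILITY_NAMES: Dict[int, str] = {
    **dict(enumerate(["kern", "user", "mail", "daemon", "auth", "syslog",
                      "lpr", "news", "uucp", "cron", "authpriv", "ftp"])),
    **{16 + i: f"local{i}" for i in range(8)},
}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD (RFC 3164 style) line as it arrives on the wire: <PRI>timestamp host tag: msg
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^ ]+?:) ?(?P<msg>.*)$"
)


def parse_bsd_syslog(line: str) -> Dict[str, object]:
    """Derive the rsyslog properties the page's filters use (simplified model)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    pri = int(m["pri"])
    facility, severity = pri >> 3, pri & 7          # PRI = facility * 8 + severity
    tag = m["tag"]
    return {
        "syslogfacility": facility,
        "syslogfacility-text": FACILITY_NAMES.get(facility, f"facility{facility}"),
        "syslogseverity": severity,
        "syslogseverity-text": SEVERITY_NAMES[severity],
        "hostname": m["host"],
        "syslogtag": tag,                            # e.g. "in.tftpd[2211]:"
        "programname": re.split(r"[\[:]", tag, maxsplit=1)[0],  # static part of the tag
        "msg": m["msg"],
    }


@dataclass
class Rule:
    conf_file: str                                  # file under /etc/rsyslog.d/; its name decides the order
    test: Callable[[Dict[str, object]], bool]       # the "if ..." condition
    target: Optional[str]                           # the "then /var/log/..." action
    stop: bool = False                              # "& stop" (legacy "& ~"): discard after this action


# The page's rules plus the Debian/Ubuntu default "*.*;auth,authpriv.none /var/log/syslog"
RULESET: List[Rule] = [
    Rule("50-default.conf",
         lambda p: p["syslogfacility-text"] not in ("auth", "authpriv"), "/var/log/syslog"),
    Rule("60-meinlog.conf", lambda p: p["syslogfacility-text"] == "local3", "/var/log/meinelog"),
    Rule("10-iptables.conf", lambda p: "-iptables-" in p["msg"], "/var/log/firewall", stop=True),
    Rule("60-tftpd.conf", lambda p: p["programname"] == "in.tftpd", "/var/log/tftpd.log"),
]


def route(line: str, rules: List[Rule] = RULESET) -> List[str]:
    """Return the files a line ends up in.  The include of /etc/rsyslog.d/*.conf pulls
    the files in alphabetical order, so the rules are evaluated sorted by file name."""
    props = parse_bsd_syslog(line)
    written: List[str] = []
    for rule in sorted(rules, key=lambda r: r.conf_file):
        if rule.test(props):
            if rule.target:
                written.append(rule.target)
            if rule.stop:
                break                                # nothing after "stop" sees the line
    return written


# Constructed sample lines (PRI 156 = local3.warning, 4 = kern.warning,
# 30 = daemon.info, 86 = authpriv.info); they are not taken from a real system.
SAMPLES = [
    "<156>Sep  5 14:21:04 bajor root: Hello world",
    "<4>Sep  5 14:22:10 bajor kernel: [   42.0] -iptables-DROP IN=eth0 SRC=10.0.0.5",
    "<30>Sep  5 14:23:00 bajor in.tftpd[2211]: RRQ from 10.0.0.7 filename boot.cfg",
    "<86>Sep  5 14:24:00 bajor sshd[900]: Accepted publickey for root from 10.0.0.9",
]


def misordered_rules() -> List[Rule]:
    """Same rules, but the iptables file renamed so it sorts after 50-default.conf."""
    return [Rule("90-iptables.conf", r.test, r.target, r.stop)
            if r.conf_file == "10-iptables.conf" else r
            for r in RULESET]


if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{route(line)!s:45} <- {line}")
    print("iptables rule as 90-iptables.conf:", route(SAMPLES[1], misordered_rules()))
```

Running it prints each line's destinations: the local3 message lands in both /var/log/syslog and /var/log/meinelog, the iptables line only in /var/log/firewall, the authpriv line nowhere (the .none selector), and the last line shows that renaming 10-iptables.conf to 90-iptables.conf lets the firewall message reach /var/log/syslog before the stop.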
Operator precedence in filter expressions, highest first:
- expressions in parentheses
- not, unary minus
- *, /, % (modulus, as in C)
- +, -, & (string concatenation)
- ==, !=, <>, <, >, <=, >=, contains (strings!), startswith (strings!)
- and
- or
Legacy rsyslog format
Directives begin with a $ sign and set configuration parameters, e.g.
$FileOwner syslog
In RainerScript the same setting becomes a parameter of the action, e.g. action(type="omfile" file="/var/log/meinelog" fileOwner="syslog").
RainerScript
The newer format; the module()/input() and if ... then lines above are RainerScript.
Generator for a configuration file: http://www.rsyslog.com/rsyslog-configuration-builder/
Templates: customizing the output format
$template MyOwnFormat,"Debug line with all properties:\nFROMHOST: '%FROMHOST%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\nsyslogtag '%syslogtag%', programname: '%programname%', APP-NAME: '%APP-NAME%', PROCID: '%PROCID%', MSGID: '%MSGID%',\nTIMESTAMP: '%TIMESTAMP%', STRUCTURED-DATA: '%STRUCTURED-DATA%', \nmsg: '%msg%'\nescaped msg: '%msg:::drop-cc%'\nrawmsg: '%rawmsg%'\n\n"
*.*;auth,authpriv.none /var/log/syslog;MyOwnFormat
The ;MyOwnFormat suffix binds the template to that action. %msg:::drop-cc% is the property replacer (%property:from:to:options%) with the drop-cc option, which removes control characters; a message containing a newline would otherwise produce a forged second log line. The RainerScript form of the same definition is template(name="MyOwnFormat" type="string" string="...").
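As an added example (written for this page, not rsyslog code), here is a Python model of the property replacer used in the template above, %property:from:to:options%, covering drop-cc together with escape-cc, space-cc, drop-last-lf, lowercase/uppercase and the 1-based from:to substring. The property values are constructed; the message carries an embedded newline followed by a fake sshd line to show what drop-cc protects against. rsyslog normally escapes control characters already when it receives a message ($EscapeControlCharactersOnReceive, on by default, writes #012 for a newline), so the unescaped form only appears if that has been switched off; the template option is a second line of defence.

```python
# Added example, not from the wiki page or the rsyslog project: a Python model of
# the template property replacer "%property:from:to:options%" for the options
# that matter in the page's template (drop-cc) plus escape-cc, space-cc,
# drop-last-lf, lowercase/uppercase and the 1-based from:to substring.  The
# property values are constructed; the message deliberately carries an embedded
# newline to show why control characters must not reach a line-oriented log.
import re
from typing import Dict

TOKEN_RE = re.compile(
    r"%(?P<name>[^%:]+)(?::(?P<from>[^%:]*):(?P<to>[^%:]*)(?::(?P<opts>[^%]*))?)?%"
)
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def apply_option(value: str, option: str) -> str:
    """One property-replacer option.  escape-cc writes a three-digit decimal code,
    as the property replacer documents it; the receive-time escaping
    ($EscapeControlCharactersOnReceive) uses octal, e.g. #012 for a newline."""
    if option == "":
        return value
    if option == "drop-cc":
        return CONTROL_CHARS.sub("", value)
    if option == "space-cc":
        return CONTROL_CHARS.sub(" ", value)
    if option == "escape-cc":
        return CONTROL_CHARS.sub(lambda m: "#%03d" % ord(m.group()), value)
    if option == "drop-last-lf":
        return value[:-1] if value.endswith("\n") else value
    if option == "lowercase":
        return value.lower()
    if option == "uppercase":
        return value.upper()
    raise ValueError(f"option {option!r} is not modelled here")   # assumption: subset only


def render(template: str, props: Dict[str, str]) -> str:
    """Expand a string template.  Property names are case-insensitive (%HOSTNAME% and
    %hostname% are the same); a literal backslash-n in the template is a newline,
    as in $template."""
    def expand(m: "re.Match[str]") -> str:
        value = props.get(m["name"].lower(), "")
        if m["from"]:
            start = int(m["from"]) - 1                  # rsyslog positions are 1-based
            end = int(m["to"]) if m["to"] else None     # ...and "to" is inclusive
            value = value[start:end]
        for option in (m["opts"] or "").split(","):
            value = apply_option(value, option.strip())
        return value
    return TOKEN_RE.sub(expand, template.replace("\\n", "\n"))


# Constructed properties for one message; the msg contains a newline followed by a
# fake line, the classic log-injection trick against line-oriented log parsers.
PROPS: Dict[str, str] = {
    "fromhost": "10.0.0.5",
    "hostname": "bajor",
    "pri": "156",
    "syslogtag": "root:",
    "programname": "root",
    "timestamp": "Sep  5 14:21:04",
    "msg": "Hello world\nSep  5 14:21:05 bajor sshd[1]: Accepted password for root from 10.0.0.5",
}

# A shortened version of the page's MyOwnFormat template (\n as rsyslog sees it)
DEBUG_TEMPLATE = ("FROMHOST: '%FROMHOST%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\\n"
                  "programname: '%programname%'\\nmsg: '%msg%'\\n"
                  "escaped msg: '%msg:::drop-cc%'\\n")


def line_count(template: str, props: Dict[str, str] = PROPS) -> int:
    """How many physical lines a template produces for the sample message."""
    return render(template, props).count("\n")


if __name__ == "__main__":
    print(render(DEBUG_TEMPLATE, PROPS))
    print("lines from %msg%:", line_count("%msg%\\n"),
          "lines from %msg:::drop-cc%:", line_count("%msg:::drop-cc%\\n"))
```

In the output the raw %msg% line breaks into two physical lines, the second of which looks exactly like a successful sshd login, while the drop-cc variant stays on one line; escape-cc keeps the information (#010) but still on one line, which is usually the better choice for forensics.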