Ubuntu 16.04
Sponsored Link

Rsyslog : Output Logs to Remote Host
2016/09/12
 
Configure Rsyslog to output logs to remote host.
This example based on environment below.
+----------------------+          |          +----------------------+
| [  Syslog Server   ] |10.0.0.30 | 10.0.0.51| [  Syslog Client   ] |
|    dlp.srv.world     +----------+----------+   node01.srv.world   |
|                      |                     |                      |
+----------------------+                     +----------------------+

[1] Configure Log Managed Server to receive logs from client servers.
root@dlp:~#
vi /etc/rsyslog.conf
# line 22-23: uncomment

module(load="imtcp")
input(type="imtcp" port="514")
# specify senders you permit to access

$AllowedSender TCP, 127.0.0.1, 10.0.0.0/24, *.srv.world
root@dlp:~#
systemctl restart rsyslog

[2] Configure Client Servers.
root@node01:~#
vi /etc/rsyslog.d/50-default.conf
# for exmaple, output logs for "auth,authpriv.*" to remote

auth,authpriv.*    
@@dlp.srv.world:514
# add to the end (settings for when Rsyslog Server would be down)

$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1

root@node01:~#
systemctl restart rsyslog

[3] After configuration of above, logs for kinds of authentication are recorded on Log Managed Server like follows.
root@dlp:~#
tail -30 /var/log/auth.log

Sep 11 09:28:17 dlp systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Sep 11 09:28:17 dlp login[2275]: ROOT LOGIN  on '/dev/ttyS0'
Sep 11 10:17:01 dlp CRON[2342]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 11 10:17:01 dlp CRON[2342]: pam_unix(cron:session): session closed for user root
Sep 11 14:26:57 node01 login[2527]: pam_unix(login:session): session closed for user ubuntu
Sep 11 14:26:57 node01 systemd-logind[2032]: Removed session 6.
Sep 11 14:26:57 node01 systemd: pam_unix(systemd-user:session): session closed for user ubuntu
Sep 11 14:27:03 node01 login[2611]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Sep 11 14:27:03 node01 systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Sep 11 14:27:03 node01 systemd-logind[2032]: New session 7 of user root.
Sep 11 14:27:03 node01 login[2658]: ROOT LOGIN  on '/dev/ttyS0'
[4] If you'd like to separate logs for each Host, for each date, Configure like follows.
root@dlp:~#
vi /etc/rsyslog.d/50-default.conf
# add: define logfiles

$template Auth_log,"/var/log/auth.d/%fromhost%_%$year%%$month%%$day%.auth"
# add: specify logfiles defined above

auth,authpriv.*    
-?Auth_log
root@dlp:~#
systemctl restart rsyslog
root@dlp:~#
ll /var/log/auth.d/

total 16
-rw-r-----  1 syslog adm     483 Sep 14 14:49 dlp_20160914.auth
-rw-r-----  1 syslog adm     411 Sep 14 14:49 node01.srv.world_20160914.auth
 
Tweet