Ubuntu 16.04 LTS : Rsyslog : Output Logs to Remote Host : Server World

Rsyslog : Output Logs to Remote Host

2016/09/12

Configure Rsyslog to output logs to remote host.
This example based on environment below.

+----------------------+          |          +----------------------+
| [  Syslog Server   ] |10.0.0.30 | 10.0.0.51| [  Syslog Client   ] |
|    dlp.srv.world     +----------+----------+   node01.srv.world   |
|                      |                     |                      |
+----------------------+                     +----------------------+

[1]	Configure Log Managed Server to receive logs from client servers.

root@dlp:~#

vi /etc/rsyslog.conf

# line 22-23: uncomment

module(load="imtcp")
input(type="imtcp" port="514")

# specify senders you permit to access

$AllowedSender TCP, 127.0.0.1, 10.0.0.0/24, *.srv.world

root@dlp:~#

systemctl restart rsyslog

[2]	Configure Client Servers.

root@node01:~#

vi /etc/rsyslog.d/50-default.conf

# for exmaple, output logs for "auth,authpriv.*" to remote

auth,authpriv.*

@@dlp.srv.world:514

# add to the end (settings for when Rsyslog Server would be down)

$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1

root@node01:~#

systemctl restart rsyslog

[3]	After configuration of above, logs for kinds of authentication are recorded on Log Managed Server like follows.

root@dlp:~#

tail -30 /var/log/auth.log

Sep 11 09:28:17 dlp systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Sep 11 09:28:17 dlp login[2275]: ROOT LOGIN  on '/dev/ttyS0'
Sep 11 10:17:01 dlp CRON[2342]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 11 10:17:01 dlp CRON[2342]: pam_unix(cron:session): session closed for user root
Sep 11 14:26:57 node01 login[2527]: pam_unix(login:session): session closed for user ubuntu
Sep 11 14:26:57 node01 systemd-logind[2032]: Removed session 6.
Sep 11 14:26:57 node01 systemd: pam_unix(systemd-user:session): session closed for user ubuntu
Sep 11 14:27:03 node01 login[2611]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Sep 11 14:27:03 node01 systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Sep 11 14:27:03 node01 systemd-logind[2032]: New session 7 of user root.
Sep 11 14:27:03 node01 login[2658]: ROOT LOGIN  on '/dev/ttyS0'

[4]	If you'd like to separate logs for each Host, for each date, Configure like follows.

root@dlp:~#

vi /etc/rsyslog.d/50-default.conf

# add: define logfiles

$template Auth_log,"/var/log/auth.d/%fromhost%_%$year%%$month%%$day%.auth"

# add: specify logfiles defined above

auth,authpriv.*

-?Auth_log

root@dlp:~#

systemctl restart rsyslog

root@dlp:~#

ll /var/log/auth.d/

total 16
-rw-r-----  1 syslog adm     483 Sep 14 14:49 dlp_20160914.auth
-rw-r-----  1 syslog adm     411 Sep 14 14:49 node01.srv.world_20160914.auth