Rsyslog : Output Logs to Remote Host
2016/09/12
Configure Rsyslog to output logs to remote host.
This example is based on the environment below.

+----------------------+          |          +----------------------+
|   [ Syslog Server ]  |10.0.0.30 | 10.0.0.51|   [ Syslog Client ]  |
|    dlp.srv.world     +----------+----------+   node01.srv.world   |
|                      |          |          |                      |
+----------------------+          |          +----------------------+
[1] Configure the log management server (dlp) to receive logs from the client servers.

root@dlp:~# vi /etc/rsyslog.conf
# line 22-23: uncomment
module(load="imtcp")
input(type="imtcp" port="514")
# specify the senders you permit to access
$AllowedSender TCP, 127.0.0.1, 10.0.0.0/24, *.srv.world
root@dlp:~# systemctl restart rsyslog
[2] Configure the client servers.

root@node01:~# vi /etc/rsyslog.d/50-default.conf
# settings for when the Rsyslog server is down
# (legacy $Action* queue directives apply to the next action line,
#  so they must be placed before the forwarding rule they belong to)
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
# for example, output logs for "auth,authpriv.*" to the remote server (@@ = TCP)
auth,authpriv.* @@dlp.srv.world:514
root@node01:~# systemctl restart rsyslog
[3] After the configuration above, authentication logs from both hosts are recorded on the log management server as follows.

root@dlp:~# tail -30 /var/log/auth.log
Sep 11 09:28:17 dlp systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Sep 11 09:28:17 dlp login[2275]: ROOT LOGIN on '/dev/ttyS0'
Sep 11 10:17:01 dlp CRON[2342]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 11 10:17:01 dlp CRON[2342]: pam_unix(cron:session): session closed for user root
Sep 11 14:26:57 node01 login[2527]: pam_unix(login:session): session closed for user ubuntu
Sep 11 14:26:57 node01 systemd-logind[2032]: Removed session 6.
Sep 11 14:26:57 node01 systemd: pam_unix(systemd-user:session): session closed for user ubuntu
Sep 11 14:27:03 node01 login[2611]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Sep 11 14:27:03 node01 systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Sep 11 14:27:03 node01 systemd-logind[2032]: New session 7 of user root.
Sep 11 14:27:03 node01 login[2658]: ROOT LOGIN on '/dev/ttyS0'
[4] To keep a separate log file for each host and each date, configure as follows.

root@dlp:~# vi /etc/rsyslog.d/50-default.conf
# add: define the logfile name (%fromhost% = sending host, date from the server's clock)
$template Auth_log,"/var/log/auth.d/%fromhost%_%$year%%$month%%$day%.auth"
# add: write auth logs to the template defined above
auth,authpriv.* -?Auth_log
root@dlp:~# systemctl restart rsyslog
root@dlp:~# ll /var/log/auth.d/
total 16
-rw-r----- 1 syslog adm 483 Sep 14 14:49 dlp_20160914.auth
-rw-r----- 1 syslog adm 411 Sep 14 14:49 node01.srv.world_20160914.auth
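As an added example (not part of the original page), the following Python script parses aggregated auth.log lines in the format shown in [3], reports interactive ROOT LOGIN events per sending host, and derives the per-host, per-date file name that the Auth_log template in [4] would use. It assumes the log lines carry the short hostname (rsyslog's %fromhost% may instead resolve to the FQDN, as node01.srv.world in the listing) and approximates the template's date, which rsyslog takes from the server clock, with the message timestamp.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of /var/log/auth.log on the log server,
# mixing local (dlp) records with records forwarded from node01.
SAMPLE_AUTH_LOG = """\
Sep 11 09:28:17 dlp login[2275]: ROOT LOGIN on '/dev/ttyS0'
Sep 11 10:17:01 dlp CRON[2342]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 11 14:26:57 node01 login[2527]: pam_unix(login:session): session closed for user ubuntu
Sep 11 14:27:03 node01 login[2611]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Sep 11 14:27:03 node01 login[2658]: ROOT LOGIN on '/dev/ttyS0'
"""

# BSD syslog line: "Mon DD HH:MM:SS host tag: message" (day may be space padded)
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)


def parse_line(line, year):
    """Split one syslog line into fields; the year is not in the line, so it is passed in."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line: caller decides whether to skip or flag it
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "tag": m["tag"], "msg": m["msg"]}


def template_path(rec, base="/var/log/auth.d"):
    """Path the Auth_log template (%fromhost%_%$year%%$month%%$day%.auth) would write to.
    Approximation: host taken from the message, date from the message timestamp."""
    return f"{base}/{rec['host']}_{rec['ts']:%Y%m%d}.auth"


def root_logins_by_host(text, year=2016):
    """Count interactive 'ROOT LOGIN' console logins per sending host.
    On a central log server this is the quick check for root logins on remote nodes."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line, year)
        if rec is not None and "ROOT LOGIN" in rec["msg"]:
            counts[rec["host"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(root_logins_by_host(SAMPLE_AUTH_LOG))
```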