rsyslog

rsyslog is the default logging daemon on Debian-based and Red Hat-based distributions. It is an extended implementation of the original syslog daemon (syslogd): it understands the same protocol and configuration syntax, but adds flexible configuration, rich filtering (including content-based filtering) and reliable transports such as TCP and RELP. Just like syslogd, the rsyslogd daemon gathers log messages from programs and servers and directs them to local log files, devices, or remote logging hosts.

rsyslog is configured using two configuration files. The first one is /etc/rsyslog.conf:

[screenshot: /etc/rsyslog.conf]

As the screenshot above shows, rsyslog.conf has a Modules section that lets you load, or leave out, specific features (input, output and processing modules) of the rsyslog service:

[screenshot: /etc/rsyslog.conf, Modules section]

Entries beginning with $ModLoad load the module named after the directive (for example, $ModLoad imuxsock loads the input module that reads from the local /dev/log socket). Modules that are currently disabled are commented out with a leading #. $ModLoad is the legacy syntax; newer rsyslog versions also accept the module(load="imuxsock") form, and both styles may appear in the same file.

The rsyslog.conf file also contains a set of global directives, such as $FileOwner, which sets the owner of newly created log files, $FileGroup, which sets their group, $FileCreateMode, which sets their permission bits, and $IncludeConfig, which pulls in every configuration file from the specified directory (typically /etc/rsyslog.d/*.conf). These directives decide who can read the logs, so keep the create mode restrictive (for example 0640) rather than world-readable:

[screenshot: /etc/rsyslog.conf, global directives]

On Ubuntu, the rsyslog.conf file pulls in /etc/rsyslog.d/50-default.conf through $IncludeConfig. This file defines the default logging rules (on Red Hat-based systems the equivalent rules live in /etc/rsyslog.conf itself). Its rule syntax is the same as that of syslog.conf:

[screenshot: /etc/rsyslog.d/50-default.conf]

Logging is specified with rule entries. Each line consists of a selector (facility.priority) and an action, separated by whitespace. For example, consider the following line:

kern.alert  /var/log/kern.log

The rule above sends every message from the kern facility with priority alert or higher (that is, alert and emerg) to /var/log/kern.log. The priorities, from highest to lowest, are emerg, alert, crit, err, warning, notice, info and debug; a plain priority name in a selector always means "this priority and everything more urgent".

To direct messages to a remote log host, prefix the hostname of the log host with the @ character. For example, to send the messages from the example above to the remote server suse1, we would use the following line:

kern.alert  @suse1

A single @ sends the messages over UDP to port 514: delivery is not guaranteed, the content travels in plain text, and the source address is trivially spoofable. Writing @@ instead of @ sends over TCP, and rsyslog can additionally protect the TCP stream with TLS or use RELP for reliable delivery. For logs with any security value, prefer @@ with TLS, and make sure the receiving host actually listens for the chosen transport (the imudp or imtcp module must be loaded there).

Here is another example:

mail.*  /var/log/mail

The line above sends every message from the mail facility, at any priority, to the /var/log/mail file. Note that the facility is chosen by the sending program, so any local process that can write to /dev/log can label its messages with whatever facility it likes; filtering by facility organizes logs, but it is not a trust boundary.

Some messages may be handled by multiple rules. For instance, another rule might look like this one:

*.emerg  *

This line sends every emerg-level message to the terminals of all users who are logged in (the same mechanism as the wall command). Rules are not exclusive: each message is checked against every rule, and every matching action runs. If this line and the earlier mail.* selector are both present, an emerg-level message from the mail facility is written to /var/log/mail and also displayed on users' terminals.
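The following is an added example, not code from the original article or from the rsyslog project. It models the classic syslog.conf selector semantics described above (a plain priority meaning "this priority and higher", *, none, =prio, !prio, and comma/semicolon lists), decodes the <PRI> prefix that carries facility and severity on the wire, and shows that one message can trigger several actions. The rule set and the sample messages are constructed for illustration, and actions are returned as strings instead of being written anywhere.

```python
"""Model of rsyslog/syslog.conf selector matching (added example, not rsyslog code).

Re-implements the sysklogd-style selector semantics and the PRI encoding
(PRI = facility * 8 + severity, RFC 3164/5424).  Rules and messages below
are constructed for illustration.
"""
import re

FACILITY = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
# Severity numbers: 0 is the most urgent, so "alert and higher" means {0, 1}.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
ALL_FACILITIES = range(24)   # 24 facility codes exist on the wire


def parse_selector(sel):
    """'kern,mail.alert' -> ([0, 2], 'alert')."""
    fac_part, prio = sel.rsplit(".", 1)
    facs = list(ALL_FACILITIES) if fac_part == "*" else [FACILITY[f] for f in fac_part.split(",")]
    return facs, prio


def severity_table(selector_field):
    """Build {facility number: set of accepted severities} for one rule.

    Selectors separated by ';' apply left to right, later ones overriding
    earlier ones for the facilities they name; that is why
    '*.info;mail.none' means 'everything at info or higher, except mail'.
    """
    table = {f: set() for f in ALL_FACILITIES}
    for sel in selector_field.split(";"):
        facs, prio = parse_selector(sel.strip())
        for f in facs:
            if prio == "*":
                table[f] = set(range(8))
            elif prio == "none":
                table[f] = set()
            elif prio.startswith("!="):          # exclude exactly this severity
                table[f] -= {SEVERITY[prio[2:]]}
            elif prio.startswith("!"):           # exclude this severity and higher
                table[f] -= set(range(SEVERITY[prio[1:]] + 1))
            elif prio.startswith("="):           # exactly this severity
                table[f] = {SEVERITY[prio[1:]]}
            else:                                # this severity and higher
                table[f] = set(range(SEVERITY[prio] + 1))
    return table


def parse_rules(conf):
    """Parse 'selector  action' lines, skipping blanks and comments."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) != 2:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append((severity_table(parts[0]), parts[1]))
    return rules


def decode_pri(raw):
    """Split a message's leading <PRI> into (facility, severity, rest).

    PRI values above 191 (facility 23, severity 7) are invalid.
    """
    m = re.match(r"<(\d{1,3})>(.*)", raw, re.S)
    if not m or int(m.group(1)) > 191:
        raise ValueError(f"malformed PRI in: {raw!r}")
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


def route(rules, raw):
    """Return every action whose selector matches, in config order.

    A message may match several rules (e.g. 'mail.*' and '*.emerg');
    each matching action runs, processing does not stop at the first hit.
    """
    fac, sev, _ = decode_pri(raw)
    return [action for table, action in rules if sev in table[fac]]


# Constructed rule set mirroring the article's examples (not a real 50-default.conf).
EXAMPLE_RULES = """
kern.alert      /var/log/kern.log
mail.*          /var/log/mail
*.emerg         *
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*      /var/log/secure
"""

# Constructed sample messages; the <PRI> prefix is what a real sender emits.
SAMPLES = {
    "kern_alert": "<1>Jan 10 10:00:00 host kernel: memory corruption detected",    # kern(0)*8+alert(1)
    "kern_info": "<6>Jan 10 10:00:01 host kernel: usb 1-1: new device",            # kern(0)*8+info(6)
    "mail_emerg": "<16>Jan 10 10:00:02 host postfix: queue filesystem full",       # mail(2)*8+emerg(0)
    "auth_crit": "<34>Jan 10 10:00:03 host su: 'su root' failed for bob",          # auth(4)*8+crit(2)
    "authpriv_notice": "<85>Jan 10 10:00:04 host sshd: Accepted publickey for bob", # authpriv(10)*8+notice(5)
}


def demo():
    """Route each sample through the example rules; returns {name: [actions]}."""
    rules = parse_rules(EXAMPLE_RULES)
    return {name: route(rules, raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, actions in demo().items():
        print(f"{name:16} -> {actions}")
```

Running it shows the mail emergency landing in both /var/log/mail and on every terminal (*), the kernel alert going to kern.log and messages, and authpriv traffic kept out of messages by the authpriv.none override. The '!' forms are included because real default files use them to carve exceptions out of a catch-all rule.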


After changing the configuration files, check them for syntax errors with sudo rsyslogd -N1 (which validates the configuration without starting the daemon), then restart the service with sudo systemctl restart rsyslog, or sudo service rsyslog restart on older init systems. Until the restart, rsyslog keeps running with the old rules.
Geek University 2022