Rsyslog

From TheBeard Science Project Wiki
packages:
	rsyslog

daemons:
	rsyslogd

other:
	rsyslogd creates the socket /dev/log

logfiles:
	boot.log - daemon startup during system init
	cron - cron and atd daemons
	dmesg - system hardware detection
	maillog - sendmail
	secure - network access such as sshd and xinetd
	wtmp - history of all login sessions
	rpmpkgs,yum.log - list of packages installed by rpm
	xferlog - ftp log
	Xorg.0.log,XFree86 - X Window System
	lastlog - list of users and the time they last logged in. binary, so it must be read with the 'lastlog' command
	messages - important messages generated during and after system init

configs:
	/etc/rsyslog.conf - config file
	/etc/rsyslog.d/ - contains extra configs

args:
	* = wildcard
	; = separates several selectors in one rule
	<facility>.<priority> /path/logfile - writes the matching message(s) into logfile. the destination can be a file or a remote syslog host written as @host:port (default port 514)
		facility - the subsystem a message comes from. several facilities can be comma separated.
			kern - kernel messages
			news - news daemon
			auth - login, getty, su, etc.
			security - same as auth
			authpriv - network login
			cron
			daemon - system daemons such as ftp
			lpr - printing system
			mail - sendmail
			mark - timestamps used by rsyslog. internal only
			syslog
			user - messages from user processes
			uucp - Unix to Unix Copy daemon
			local0 through local7 - free for site-specific use
		priority (listed from least to most serious; a bare priority selects that level and everything more serious than it)
			debug - the lowest level, so selecting it means all messages
			info - normal messages
			notice - notice messages. not an error
			warning,warn - warning messages. might be error, but not system critical
			error,err - error messages. generic
			crit - critical messages. such as disk failure.
			alert - alert messages. must be dealt with immediately such as system database corruption
			emerg,panic - serious messages. things normally broadcast to all users.
		format
			=warning - only the warning priority, not the more serious ones above it
			!=warn - removes the warning priority from the selector(s) before it
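To see exactly which messages a rule line picks up, here is a small matcher for the facility.priority selector syntax described above. It is an added example written for this page, not code from the wiki or from rsyslog, and it implements the sysklogd/rsyslog selector semantics: a bare priority means that level and everything more serious, '=' means exactly that level, '!' removes that level and everything more serious, '!=' removes exactly that level, 'none' removes everything, '*' selects everything, and selectors joined with ';' are applied left to right, so a later selector overrides an earlier one for the facilities it names. The rule strings in the demo are constructed.

```python
# Added example, not from the wiki page or from rsyslog: a matcher for classic
# facility.priority selectors so a rule can be checked without restarting rsyslogd.

# Numeric codes as used in the syslog PRI field (facility * 8 + severity).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
FACILITY_ALIASES = {"security": "auth"}  # 'security' is the deprecated name for auth

# Lower number = more serious, so "warning and above" is every level <= 4.
PRIORITIES = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7,
}
ALL_LEVELS = frozenset(range(8))


def parse_priority(spec):
    """Return (select, levels): the severity numbers a priority spec names and
    whether they are added to (True) or removed from (False) the rule."""
    spec = spec.strip()
    if spec == "*":
        return True, set(ALL_LEVELS)
    if spec == "none":
        return False, set(ALL_LEVELS)
    select = not spec.startswith("!")     # '!' and '!=' are exclusions
    spec = spec.lstrip("!")
    exact = spec.startswith("=")          # '=' means this single level only
    spec = spec.lstrip("=")
    if spec not in PRIORITIES:
        raise ValueError(f"unknown priority: {spec!r}")
    level = PRIORITIES[spec]
    levels = {level} if exact else {n for n in ALL_LEVELS if n <= level}
    return select, levels


def parse_rule(line):
    """Parse one rule line such as '*.info;mail.none /var/log/messages' into
    ({facility: set of selected severity numbers}, action)."""
    selectors, action = line.split(None, 1)
    masks = {}
    for selector in selectors.split(";"):
        fac_part, prio_part = selector.rsplit(".", 1)
        select, levels = parse_priority(prio_part)
        names = list(FACILITIES) if fac_part == "*" else [f.strip() for f in fac_part.split(",")]
        for name in names:
            name = FACILITY_ALIASES.get(name, name)
            if name not in FACILITIES:
                raise ValueError(f"unknown facility: {name!r}")
            mask = masks.setdefault(name, set())
            if select:
                mask |= levels            # later selectors extend...
            else:
                mask -= levels            # ...or cut down what earlier ones selected
    return masks, action.strip()


def rule_matches(line, facility, priority):
    """True if a message with these facility and priority names is selected by the rule."""
    masks, _ = parse_rule(line)
    facility = FACILITY_ALIASES.get(facility, facility)
    return PRIORITIES[priority] in masks.get(facility, set())


if __name__ == "__main__":
    rule = "*.info;mail.none;authpriv.none;cron.none  /var/log/messages"   # constructed rule
    for fac, prio in [("kern", "warning"), ("kern", "debug"), ("mail", "crit"), ("security", "info")]:
        print(f"{fac}.{prio:<8} -> {rule_matches(rule, fac, prio)}")
```

The useful check this gives you is the interaction between selectors: with `*.info;mail.none` a mail message never reaches the file no matter how serious it is, and `kern.info;kern.!err` keeps info, notice and warning while dropping err and above. That is the behaviour to confirm before relying on a rule to capture security-relevant events such as authentication failures.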

log server:
	on the server, open /etc/rsyslog.conf and uncomment the lines containing:
		$ModLoad
		$UDPServerRun
		$InputTCPServerRun
	on the client, open /etc/rsyslog.conf and add a line similar to:
		auth.info @server:514
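What the client line `auth.info @server:514` actually puts on the wire, and how the server side takes it apart, can be shown in a few lines. The following is an added example written for this page, not rsyslog code: a UDP listener bound to 127.0.0.1 on an ephemeral port stands in for the server side that `$UDPServerRun 514` would enable (port 514 itself needs root), and the sender builds the datagram by hand in the BSD syslog form `<PRI>Mmm dd hh:mm:ss host tag: text`, where PRI is facility * 8 + severity. A single `@` in rsyslog means UDP; `@@host:port` selects TCP. The hostname `client1`, the tag and the message text are constructed.

```python
# Added example, not from the wiki page or from rsyslog: both sides of a UDP syslog
# exchange on loopback, to show the PRI encoding behind 'auth.info @server:514'.
import socket
import time

FACILITY_CODES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
                  "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
                  **{f"local{i}": 16 + i for i in range(8)}}
SEVERITY_CODES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                  "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITY_CODES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITY_CODES.items()}


def build_datagram(facility, severity, hostname, tag, text, when=None):
    """Encode one BSD-syslog message: '<PRI>Mmm dd hh:mm:ss host tag: text'.
    PRI packs facility and severity into one number: facility * 8 + severity."""
    pri = FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]
    t = time.localtime(when)
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{pri}>{stamp} {hostname} {tag}: {text}".encode()


def decode_datagram(data):
    """Split the PRI back into facility and severity names; the rest is the message."""
    text = data.decode(errors="replace")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("missing <PRI> prefix")
    pri_str, rest = text[1:].split(">", 1)
    pri = int(pri_str)
    return {"facility": FACILITY_NAMES[pri // 8],
            "severity": SEVERITY_NAMES[pri % 8],
            "message": rest}


def send_and_receive(facility="auth", severity="info",
                     text="Accepted publickey for alice from 192.0.2.10 port 50022"):
    """Run both sides of the exchange on loopback and return the server's decoded view."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    server.settimeout(2.0)
    port = server.getsockname()[1]
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # constructed sample: what sshd's 'auth.info' message would look like from host client1
        client.sendto(build_datagram(facility, severity, "client1", "sshd[1234]", text),
                      ("127.0.0.1", port))
        data, (peer_ip, _) = server.recvfrom(2048)
    finally:
        client.close()
        server.close()
    decoded = decode_datagram(data)
    decoded["raw"] = data.decode()
    decoded["peer"] = peer_ip              # the only sender identity UDP gives you: the source IP
    return decoded


if __name__ == "__main__":
    print(send_and_receive())
```

Note what the server does not get: the hostname field is whatever the client wrote, the datagram carries no authentication, and the source address is all UDP offers to tell senders apart. When logs cross a network you do not fully control, restrict which hosts the server accepts from, prefer the TCP input (`$InputTCPServerRun`, reached with `@@host:port` on the client) and rsyslog's TLS support for it, and treat the syslog hostname as a claim rather than a fact when correlating events.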

log management:
	clear a log by truncating it in place with ">/log/file", a redirection with no command in front of it. do not delete the file: a recreated file may end up with the wrong permissions.
	it is best to save a backup of a log before clearing it.

logrotate:
	/etc/logrotate.conf - config file
	/etc/logrotate.d/ - contains extra config files
	logrotate would rename test.log to test.log.YYYYMMDD

	args:
		rotate 4 - keep 4 weeks' worth of backlogs (4 rotated copies)
		postrotate - runs the commands that follow once the log has been rotated
			[script]
		endscript
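The two pieces of log management above (back up, then clear in place rather than delete; keep a fixed number of dated copies; run something afterwards) fit together in one routine. The following is an added example written for this page and not logrotate's own code. It takes a dated backup first, empties the original file in place, which is what `>/log/file` does in the shell and which keeps the same inode, owner and mode so rsyslogd's already-open file descriptor keeps working, then prunes everything but the newest `keep` backups (the page's `rotate 4`) and calls an optional hook in the place of a postrotate/endscript block. Note that logrotate's default mode renames the file instead and relies on the postrotate script to make the daemon reopen its files; what is shown here corresponds to logrotate's copytruncate option. The `demo()` function builds its log file, its four pre-existing backups and the date stamps in a temporary directory; all of that is constructed.

```python
# Added example, not from the wiki page and not logrotate's code: copy-and-truncate
# rotation with a retention count and a postrotate-style hook.
import os
import shutil
import tempfile
import time


def rotate_log(path, keep=4, stamp=None, postrotate=None):
    """Back up `path` to path.YYYYMMDD, truncate it in place, prune old backups, run hook."""
    stamp = stamp or time.strftime("%Y%m%d")
    backup = f"{path}.{stamp}"
    before = os.stat(path)
    shutil.copy2(path, backup)             # backup first; copy2 keeps mode and mtime
    with open(path, "r+b") as fh:          # open without O_TRUNC, then cut to zero length:
        fh.truncate(0)                     # same inode, same permissions, open fds still valid
    directory = os.path.dirname(path) or "."
    base = os.path.basename(path) + "."
    dated = sorted(name for name in os.listdir(directory)
                   if name.startswith(base) and name[len(base):].isdigit())
    removed = []
    for old in (dated[:-keep] if keep > 0 else dated):   # YYYYMMDD sorts oldest first
        os.remove(os.path.join(directory, old))
        removed.append(old)
    if postrotate is not None:             # stands in for postrotate ... endscript
        postrotate(path)
    after = os.stat(path)
    return {
        "backup": backup,
        "removed": removed,
        "same_inode": before.st_ino == after.st_ino,
        "same_mode": before.st_mode == after.st_mode,
        "size_after": after.st_size,
    }


def demo():
    """Rotate a constructed log that already has four older backups and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "test.log")
        with open(log, "w") as fh:         # constructed sample line
            fh.write("Jan  1 00:00:01 host sshd[1]: Accepted publickey for alice\n")
        os.chmod(log, 0o600)               # typical permission for a sensitive log
        for day in ("20240101", "20240102", "20240103", "20240104"):
            with open(f"{log}.{day}", "w") as fh:
                fh.write(f"old log from {day}\n")
        hook_calls = []
        result = rotate_log(log, keep=4, stamp="20240105", postrotate=hook_calls.append)
        with open(result["backup"]) as fh:
            result["backup_text"] = fh.read()
        result["remaining"] = sorted(n for n in os.listdir(tmp) if n != "test.log")
        result["hook_called"] = hook_calls == [log]
        result["mode"] = oct(os.stat(log).st_mode & 0o777)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the oldest backup (`test.log.20240101`) being removed, the new `test.log.20240105` holding the saved content, the live file at zero bytes with its inode and 0600 mode unchanged, and the hook called once with the log path. The short window between the copy and the truncate is the known weakness of copy-and-truncate: lines written in that moment are lost, which is why the rename-plus-reopen approach is preferred where the daemon can be signalled.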