2. Syslog
• Syslog is flexible. It lets administrators sort messages by source (“facility”) and importance (“severity level”) and route them to a variety of destinations: log files, users’ terminals, or even other machines.
• It can accept messages from a wide variety of sources, examine the attributes of the messages, and even modify their contents.
• Its ability to centralize the logging for a network is one of its most valuable features.
• On Linux systems, the original syslog daemon (syslogd) has been replaced with a newer implementation called rsyslog (rsyslogd).
• Rsyslog is also available for FreeBSD.
3. Reading syslog messages
• You can read plaintext messages from syslog with normal UNIX and Linux text-processing tools such as grep, less, cat, and awk.
• The snippet below shows typical events in /var/log/syslog from a Debian host:
    # cat /var/log/syslog
• Each message contains the following space-separated fields:
  • Time stamp
  • System’s hostname
  • Name of the process and its PID in square brackets
  • Message payload
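The four fields above are easy to eyeball but slightly awkward to split reliably (the day of month is space-padded, and not every process reports a PID). The following Python parser is an added example, not code from the slides or from the rsyslog project: it splits lines in the traditional /var/log/syslog format into those fields and produces the per-process counts one would otherwise build with grep and awk. The sample lines are constructed for the example and describe no real host.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Traditional (BSD-style) line as written to /var/log/syslog:
#   "Mar  5 10:15:32 web01 sshd[2241]: Accepted publickey ..."
# The day of month is space-padded, so single-digit days carry two spaces.
SYSLOG_LINE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<process>[^\[:\s]+)"          # tag, e.g. sshd, CRON, postfix/smtpd
    r"(?:\[(?P<pid>\d+)\])?: ?"        # optional [PID], then the colon
    r"(?P<message>.*)$"
)


@dataclass(frozen=True)
class SyslogRecord:
    timestamp: str
    hostname: str
    process: str
    pid: Optional[int]      # None when the process did not report a PID (e.g. kernel)
    message: str


def parse_line(line: str) -> Optional[SyslogRecord]:
    """Split one syslog line into its fields; return None if it does not fit the format."""
    m = SYSLOG_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    pid = m.group("pid")
    return SyslogRecord(
        timestamp=m.group("timestamp"),
        hostname=m.group("hostname"),
        process=m.group("process"),
        pid=int(pid) if pid is not None else None,
        message=m.group("message"),
    )


def parse_lines(text: str) -> list:
    """Parse every line that matches; lines that do not fit the format are skipped."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def count_by_process(records) -> Counter:
    """Event count per process name, the kind of summary usually built with awk."""
    return Counter(rec.process for rec in records)


# Constructed sample lines in the Debian /var/log/syslog format; not real host data.
SAMPLE_LOG = """\
Mar  5 10:15:32 web01 sshd[2241]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Mar  5 10:15:33 web01 systemd[1]: Started Session 12 of user deploy.
Mar  5 10:16:01 web01 CRON[2260]: (root) CMD (/usr/local/bin/backup.sh)
Mar 15 10:16:07 web01 kernel: [ 4821.551] usb 1-1: new high-speed USB device number 4
this line is not in syslog format and is skipped
"""

if __name__ == "__main__":
    records = parse_lines(SAMPLE_LOG)
    for rec in records:
        print(f"{rec.timestamp} {rec.hostname} {rec.process} pid={rec.pid}: {rec.message}")
    print(count_by_process(records))
```

Feeding the real file is a matter of `parse_lines(open("/var/log/syslog").read())`; the kernel line shows why the PID field has to be optional, and the last sample line shows that anything outside the format is dropped rather than mis-parsed.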
4. Rsyslog architecture
• Think of log messages as a stream of events and of rsyslog as an event-stream processing engine.
• Log message “events” are submitted as inputs, processed by filters, and forwarded to output destinations.
• In rsyslog, each of these stages is configurable and modular. By default, rsyslog is configured in /etc/rsyslog.conf.
• If you modify /etc/rsyslog.conf or any of its included files, you must restart the rsyslogd daemon to make your changes take effect.
• A TERM signal makes the daemon exit. A HUP signal causes rsyslogd to close all open log files, which is useful for rotating (renaming and restarting) logs.
5. Rsyslog versions
• Red Hat and CentOS use rsyslog version 7, but Debian and Ubuntu have updated to version 8. FreeBSD users installing from ports can choose either version 7 or version 8.
• Rsyslog 8 is a major rewrite of the core engine, and although a lot has changed under the hood for module developers, the user-facing aspects remain mostly unchanged.
• Rsyslog configuration
• rsyslogd’s behavior is controlled by the settings in /etc/rsyslog.conf.
• These lines specify which input modules to load, the default format of messages, ownerships and permissions of files, the working directory in which to maintain rsyslog’s state, and other settings.
    # Support local system logging
    $ModLoad imuxsock
    # Support kernel logging
    $ModLoad imklog
6. Rsyslog modules
• imjournal integrates with the systemd journal.
• imuxsock reads messages from a UNIX domain socket.
• imklog understands how to read kernel messages on Linux and BSD.
• imfile converts a plain text file to syslog message format.
• imtcp and imudp accept network messages over TCP and UDP.
• If the immark module is present, rsyslog produces time stamp messages at regular intervals.
• omfile writes messages to a file.
• omfwd forwards messages to a remote syslog server over TCP or UDP.
• omkafka is a producer implementation for the Apache Kafka data streaming engine.
• ommysql sends messages to a MySQL database.
7. Rsyslog understands three configuration syntaxes:
• Lines that use the format of the original syslog configuration file. This format is now known as “sysklogd format,” after the kernel logging daemon sysklogd. It’s simple and effective but has some limitations. Use it to construct simple filters.
• Legacy rsyslog directives, which always begin with a $ sign. Not all options have been converted to the newer syntax, so this syntax remains authoritative for certain features.
• RainerScript, named for Rainer Gerhards, the lead author of rsyslog. This is a scripting syntax that supports expressions and functions.
8. sysklogd syntax
• The sysklogd syntax is the traditional syslog configuration format.
• This format is primarily intended for routing messages of a particular type to a desired destination file or network address. The basic format is
    selector action
• Selectors identify the source program (“facility”) that is sending a log message and the message’s priority level (“severity”) with the syntax
    facility.severity
    # All facilities at the given severity level
    *.level action
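To make the selector semantics concrete, here is an added Python example (not from the slides or from the rsyslog project) that parses sysklogd-format rules and answers the question “which actions receive a message of facility X at severity Y?”. It implements the `*` wildcard, comma-separated facility lists, the `none` keyword and the rule that a named severity means that level or more severe, with the last selector naming a facility taking precedence; the `=` and `!` modifiers are left out. The facility and severity tables are the standard syslog codes, and the configuration text is constructed for the example, modelled on a Debian-style rsyslog.conf.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Facility and severity names with their syslog codes (as in <syslog.h> / RFC 5424).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}


@dataclass(frozen=True)
class Selector:
    facilities: Optional[FrozenSet[str]]   # None means "*" (every facility)
    severity: str                           # a level name, "*" or "none"


@dataclass(frozen=True)
class Rule:
    selectors: Tuple[Selector, ...]
    action: str


def parse_selector(text: str) -> Selector:
    """Parse 'facility[,facility...].severity' as written in sysklogd format."""
    fac_part, sev_part = text.rsplit(".", 1)
    if fac_part == "*":
        facilities = None
    else:
        facilities = frozenset(fac_part.split(","))
        unknown = facilities - set(FACILITIES)
        if unknown:
            raise ValueError(f"unknown facility: {sorted(unknown)}")
    if sev_part not in SEVERITIES and sev_part not in ("*", "none"):
        raise ValueError(f"unknown severity: {sev_part}")
    return Selector(facilities, sev_part)


def parse_rule(line: str) -> Rule:
    """Parse one 'selector[;selector...]  action' line."""
    parts = line.split(None, 1)
    if len(parts) != 2:
        raise ValueError(f"rule needs a selector and an action: {line!r}")
    selectors = tuple(parse_selector(s) for s in parts[0].split(";"))
    return Rule(selectors, parts[1].strip())


def parse_config(text: str) -> List[Rule]:
    """Parse a sysklogd-format configuration, skipping blank and comment lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rules.append(parse_rule(line))
    return rules


def rule_matches(rule: Rule, facility: str, severity: str) -> bool:
    """sysklogd semantics: a selector's level means that level *or more severe*,
    and among the selectors naming a facility the last one wins, so
    'auth,authpriv.none' after '*.*' removes those facilities from the rule."""
    threshold = None
    for sel in rule.selectors:
        if sel.facilities is None or facility in sel.facilities:
            threshold = sel.severity
    if threshold is None or threshold == "none":
        return False
    if threshold == "*":
        return True
    return SEVERITIES[severity] <= SEVERITIES[threshold]   # lower code = more severe


def route(rules: List[Rule], facility: str, severity: str) -> List[str]:
    """Every action that would receive a message with this facility.severity."""
    return [r.action for r in rules if rule_matches(r, facility, severity)]


# Constructed rules modelled on a Debian-style rsyslog.conf; not taken from the slides.
# A leading "-" on a file action means buffered writes (no sync after each message).
SAMPLE_CONF = """
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
mail.err                        /var/log/mail.err
*.emerg                         :omusrmsg:*
"""

if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONF)
    for fac, sev in [("authpriv", "notice"), ("mail", "info"), ("mail", "crit"), ("kern", "emerg")]:
        print(f"{fac}.{sev:<8} -> {route(rules, fac, sev)}")
```

The useful check for a defender is the negative case: `mail.info` is not written to mail.err because `err` only admits err and above, and `authpriv` events never land in the general syslog file because the later `.none` selector overrides the `*.*` in the same rule.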
10. Legacy directives
• Legacy directives can configure all aspects of rsyslog, including global daemon options, modules, filtering, and rules.
• These directives are most commonly used to configure modules and the rsyslogd daemon itself.
11. RainerScript
• The RainerScript syntax is an event-stream-processing language with filtering and control-flow capabilities.
• RainerScript is more expressive and human-readable than rsyslogd’s legacy directives, but it has an unusual syntax that’s unlike any other configuration system.
• Of our example distributions, only Ubuntu uses RainerScript in its default configuration files.
• You can also load modules and set their operating parameters through RainerScript:
    module(load="imudp")
    input(type="imudp" port="514")
    module(load="imtcp" KeepAlive="on")
    input(type="imtcp" port="514")
12. • In RainerScript, modules have both “module parameters” and “input parameters.”
• A module is loaded only once, and a module parameter (e.g., the KeepAlive option in the imtcp module above) applies to the module globally.
• By contrast, input parameters can be applied to the same module multiple times.