Syslog Server with rsyslog and logrotate

Posted on February 15 2022 under networking, troubleshooting, and linux

  1. Install rsyslog if it isn’t already: dnf install rsyslog
  2. Create the destination directory: mkdir /var/log/syslog
    • It should be owned by root:root
  3. Drop remote.conf into /etc/rsyslog.d
  4. Drop syslog-remote into /etc/logrotate.d
  5. Ensure the transports you want to use are uncommented in /etc/rsyslog.conf
  6. Restart the service: systemctl restart rsyslog
  7. Ensure your firewall rules allow the traffic:
    • firewall-cmd --permanent --zone=<zone> --add-service=syslog
    • firewall-cmd --reload
    • The default syslog service rule only includes 514/udp; edit /etc/firewalld/services/syslog.xml or add a custom rule if you need to use TCP or TLS

remote.conf

# One file per sending host, named after the resolved source hostname
template(name="RemoteFileName" type="string" string="/var/log/syslog/%FROMHOST%/messages.log")
# Line layout: rfc3339 timestamp, sending host, message body, newline
template(name="RemoteFileFormat" type="list") {
    property(name="timereported" dateFormat="rfc3339")
    constant(value=" ")
    property(name="fromhost")
    property(name="msg" spifno1stsp="on")
    property(name="msg" droplastlf="on")
    constant(value="\n")
}
# Anything not from the local host goes to the per-host file and is then
# discarded so later rules in rsyslog.conf do not process it again
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteFileName;RemoteFileFormat
& ~
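
As an added example, not part of the original post: a small Python script that parses lines in the RemoteFileFormat layout above (rfc3339 timestamp, sending host, message) and reports hosts that have gone quiet, which is the first thing to check when a source stops reaching the collector. The sample lines and the one-hour threshold are constructed; in practice the lines come from /var/log/syslog/*/messages.log.

```python
# Added example: parse lines written by the RemoteFileFormat template
# (rfc3339 timestamp, sending host, message) and report hosts whose newest
# entry is older than a threshold, so a silent log source gets noticed.
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the template's layout (not real log data).
SAMPLE_LINES = [
    "2022-02-15T10:00:01+00:00 web01 Accepted publickey for deploy from 10.0.0.5",
    "2022-02-15T10:05:00+00:00 db01 Out of memory: Killed process 1234",
    "2022-02-15T11:58:30+00:00 web01 Session closed for user deploy",
]


def parse_line(line):
    """Split one RemoteFileFormat line into (timestamp, host, msg).

    Raises ValueError on a malformed line (too few fields or a bad timestamp).
    """
    ts, host, msg = line.rstrip("\n").split(" ", 2)
    return datetime.fromisoformat(ts), host, msg


def stale_hosts(lines, now, max_silence):
    """Return sorted hosts whose last message is older than max_silence at now.

    'now' must be timezone-aware because the rfc3339 timestamps carry offsets.
    """
    last_seen = {}
    for line in lines:
        try:
            ts, host, _ = parse_line(line)
        except ValueError:
            continue  # skip malformed lines rather than abort the whole scan
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    return sorted(h for h, ts in last_seen.items() if now - ts > max_silence)


if __name__ == "__main__":
    check_time = datetime(2022, 2, 15, 12, 0, tzinfo=timezone.utc)
    print(stale_hosts(SAMPLE_LINES, check_time, timedelta(hours=1)))  # ['db01']
```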

syslog-remote

# One file per remote host, matched by the wildcard on the host directory
/var/log/syslog/*/messages.log
{
    maxsize 10M
    rotate 10
    missingok
    compress
    delaycompress
    sharedscripts
    # HUP makes rsyslog close and reopen its output files after rotation
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}