[rsyslog] Fwd: rsyslog local6 DB logging & forwarding

David Lang david at lang.hm
Wed Jan 25 18:56:16 CET 2017


On Fri, 20 Jan 2017, Denis Dolinský via rsyslog wrote:

> thanks a lot for fast reply. Well what I understood is that local6 config
> for DB is working as I was able to catch DB logs via tcpdump.
> My question might be, is *.* forwarding all the logs from all the local*
> facilities ?

*.* will forward all logs that rsyslog is processing (unless there has been a 
directive earlier in the config to stop processing a specific log)

it sounds as if what you are referring to as 'local6' logs are arriving from a 
remote system. Are you sure that rsyslog is actually receiving those logs? It's 
possible that you have an iptables rule or something else that is preventing 
those logs from getting to rsyslog, even if you see them via tcpdump.

> Why is it working with local5 and not with local6 ? where exactly might be
> local5 etc config ?
> I don't need DB logs to be stored locally, just need to forward them to
> SIEM (there are too many - approx. 80 EPS)
>
> here's rsyslog.conf

trimming out most comments and blank lines

> $ModLoad immark.so     # provides --MARK-- message capability (every 1 hour)
> $MarkMessagePeriod     3600
>
> $ModLoad imuxsock.so   # provides support for local system logging (e.g. via logger command)
>                        # reduce duplicate log messages (last message repeated n times)
> $RepeatedMsgReduction on

just a note that this is probably not a great idea. It can be useful if a human 
is reading the logs, but automated log processors do much better at spotting 
problems if they have 100 logs rather than one log and then another log that 
says "last message repeated 99 times"

> $ModLoad imklog.so     # kernel logging (may be also provided by /sbin/klogd),
>
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>
> $IncludeConfig /var/run/rsyslog/additional-log-sockets.conf

what's in this config?

> $IncludeConfig /etc/rsyslog.d/*.conf

what's in these configs?

> if      ( \
>            /* kernel up to warning except of firewall  */ \
>            ($syslogfacility-text == 'kern')      and      \
>            ($syslogseverity <= 4 /* warning */ ) and not  \
>            ($msg contains 'IN=' and $msg contains 'OUT=') \
>        ) or ( \
>            /* up to errors except of facility authpriv */ \
>            ($syslogseverity <= 3 /* errors  */ ) and not  \
>            ($syslogfacility-text == 'authpriv')           \
>        ) \
> then    /dev/tty10
> &       |/dev/xconsole
>
> # Emergency messages to everyone logged on (wall)
>
> *.emerg                                  :omusrmsg:*
>
> if      ($syslogfacility-text == 'kern') and \
>        ($msg contains 'IN=' and $msg contains 'OUT=') \
> then    -/var/log/firewall
> &       ~

a better way to do this would be:

then {
   /var/log/firewall
   stop
}

the - isn't needed because everything in rsyslog is async

> if      ($programname == 'acpid' or $syslogtag == '[acpid]:') and \
>        ($syslogseverity <= 5 /* notice */) \
> then    -/var/log/acpid
> &       ~
>
> if      ($programname == 'NetworkManager') or \
>        ($programname startswith 'nm-') \
> then    -/var/log/NetworkManager
> &       ~
>
> mail.*                                  -/var/log/mail
> mail.info                               -/var/log/mail.info
> mail.warning                            -/var/log/mail.warn
> mail.err                                 /var/log/mail.err
>
> news.crit                               -/var/log/news/news.crit
> news.err                                -/var/log/news/news.err
> news.notice                             -/var/log/news/news.notice
>
> *.=warning;*.=err                       -/var/log/warn
> *.crit                                   /var/log/warn
>
> *.*;mail.none;news.none                 -/var/log/messages
>
> local0,local1.*                         -/var/log/localmessages
> local2,local3.*                         -/var/log/localmessages
> local4,local5.*                         -/var/log/localmessages
> local6,local7.*                         -/var/log/localmessages

it's generally not a great idea to have multiple things writing to the same 
file, combine these into one line.

nothing in this config tells rsyslog to listen for remote logs, do you have that 
in an included file?

David Lang
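Pulling the points in this reply together into one fragment, as an added example that is not part of the original thread or of the poster's rsyslog.conf: it adds the remote listener the posted config lacks, turns off RepeatedMsgReduction, forwards only local6 to the SIEM and then stops processing (the `then { ... stop }` form), and collapses the four local* lines into one. The SIEM hostname siem.example.internal, port 514 and the queue sizes are assumptions, not values from the thread. This block must sit before the `*.*;mail.none;news.none -/var/log/messages` line, because the `stop` only keeps the forwarded messages out of rules that come after it.

```rsyslog
# Remote reception: nothing in the posted config listens on the network.
# Enable whichever transport the DB host actually sends on (tcpdump shows it).
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# Keep every repeated line; SIEM correlation wants 100 events, not
# one event plus "last message repeated 99 times".
$RepeatedMsgReduction off

# DB application logs arrive as facility local6 (per the thread).
# Ship them to the SIEM and stop, so they are not also written to
# /var/log/messages or /var/log/localmessages by the rules below.
if $syslogfacility-text == 'local6' then {
    action(type="omfwd"
           target="siem.example.internal"   # assumed SIEM address
           port="514"
           protocol="tcp"
           queue.type="LinkedList"          # disk-assisted would survive restarts
           queue.size="10000"               # assumed; size for ~80 EPS bursts
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")    # retry forever if the SIEM is down
    stop
}

# One rule for the remaining local* facilities instead of four rules
# writing to the same file.
local0,local1,local2,local3,local4,local5,local7.*   /var/log/localmessages
```

After editing, `rsyslogd -N1` checks the whole config (including the $IncludeConfig files) for syntax errors without starting the daemon, and `ss -ulnp` / `ss -tlnp` shows whether rsyslogd actually holds port 514; if tcpdump sees the packets but no listener is bound, or a host firewall rule drops them, the local6 rule never fires no matter how it is written.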
