rsyslog

High-performance log ingestion and ETL engine

rsyslog

High-performance log ingestion and ETL engine

syslog 4.6.1 (v4-stable) released

adisconteamNews, Release Announcement, ,

Hi all,
We have just released rsyslog 4.6.1.

Rsyslog 4.6.1 is a bug fixing release. Most importantly, it fixes an issue with the build system that could potentially result in segfaults, especially on 32 bit machines. Please review the ChangeLog for details.

This is a recommended update for all v4-stable users.

ChangeLog:

http://www.rsyslog.com/Article445

Download:

http://www.rsyslog.com/Downloads-req-viewdownloaddetails-lid-196.phtml

As always, feedback is appreciated.

Best regards,
Tom Bergfeld

ChangeLog for 4.6.0 (v4-beta)

adisconteamChangelog, ,

Version 4.6.0 [v4-stable] (rgerhards), 2010-02-24

***************************************************************************

This is a new stable v4 version. It contains all fixes and enhancements
made during the 4.5.x phase as well as those listed below.

Note: this version is scheduled to conclude the v4 development process.
Do not expect any more new developments in v4. The focus is now
on v5 (what also means we have a single devel branch again).
(“development” means new feature development, bug fixes are of
course provided for v4-stable)
***************************************************************************

  • improved testbench to contain samples for totally malformed messages which miss parts of the message content
  • bugfix: some malformed messages could lead to a missing LF inside files or some other missing parts of the template content.
  • bugfix: if a message ended immediately with a hostname, the hostname was mistakenly interpreted as TAG, and localhost be used as hostname
  • bugfix: message without MSG part could case a segfault [backported from v5 commit 98d1ed504ec001728955a5bcd7916f64cd85f39f]. This actually was a “recent” regression, but I did not realize that it was introduced by the performance optimization in v4-devel. Shame on me for having two devel versions at the same time…

rsyslog 4.6.0 (v4-stable) released

adisconteamNews, Release Announcement, ,

Hi all,
We have just released rsyslog 4.6.0.

Rsyslog 4.6.0 is the next revision of the v4-stable branch. It brings all new features of 4.5.x to the stable releases. This includes bug fixes as well as many new features. Out of the many, I would like to highlight the ability to have output files automatically zipped, multiple TCP listeners and overall performance improvement. For all details, please check the 4.5.x change log entries.

This release has undergone rigorous testing in some very demanding environments. We held release until all tests went out well. We are happy to have reached this stage now and sincerely think that the version is ready for prime time. Thanks to everyone who contributed test time and bug reports!

We recommend that all v4-stable users have a look at 4.6.0 and consider updating to it. Please note that 4.6.0 also does have some patches which 4.4.2 does not have. Support for 4.4.2 is concluded now (but still available via support contracts).

ChangeLog:

http://www.rsyslog.com/Article443

Download:

http://www.rsyslog.com/Downloads-req-viewdownloaddetails-lid-195.phtml

As always, feedback is appreciated.

Best regards,
Tom Bergfeld

On the Use of English

adisconteamIntroduction, ,

I ventured to write this book in English because …
it will be more easily read in poor English,
than in good German by 90% of my intended readers.
— HANS J. STETTER, Analysis of Discretization Methods for
Ordinary Differential Equations (1973)

There is not much I could add to Mr. Stetter’s thought, except, maybe, that the number to quote probably tends more to 99% in this case than to the 90% Mr. Stetter notes. So please pardon those errors in language use that I have not yet been able to fix or even see. Suggestions for corrections and improvements are always welcome.

What this book is about

adisconteamIntroduction, ,

This book offers a cookbook-approach to configuring rsyslog. While the official documentation focusses on concepts, components and configuration statements, this book takes a completely different approach. It will not tell you about rsyslog concepts. Instead, it will offer a wide-range of recipies for configuring rsyslog so that it performs some specific task.

The individual recipies are presented with a problem description, some key facts (if necessary), required rsyslog version and the necessary configuration statements. These statements do their job, but not more. I tried to make the configurations reusable and free of side-effects. So you should be able to combine some of these recipies to form a final configuration that works exactly like you need it – just from applying the recipies. The core idea is that this should work just like in real cooking – there, you combine several recipies to create a great five-course meal. However, in cooking there are some recipies that you usually can not combine well within a single meal. The rsyslog equivalent is configurations with side effects, which may not always avoidable. If one of the configurations here has side-effects, you will be warned. It then probably is better to think twice before combining it.

Assumed Standard rsyslog.conf

adisconteamIntroduction, ,

When I initially started to write this book, I provided only excerpts of rsyslog.conf that showed which lines you had to add. Quickly, I received feedback that this is inadequate to make the recipies easy to use – because everyone still needed to guess where to place the excerpts. Or, even worse, place them at the wrong spots, not knowing that sequence of statements is important in rsyslog.conf.

To solve this issue, I now use a “standard” syslog config, just like can be found on many systems. Your’s may not be exactly the same, but I guess the standard config helps you find where the configuration samples need to go into. As a reference point, this is the “standard” config that all samples build on:

# Log anything (except mail) of level info or higher.

# Don't log private authentication messages!

*.info;mail.none;authpriv.none;cron.none      /var/log/messages
# The authpriv file has restricted access.

authpriv.*                                    /var/log/secure
# Log all the mail messages in one place.

mail.*                                        /var/log/maillog
# Log cron stuff

cron.*                                        /var/log/cron
# Everybody gets emergency messages

*.emerg                                       *
# Save news errors of level crit and higher in a special file.

uucp,news.crit                                /var/log/spooler
# Save boot messages also to boot.log

local7.*                                      /var/log/boot.log

I was hesitant at first to use a real-life sample – repeating it in any recipe requires much space. However, I have convinced myself that this space is well spent, facilitating the adoption of the samples. Only occasionally, when I give some counter-examples, I spare myself from reproducing the full standard rsyslog.conf, hoping that the context makes clear what is meant.

In each recipe, a full rsyslog.conf, based on above example, is specified. The recipe-specific alterations to the config file are given in a different typeface, so that they can be easily identified.

Writing specific messages to a file and discarding them

adisconteamGuides for rsyslog, Some core recipies, The recipies, ,

Messages with the text “error” inside the text part of the message shall be written to a specific file. They shall not be written to any other file or be processed in any other way.

Things to think about

The configuration given here should be placed on top of the rsyslog.conf file.

Config Statements

:msg, contains, "error" /var/log/error.log

& ~

# Log anything (except mail) of level info or higher.

# Don't log private authentication messages!

*.info;mail.none;authpriv.none;cron.none      /var/log/messages

# The authpriv file has restricted access.

authpriv.*                                    /var/log/secure

# Log all the mail messages in one place.

mail.*                                        /var/log/maillog

# Log cron stuff

cron.*                                        /var/log/cron

# Everybody gets emergency messages

*.emerg                                       *

# Save news errors of level crit and higher in a special file.

uucp,news.crit                                /var/log/spooler

# Save boot messages also to boot.log

local7.*                                      /var/log/boot.log

How it works

The configuration uses a property-based filter to see if the string “error is contained” inside the MSG part of the syslog message. If so, the message is written to /var/log/error.log. The next line then discards all messages that have been written. Thus, no additional rules will be applied to the message. As such, it will not be written to /var/log/other.log.

Note the difference to this invalid sequence:

*.* /var/log/other.log

:msg, contains, "error" /var/log/error.log

& ~

Here everything is first written to /var/log/other.log and only then the message content is checked. In the later case, the message with “error” in them will be written to both files.

Important

Sequence of configuration statements is very important. Invalid sequence of otherwise perfectly legal configuration statements can lead to totally wrong results.

Sending Messages to a Remote Syslog Server

Rainer GerhardsGuides for rsyslog, Some core recipies, The recipies, ,

In this recipe, we forward messages from one system to another one. Typical use cases are:

  • the local system does not store any messages (e.g. has not sufficient space to do so)
  • there is a (e.g. legal) requirement to consolidate all logs on a single system
  • the server may run some advanced alerting rules, and needs to have a full picture or network activity to work well
  • you want to get the logs to a different system in a different security domain (to prevent attackers from hiding their tracks)
  • and many more …

In our case, we forward all messages to the remote system. Note that by applying different filters, you may only forward select entries to the remote system. Also note that you can include as many forwarding actions as you like. For example, if you need to have a backup central server, you can simply forward to both of them, using two different forwarding actions.

To learn how to configure the remote server, see recipe Receiving Messages from a Remote System.

Config Statements

# this is the simplest forwarding action:
*.* action(type="omfwd" target="192.0.2.1" port="10514" protocol="tcp")
# it is equivalent to the following obsolete legacy format line:
*.* @@192.0.2.1:10514 # do NOT use this any longer!
# Note: if the remote system is unreachable, processing will
# block here and discard messages after a while

# so a better use is
*.*  action(type="omfwd" target="192.0.2.2" port="10514" protocol="tcp"
            action.resumeRetryCount="100"
            queue.type="linkedList" queue.size="10000")
# this will de-couple the sending from the other logging actions,
# and prevent delays when the remote system is not reachable. Also,
# it will try to connect 100 times before it discards messages as
# undeliverable.
# the rest below is more or less a plain vanilla rsyslog.conf as 
# many distros ship it - it's more for your reference...
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none      /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                    /var/log/secure
# Log all the mail messages in one place.
mail.*                                        /var/log/maillog
# Log cron stuff
cron.*                                        /var/log/cron
# Everybody gets emergency messages
*.emerg                                       :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                /var/log/spooler
# Save boot messages also to boot.log
local7.*                                      /var/log/boot.log

Things to think about

You need to select the protocol best suitable for your use case. If in doubt, TCP is a decent choice. This recipe uses TCP for that reason.

TCP forwarding is a build-in capability and always present. As such, no plugin needs to be loaded. The target can be specified by DNS name or IP address. Use IP addresses for most robust operations. If you use a DNS name and name resolution fails, forwarding may be disabled for some time. DNS resolution typically fails on the DNS server itself during system startup.

In this example, we forward to port 10514. We could as well remove the port=”…” parameter from the configuration, which would result in the default port being used. However, you need to specify the port address on the server in any case. So it is strongly advised to use an explicit port number to make sure that client and server configuration match each other (if they used different ports, the message transfer would not work.

Receiving Messages from a Remote System

adisconteamGuides for rsyslog, Some core recipies, The recipies, ,

This is a log-consolidation scenario. There exist at least two systems, a server and at least one client. The server is meant to gather log data from all the clients. Clients may (or may not) process and store messages locally. If they do doesn’t matter here. See recipe Sending Messages to a Remote Syslog Server for how to configure the clients.

Note that in this scenario, we just receive messages from remote machines but do not process them in any special way. Thus, messages from both the local and all remote systems show up in all log files that are written (as well, of course, in all other actions). While the log files contain the source, messages from all systems are intermixed. If you would like to record messages from remote systems to files different from the local system, please see recipe Storing Messages from a Remote System into a specific File for a potential solution.

This scenario provides samples for both UDP and TCP reception. There exist other choices (like RELP), but these are less frequently used. If in question what to use, check the rsyslog module reference and protocol documentation. Note that most devices send UDP messages by default. UDP is an unreliable transmission protocol, thus messages may get lost. TCP supports much more reliability, so if you can not accept message loss, you need to use TCP. Not all devices support TCP-based transports.

Things to think about

TCP and UDP recpetion are not build-in capabilities. You need to load the imtcp and/or imudp plugin in order to enable it. This needs to be done only once in rsyslog.conf. Do it right at the top. Also note that some distributions may package imtcp and/or imudp in separate packages. If so, you need to install them first.

Rsyslog versions prior to v3 had a command-line switch (-r/-t) to activate remote listening. This switch is still available by default and loads the required plugins and configures them with default parameters. However, that still requires the plugins are present on the system. It is recommended not to rely on compatibility mode but rather use proper configuration.

Note that the server port address specified in $InputTCPServerRun must match the port address that the clients send messages to.

Config Statements

# for TCP use:
module(load="imtcp") # needs to be done just once 
input(type="imtcp" port="514")
# for UDP use:
module(load="imudp") # needs to be done just once 
input(type="imudp" port="514")
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none      /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                    /var/log/secure
# Log all the mail messages in one place.
mail.*                                        /var/log/maillog
# Log cron stuff
cron.*                                        /var/log/cron
# Everybody gets emergency messages
*.emerg                                       *
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                /var/log/spooler
# Save boot messages also to boot.log
local7.*                                      /var/log/boot.log

How it works

Note that loading the plugins is not sufficient. You also need to activate the listeners. Note the subtle difference between the two startup commands. If you need to have listeners for multiple ports, you can define the startup commands more than once. If you need only TCP or only UDP, you can comment out the other part.

Scroll to top