Receiving Messages from a Remote System
This is a log-consolidation scenario. There exist at least two systems, a server and at least one client. The server is meant to gather log data from all the clients. Clients may (or may not) process and store messages locally. If they do doesn’t matter here. See recipe Sending Messages to a Remote Syslog Server for how to configure the clients.
Note that in this scenario, we just receive messages from remote machines but do not process them in any special way. Thus, messages from both the local and all remote systems show up in all log files that are written (as well, of course, in all other actions). While the log files contain the source, messages from all systems are intermixed. If you would like to record messages from remote systems to files different from the local system, please see recipe Storing Messages from a Remote System into a specific File for a potential solution.
This scenario provides samples for both UDP and TCP reception. There exist other choices (like RELP), but these are less frequently used. If in question what to use, check the rsyslog module reference and protocol documentation. Note that most devices send UDP messages by default. UDP is an unreliable transmission protocol, thus messages may get lost. TCP supports much more reliability, so if you can not accept message loss, you need to use TCP. Not all devices support TCP-based transports.
Things to think about
TCP and UDP recpetion are not build-in capabilities. You need to load the imtcp and/or imudp plugin in order to enable it. This needs to be done only once in rsyslog.conf. Do it right at the top. Also note that some distributions may package imtcp and/or imudp in separate packages. If so, you need to install them first.
Rsyslog versions prior to v3 had a command-line switch (-r/-t) to activate remote listening. This switch is still available by default and loads the required plugins and configures them with default parameters. However, that still requires the plugins are present on the system. It is recommended not to rely on compatibility mode but rather use proper configuration.
Note that the server port address specified in $InputTCPServerRun must match the port address that the clients send messages to.
Config Statements
# for TCP use: module(load="imtcp") # needs to be done just once input(type="imtcp" port="514") # for UDP use: module(load="imudp") # needs to be done just once input(type="imudp" port="514") # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* /var/log/maillog # Log cron stuff cron.* /var/log/cron # Everybody gets emergency messages *.emerg * # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log
How it works
Note that loading the plugins is not sufficient. You also need to activate the listeners. Note the subtle difference between the two startup commands. If you need to have listeners for multiple ports, you can define the startup commands more than once. If you need only TCP or only UDP, you can comment out the other part.
Using a different log Format for all Files
Rsyslog comes with a limited set of log file formats. These resemble the default format that people (and log analyzers) usually expect. However, for some reason or another, it may be required to change the log format. In this recipe, we define a new format and use it as the default format for all log files.
Config Statements
$template myFormat,"%rawmsg%\n"
$ActionFileDefaultTemplate myFormat
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
Things to think about
The template and ActionFileDefaultTemplate statements must be made at the top of the configuration file, before any of the files are specified.
How it works
The Template-statement defines the new format. It consist of fields to be written, potential modifications as well as literal text. In the sample config statement, “rawmsg” ist a property that contains the syslog message as it was received by rsyslogd (“received” from any source, for example a remote system or the local log socket). The string “\n” is a line feed (ASCII LF), a constant being added to the string. Usually, log line templates need to end with “\n”, because without that, all log records would be written into a single line. Note that there are many fields and options for these fields that you can specify. The system is very flexible. But getting into the detail of all of that is beyond the scope of this cookbook-style book. Please see the “property replacer” official documentation for more details.
The $ActionFileDefaultTemplate then makes the newly defined template the default for all file actions. This saves you from specifying it with any single action line. But otherwise, it is equivalent to
$template myFormat,"%rawmsg%\n"# The authpriv file has restricted access.
authpriv.* /var/log/secure;myFormat# Log all the mail messages in one place.
mail.* /var/log/maillog;myFormat# Log cron stuff
cron.* /var/log/cron;myFormat# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler;myFormat# Save boot messages also to boot.log
local7.* /var/log/boot.log;myFormatDiscarding unwanted messages
Often, there are some messages that you know you will never store in any log file. Even worse, these messages are sometimes very frequently emitted. There are various ways to get rid of those unwanted messages.
First of all, you need to identify them. Then look carfully and see what is special with these messages. A common case may be that they contain a specific text inside the message itself. If so, you can filter on that text and discard anything that matches. You need to be careful, though: if there are other messages matching this text, these other messages will also be discarded. So it is vital to make sure the text you use is actually unique.
In the sample below, let’s assume that you want to discard messages that contain either the text “user nagios” or “module-alsa-sink.c: ALSA woke us up to write new data to the device, but there was actually nothing to write”. The later is an actual sample from pulseaudio, which is known to spam syslog with an enourmous volume of these messages.
Config Statements
:msg, contains, "user nagios" ~ :msg, contains, "module-alsa-sink.c: ALSA woke us up to write new data to the device, but there was actually nothing to write" ~ # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* /var/log/maillog # Log cron stuff cron.* /var/log/cron # Everybody gets emergency messages *.emerg * # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log
Note that these are just two lines. The second to forth line are just broken for printing purposes. These two must be on a single line in an actual rsyslog.conf.
How it works
Note that the statements are placed on top of rsyslog.conf. This makes them being executed before any other action statement. So each message received will be checked against the two string and be discarded, if a match is found. Note that you can move the discard action to another place inside rsyslog.conf if you would like to write the messages to some files, but not to others. For example, this configuration:
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# do not log the following to other files
:msg, contains, "user nagios" ~
:msg, contains, "module-alsa-sink.c: ALSA woke us up to
write new data to the device, but there was actually
nothing to write" ~# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
logs all messages to /var/log/messages, even those that then shall be discarded.
Integration with “standard” syslogd
Many people call sysklogd that “standard” syslogd because it comes by default with many distributions. Well, more precisely we should say “it came by default”. Over time, rsyslog has replaced sysklogd in most Linux distributions (for example, Fedora, Debian and Ubuntu). So it may be worth checking if rsyslog is already the standard syslogd on a system in question.
Things to think about
In any case, rsyslogd can work well with sysklogd. However, there are a number of limitations, based in missing capabilities of sysklogd. Most importantly, sysklogd does not support tcp syslog or any other protocol but UDP. Note that UDP syslogd does not offer reliability. So some syslog messages will probably be lost, especially on a busy system and/or network. If this is not acceptable, sysklogd must be replaced.
Also, various implementations of legacy syslogd’s use somewhat malformed message formats (based on current standards). As such, rsyslog may not correctly interpret the messages. There are solutions for this problem, but this currently is out of scope for the cookbook-type approach of this book. If you need to deal with these issues, please look at the official reference documentation or ask on the rsyslog forum or mailing list.
Config Statements
You need to configure the legacy syslogd (sysklogd, for example) to send messages to the machine running rsyslogd. The syntax is somewhat similar to rsyslogd’s, but offers limited options. Only basic priority filters can be used, and ports, zip compression or templates can not be specified.
Let us assume that the rsyslogd runing on the machine 192.0.0.1 shall receive a copy of all messages and the rsyslgod running on machine maillog.example.net shall receive copy of all mail-related logs.
In legacy syslog you configure this as follows:
*.* @192.0.0.1
mail.* @maillog.example.net
On the rsyslog side, you need to set up UDP reception. For the machine that gathers all logs, rsyslog.conf may look like below. Note that the listening port must be 514 as legacy syslogd (usually) does not support any other.
$ModLoad imudp
$UDPServerRun 514
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
Note that this configuration will store both local and remote messages into the same files. This often is not desirable. Please refer to recipe 2.2.1 to see how to split local and remote logs to different files.
ChangeLog for 5.3.5 (beta)
Version 5.3.5 [BETA] (rgerhards), 2009-11-13
- some light performance enhancement by replacing time() call with much faster (at least under linux) gettimeofday() calls.
- some improvement of omfile performance with dynafiles saved costly time() calls by employing a logical clock, which is sufficient for the use case
- bugfix: omudpspoof miscalculated source and destination ports while this was probably not noticed for source ports, it resulted in almost all destination ports being wrong, except for the default port of 514, which by virtue of its binary representation was calculated correct (and probably thus the bug not earlier detected).
- bugfixes imported from earlier releases
- bugfix: named pipes did no longer work (they always got an open error)
this was a regression from the omfile rewrite in 4.5.0 - bugfix(testbench): sequence check was not always performed correctly, that could result in tests reporting success when they actually failed
- bugfix: named pipes did no longer work (they always got an open error)
- improved testbench: added tests for UDP forwarding and omudpspoof
- doc bugfix: omudpspoof had wrong config command names (“om” missing)
- bugfix [imported from 4.4.3]: $ActionExecOnlyOnceEveryInterval did not work.
- [inport v4] improved testbench, contains now tcp and gzip test cases
- [import v4] added a so-called “On Demand Debug” mode, in which debug output can be generated only after the process has started, but not right from the beginning. This is assumed to be useful for hard-to-find bugs. Also improved the doc on the debug system.
- bugfix: segfault on startup when -q or -Q option was given [imported from v3-stable]
ChangeLog for 4.5.6 (v4-beta)
Version 4.5.6 [v4-beta] (rgerhards), 2009-11-05
- bugfix: named pipes did no longer work (they always got an open error) this was a regression from the omfile rewrite in 4.5.0
- bugfix(minor): diag function returned wrong queue memeber count for the main queue if an active DA queue existed. This had no relevance to real deployments (assuming they are not running the debug/diagnostic module…), but sometimes caused grief and false alerts in the testbench.
- included some important fixes from v4-stable:
- bugfix: invalid handling of zero-sized messages
- bugfix: zero-sized UDP messages are no longer processed
- bugfix: random data could be appended to message
- bugfix: reverse lookup reduction logic in imudp do DNS queries too often
- bugfix(testbench): testcase did not properly wait for rsyslod shutdown thus some unpredictable behavior and a false negative test result could occur. [BACKPORTED from v5]
- bugfix(testbench): sequence check was not always performed correctly, that could result in tests reporting success when they actually failed
ChangeLog for 5.3.2 (devel)
Version 5.3.2 [DEVEL] (rgerhards), 2009-10-21
- enhanced omfile to support transactional interface. This will increase performance in many cases.
- added multi-ruleset support to imudp
- re-enabled input thread termination handling that does avoid thread cancellation where possible. This provides a more reliable mode of rsyslogd termination (canceling threads my result in not properly freed resouces and potential later hangs, even though we perform proper cancel handling in our code). This is part of an effort to reduce thread cancellation as much as possible in rsyslog.
NOTE: the code previously written code for this functionality had a subtle race condition. The new code solves that. - enhanced immark to support non-cancel input module termination
- improved imudp so that epoll can be used in more environments, fixed potential compile time problem if EPOLL_CLOEXEC is not available.
- some cleanup/slight improvement:
- changed imuxsock to no longer use deprecated submitAndParseMsg() IF
- changed submitAndParseMsg() interface to be a wrapper around the new way of message creation/submission. This enables older plugins to be used together with the new interface. The removal also enables us to drop a lot of duplicate code, reducing complexity and increasing maintainability.
- bugfix: segfault when starting up with an invalid .qi file for a disk queue
Failed for both pure disk as well as DA queues. Now, we emit an error message and disable disk queueing facility. - bugfix: potential segfault on messages with empty MSG part. This was a recently introduced regression.
- bugfix: debug string larger than 1K were improperly displayed. Max size is now 32K, and if a string is even longer it is meaningfully truncated.
ChangeLog for 4.4.1 (v4-stable)
Version 4.4.1 [v4-stable] (rgerhards), 2009-09-02
- features requiring Java are automatically disabled if Java is not present (thanks to Michael Biebl for his help!)
- bugfix: invalid double-quoted PRI, among others in outgoing messages. This causes grief with all receivers. Bug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=147
- bugfix: Java testing tools were required, even if testbench was disabled. This resulted in build errors if no Java was present on the build system, even though none of the selected option actually required Java. (I forgot to backport a similar fix to newer releases).
- bugfix (backport): omfwd segfault. Note that the orginal (higher version) patch states this happens only when debugging mode is turned on. That statement is wrong: if debug mode is turned off, the message is not being emitted, but the division
by zero in the actual parameters still happens.
ChangeLog for 4.4.0 (v4-stable)
Version 4.4.0 [v4-stable] (rgerhards), 2009-08-21
- bugfix: stderr/stdout were not closed to be able to emit error messages, but this caused ssh sessions to hang. Now we close them after the initial initialization. See forum thread: http://kb.monitorware.com/controlling-terminal-issues-t9875.html
- bugfix: sending syslog messages with zip compression did not work
ChangeLog for 4.5.2 (beta)
Version 4.5.2 [v4-beta] (rgerhards), 2009-08-21
- legacy syslog parser changed so that it now accepts date stamps in wrong case. Some devices seem to create them and I do not see any harm in supporting that.
- added $InputTCPMaxListeners directive – permits to specify how many TCP servers shall be possible (default is 20).
- bugfix: memory leak with some input modules. Those inputs that use parseAndSubmitMsg() leak two small memory blocks with every message. Typically, those process only relatively few messages, so the issue does most probably not have any effect in practice.
- bugfix: if tcp listen port could not be created, no error message was emitted
- bugfix: potential segfault in output file writer (omfile) In async write mode, we use modular arithmetic to index the output buffer array. However, the counter variables accidently were signed, thus resulting in negative indizes after integer overflow. That in turn could lead to segfaults, but was depending on the memory layout of the instance in question (which in turn depended on a number of variables, like compile settings but also configuration). The counters are now unsigned (as they always should have been) and so the dangling mis-indexing does no longer happen. This bug potentially affected all installations, even if only some may actually have seen a segfault.
- bugfix: hostnames with dashes in them were incorrectly treated as malformed, thus causing them to be treated as TAG (this was a regression introduced from the “rfc3164 strict” change in 4.5.0).