In Linux, system logs are essential for monitoring performance, troubleshooting issues, and maintaining security. rsyslog is a powerful and flexible logging system widely used in modern Linux distributions. It offers high performance, advanced filtering, and support for various output formats, making it a valuable tool for managing logs effectively.
What is Rsyslog?
rsyslog stands for “Rocket-fast System Logging.” It is an enhanced version of the traditional syslog system, designed to handle high-speed log processing while offering advanced capabilities like:
- Flexible configuration: Filter, format, and direct logs to various destinations.
- Remote logging: Transmit logs across networked systems.
- Support for various protocols: Includes TCP, UDP, and RELP.
- Structured logging: Handles logs in formats like JSON.
- High performance: Capable of processing millions of messages per second.
Installing Rsyslog
rsyslog is included in most Linux distributions and is often installed by default. To install or verify its presence, use your package manager:
sudo dnf install rsyslog # Fedora, RHEL, AlmaLinux
sudo apt install rsyslog # Debian, Ubuntu
Enable and start the service:
sudo systemctl enable rsyslog
sudo systemctl start rsyslog
Check the status to ensure it’s running:
sudo systemctl status rsyslog
Understanding the Configuration
The main configuration file for rsyslog is located at /etc/rsyslog.conf, with additional configurations often found in /etc/rsyslog.d/. The configuration format uses selectors and actions:
- Selectors: Define what to log (e.g., facility and priority).
- Actions: Specify where to send the logs (e.g., files, remote servers).
Basic Syntax
A basic configuration line follows this structure:
<facility>.<priority> <action>
- Facility: Represents the source of the log (e.g., auth, mail, daemon).
- Priority: Defines the severity level (e.g., info, warn, err).
- Action: Specifies the destination (e.g., a file path or remote server).
Configuring Local Logging
By default, rsyslog logs messages to various files in /var/log/. For example:
- Authentication logs: /var/log/auth.log
- System logs: /var/log/syslog or /var/log/messages
To add a custom log rule for storing cron messages in a separate file, edit /etc/rsyslog.conf:
cron.* /var/log/cron.log
Save the file and restart rsyslog:
sudo systemctl restart rsyslog
Now, all cron messages will be stored in /var/log/cron.log.
Remote Logging with Rsyslog
rsyslog supports transmitting and receiving logs between systems, making it ideal for centralized log management.
Configuring a Remote Log Server
On the receiving server:
- Enable the TCP or UDP listener in /etc/rsyslog.conf:
module(load="imtcp") # Load TCP input module
input(type="imtcp" port="514") # Listen on TCP port 514
- Restart the rsyslog service:
sudo systemctl restart rsyslog
Configuring a Client to Send Logs
On the client system, add the following line to /etc/rsyslog.conf:
*.* @@192.168.1.100:514 # Replace with the server's IP
- @@: Indicates TCP; use @ for UDP.
- 192.168.1.100: IP address of the log server.
Restart rsyslog:
sudo systemctl restart rsyslog
Logs from the client will now be forwarded to the remote server.
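The rule above sends every message in clear text over TCP with no buffering, so a network outage drops logs and anyone on the path can read or alter them. The client and server configuration below is an added example, not part of the original article, that forwards the same *.* stream over TLS with certificate authentication and a disk-assisted queue; the hostname logserver.example.com, the certificate paths, the file paths under /etc/rsyslog.d/ and port 6514 are assumptions to replace with your own.

```conf
# --- Client side: /etc/rsyslog.d/10-forward.conf (assumed path) ---
# Requires the rsyslog-gnutls package for the "gtls" driver.
# Certificate paths are assumptions: a CA that signed both ends, plus this host's cert and key.
global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
       DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/client-cert.pem"
       DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/client-key.pem")

# No filter on the action means it applies to all messages, the same as "*.*".
# StreamDriverMode="1" forces TLS (no plaintext fallback); "x509/name" verifies the
# server's certificate chain and that its name matches StreamDriverPermittedPeers.
# The queue spills to disk while the server is unreachable and survives restarts,
# and action.resumeRetryCount="-1" retries forever instead of discarding messages.
action(type="omfwd" target="logserver.example.com" port="6514" protocol="tcp"
       StreamDriver="gtls"
       StreamDriverMode="1"
       StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="logserver.example.com"
       queue.type="LinkedList"
       queue.filename="fwd_queue"
       queue.maxDiskSpace="1g"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")

# --- Server side: /etc/rsyslog.d/10-receive.conf (assumed path) ---
global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
       DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/server-cert.pem"
       DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/server-key.pem")

# Only clients presenting a certificate signed by our CA with a name under
# example.com may connect; everything else is rejected during the handshake.
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["*.example.com"])

# One directory per sending host, so logs from different hosts never share a file.
template(name="per-host" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")

ruleset(name="remote") {
    action(type="omfile" dynaFile="per-host" dirCreateMode="0750" fileCreateMode="0640")
}

# Bind the listener to its own ruleset so remote messages do not mix with local rules.
input(type="imtcp" port="6514" ruleset="remote")
```

Restart rsyslog on both ends after installing the certificates; a failed TLS handshake is reported in the server's own log rather than silently dropping the connection.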
Advanced Features
Filtering Logs
Use advanced filters to fine-tune log processing. For example, to log only error messages from the auth facility:
# rsyslog's severity names are emerg, alert, crit, err, warning, notice, info, debug;
# the "error" level is spelled 'err', so comparing against 'error' would never match.
if $syslogfacility-text == 'auth' and $syslogseverity-text == 'err' then /var/log/auth_errors.log
& stop
Structured Logging with JSON
To enable structured logging in JSON format, modify the configuration:
module(load="mmjsonparse") # Load the JSON parser module
action(type="mmjsonparse") # Parse JSON (CEE) payloads in incoming messages into structured fields
template(name="json" type="string" string="%jsonmesg%\n") # Render the whole message object as JSON (the template must be defined before it is referenced)
action(type="omfile" file="/var/log/json.log" template="json")
Restart rsyslog, and the logs will be stored in JSON format.
Viewing and Managing Logs
Logs generated by rsyslog can be viewed with standard Linux tools like cat, tail, or less. For example:
sudo tail -f /var/log/syslog
You can also use log management tools like logrotate to control log file size and retention.
Summary
rsyslog is a versatile and powerful logging system, offering high performance and extensive customization for log management. Whether you’re setting up local logging, configuring a centralized log server, or implementing advanced filtering, rsyslog provides the tools needed to manage logs effectively.
To learn more, visit the official rsyslog documentation.