Slackware/system-configs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update logfile configurations.

Browse source
This commit is contained in:
Darren 'Tadgy' Austin 2026-03-30 14:55:19 +00:00
commit 44b93b9422
17 changed files with 287 additions and 127 deletions
Download patch file Download diff file Expand all files Collapse all files

263
etc/rsyslog.conf
View file

@ -1,143 +1,180 @@
# VMWare: RFC5424 message format.
# Load modules.
module(load="imuxsock" sysSock.usePIDFromSystem="on")
module(load="imudp")
module(load="imtcp")
module(load="builtin:omfile" dirCreateMode="0750" dirOwnerNum="0" dirGroupNum="0" fileCreateMode="0640" fileOwnerNum="0" fileGroupNum="0" compression.driver="zstd")
module(load="imfile" Mode="inotify")
module(load="builtin:omfile" dirCreateMode="0755" dirOwnerNum="0" dirGroupNum="0" fileCreateMode="0644" fileOwnerNum="0" fileGroupNum="0" compression.driver="zstd")
# Global configuration.
global(
workDirectory="/var/lib/rsyslog"
workDirectory="/var/spool/rsyslog"
#stdlog.channelspec="on"
maxMessageSize="16K"
senders.keepTrack="on"
senders.timeoutAfter="2419200"
senders.reportGoneAway="on"
senders.reportNew="on"
parser.permitSlashInProgramName="on"
)
# Inputs.
input(type="imudp" port="25414" ruleset="syslog")
input(type="imudp" port="25415" ruleset="httplog")
input(type="imtcp" port="25414" ruleset="syslog")
# Templates.
# For the log lines.
# The format for any version of message received is:
# <date> <short-hostname> <facility>.<severity> <msgid> <tag> <message>
# Where <msgid> may be '-' for none, and <tag> is either the message's "tag", "app-name", or '-' for none.
template(name="localLogLine" type="string" string="%timereported% %$.host% %syslogfacility-text%.%syslogseverity-text% %$.id% %$.tag%%msg:::sp-if-no-1st-sp%%msg:::escape-cc,drop-last-lf%\n")
template(name="centralLogLine" type="string" string="%timereported:::date-utc% %$.host% %syslogfacility-text%.%syslogseverity-text% %$.id% %$.tag%%msg:::sp-if-no-1st-sp%%msg:::escape-cc,drop-last-lf%\n")
# For the logfile locations.
template(name="localFile" type="string" string="/var/log/%$.logfile%")
template(name="centralFile" type="string" string="/data/logs/%$.fqdn%/%timegenerated:1:4:date-utc,date-rfc3339%/%timegenerated:6:7:date-utc,date-rfc3339%/%timegenerated:9:10:date-utc,date-rfc3339%/%$.logfile%")
# Rulesets.
ruleset(name="syslog") {
set $.host = tolower(field($hostname, ".", 1));
set $.domain = tolower(re_extract($hostname, '[^.]+\\.(.*)', 0, 1, "unknown_domain"));
if ($app-name != "") then {
set $.proc = $app-name;
if ($procid != "" and $procid != "-") then {
set $.proc = '[' & $procid & ']';
}
# Rulesets. Must be defined before inputs that use them.
ruleset(name="localSyslog") {
# Use the host's lowercased FQDN.
set $.fqdn = tolower("core.slackware.uk.net");
# Extract the hostname part of the FQDN the message was receieved from.
set $.host = field($.fqdn, ".", 1);
# Hack for RFC3164 messages that do not contain a 'tag' (usually the process name and ID ending in :).
if ($syslogtag == "") then {
set $.tag = "-:";
} else {
set $.proc = '-';
set $.tag = $syslogtag;
}
if ($msgid != "") then {
# Hack for messages that do not contain a 'msgid'.
if ($msgid == "") then {
set $.id = "-";
} else {
set $.id = $msgid;
} else {
set $.id = '-';
}
template(name="LogLineSingleHost" type="string" string="%timereported:::date-utc,date-rfc3339% %$.host% %pri-text% %$.proc% %$.id% :%msg:::sp-if-no-1st-sp%%msg:::escape-cc,drop-last-lf%\n")
template(name="LogLineAllHosts" type="string" string="%timereported:::date-utc,date-rfc3339% %hostname% %pri-text% %$.proc% %$.id% :%msg:::sp-if-no-1st-sp%%msg:::escape-cc,drop-last-lf%\n")
# Direct the message to the correct log(s).
if prifilt("auth.*,authpriv.*") then set $.logfile = "auth";
if prifilt("cron.*") then set $.logfile = "crond";
if prifilt("daemon.*,syslog.*,user.*,uucp.*,local0.*,local1.*,local2.*") then set $.logfile = "messages";
if prifilt("ftp.*") then set $.logfile = "ftpd";
if prifilt("kern.*") then set $.logfile = "kernel";
if prifilt("lpr.*") then set $.logfile = "dehydrated";
if prifilt("mail.*") then set $.logfile = "smtpd";
if prifilt("news.*") then set $.logfile = "kerberos";
if prifilt("local3.*") then set $.logfile = "named";
# FIXME: Correct logfile for samba?
if prifilt("local4.*") then set $.logfile = "samba/samba";
if prifilt("local5.*") then set $.logfile = "rsyncd";
if prifilt("local6.*") then set $.logfile = "php";
if prifilt("local7.*") then set $.logfile = "httpd";
# For next release of rsyslog:
# set $.ret = parse_json('[]', "\$!logfiles");
# if prifilt("auth.*,authpriv.*") then set $!logfiles = append_json($!logfiles, "auth");
# if prifilt("cron.*") then set $!logfiles = append_json($!logfiles, "crond");
# if prifilt("daemon.*,syslog.*,user.*,uucp.*,local0.*,local1.*,local2.*") then set $!logfiles = append_json($!logfiles, "messages");
# if prifilt("ftp.*") then set $!logfiles = append_json($!logfiles, "ftpd");
# if prifilt("kern.*") then set $!logfiles = append_json($!logfiles, "kernel");
# if prifilt("lpr.*") then set $!logfiles = append_json($!logfiles, "dehydrated");
# if prifilt("mail.*") then set $!logfiles = append_json($!logfiles, "smtpd");
# if prifilt("news.*") then set $!logfiles = append_json($!logfiles, "kerberos");
# if prifilt("local3.*") then set $!logfiles = append_json($!logfiles, "named");
# if prifilt("local4.*") then set $!logfiles = append_json($!logfiles, "samba/samba");
# if prifilt("local5.*") then set $!logfiles = append_json($!logfiles, "rsyncd");
# if prifilt("local6.*") then set $!logfiles = append_json($!logfiles, "php");
# if prifilt("local7.*") then set $!logfiles = append_json($!logfiles, "httpd");
# if prifilt("*.err,*.crit') then set $!logfiles = append_json($!logfiles, "ERROR");
# if prifilt("*.alert,*.emerg') then set $!logfiles = append_json($!logfiles, "EMERG");
# if prifilt("*.debug") then set $!logfiles = append_json($!logfiles, "DEBUG");
# FIXME: Log each facility to the AllHosts logs. Compression?
if prifilt("auth.*,authpriv.*") then {
action(type="omfile" file="/tmp/log/AllHosts/auth" template="LogLineAllHosts" zipLevel="6" asyncWriting="on" flushInterval="5" ioBufferSize="64k" )
} else if ... then {
template(name="LogFileeSingleHost" type="string" string="/tmp/logs/%$.host%/
%timereported:::date-utc,date-rfc3339% %$.host% %pri-text% %$.proc% %$.id% :%msg:::sp-if-no-1st-sp%%msg:::escape-cc,drop-last-lf%\n")
if prifilt("*.info") then {
action(type="omfile" file="/var/log/info.log")
}
# Write the logs.
# foreach ($.logfile in $!logfiles) do {
action(type="omfile" dynaFile="localFile" template="localLogLine" asyncWriting="on" flushInterval="5" ioBufferSize="64k" createDirs="on")
action(type="omfile" dynaFile="centralFile" template="centralLogLine" asyncWriting="on" flushInterval="5" ioBufferSize="64k" createDirs="on")
# }
}
ruleset(name="remoteSyslog") {
# Use the incoming host's lowercased FQDN.
set $.fqdn = tolower($fromhost);
# Extract the hostname part of the FQDN the message was receieved from.
set $.host = field($.fqdn, ".", 1);
# Hack for RFC5424 messages that do not contain an app-name or procid.
if ($app-name == "") then {
if ($syslogtag == "") then {
set $.tag = "-";
} else {
set $.tag = $syslogtag;
}
} else {
if ($procid == "") then {
set $.tag = $app-name;
} else {
set $.tag = $app-name & '[' & $procid & ']';
}
}
# Hack for messages that do not contain a 'msgid'.
if ($msgid == "") then {
set $.id = "-";
} else {
set $.id = $msgid;
}
# Direct the message to the correct log(s).
if (re_match_i($.host, '^(esx[[:alnum:]]|vcsa)$')) then {
if prifilt("auth.*,authpriv.*") then set $.logfile = "auth";
if prifilt("cron.*,daemon.*,ftp.*,lpr.*,news.*,syslog.*,user.*,uucp.*,local0.*,local1.*,local2.*,local3.*,local4.*,local5.*,local6.*,local7.*") then set $.logfile = "messages";
if prifilt("kern.*") then set $.logfile = "kernel";
if prifilt("mail.*") then set $.logfile = "mail";
# For next release of rsyslog:
# if prifilt("auth.*,authpriv.*") then set $!logfiles = append_json($!logfiles, "auth");
# if prifilt("cron.*,daemon.*,ftp.*,lpr.*,news.*,syslog.*,user.*,uucp.*,local0.*,local1.*,local2.*,local3.*,local4.*,local5.*,local6.*,local7.*") then set $!logfiles = append_json($!logfiles, "messages");
# if prifilt("kern.*") then set $!logfiles = append_json($!logfiles, "kernel");
# if prifilt("mail.*,authpriv.*") then set $!logfiles = append_json($!logfiles, "mail");
# if prifilt("*.err,*.crit') then set $!logfiles = append_json($!logfiles, "ERROR");
# if prifilt("*.alert,*.emerg') then set $!logfiles = append_json($!logfiles, "EMERG");
# if prifilt("*.debug") then set $!logfiles = append_json($!logfiles, "DEBUG");
} else {
if prifilt("auth.*,authpriv.*") then set $.logfile = "auth";
if prifilt("cron.*") then set $.logfile = "crond";
if prifilt("daemon.*,syslog.*,user.*,uucp.*,local0.*,local1.*,local2.*") then set $.logfile = "messages";
if prifilt("ftp.*") then set $.logfile = "ftpd";
if prifilt("kern.*") then set $.logfile = "kernel";
if prifilt("lpr.*") then set $.logfile = "dehydrated";
if prifilt("mail.*") then set $.logfile = "smtpd";
if prifilt("news.*") then set $.logfile = "kerberos";
if prifilt("local3.*") then set $.logfile = "named";
if prifilt("local4.*") then set $.logfile = "samba/samba";
if prifilt("local5.*") then set $.logfile = "rsyncd";
if prifilt("local6.*") then set $.logfile = "php";
if prifilt("local7.*") then set $.logfile = "httpd";
# For next release of rsyslog:
# set $.ret = parse_json('[]', "\$!logfiles");
# if prifilt("auth.*,authpriv.*") then set $!logfiles = append_json($!logfiles, "auth");
# if prifilt("cron.*") then set $!logfiles = append_json($!logfiles, "crond");
# if prifilt("daemon.*,syslog.*,user.*,uucp.*,local0.*,local1.*,local2.*") then set $!logfiles = append_json($!logfiles, "messages");
# if prifilt("ftp.*") then set $!logfiles = append_json($!logfiles, "ftpd");
# if prifilt("kern.*") then set $!logfiles = append_json($!logfiles, "kernel");
# if prifilt("lpr.*") then set $!logfiles = append_json($!logfiles, "dehydrated");
# if prifilt("mail.*") then set $!logfiles = append_json($!logfiles, "smtpd");
# if prifilt("news.*") then set $!logfiles = append_json($!logfiles, "kerberos");
# if prifilt("local3.*") then set $!logfiles = append_json($!logfiles, "named");
# if prifilt("local4.*") then set $!logfiles = append_json($!logfiles, "samba/samba");
# if prifilt("local5.*") then set $!logfiles = append_json($!logfiles, "rsyncd");
# if prifilt("local6.*") then set $!logfiles = append_json($!logfiles, "php");
# if prifilt("local7.*") then set $!logfiles = append_json($!logfiles, "httpd");
# if prifilt("*.err,*.crit') then set $!logfiles = append_json($!logfiles, "ERROR");
# if prifilt("*.alert,*.emerg') then set $!logfiles = append_json($!logfiles, "EMERG");
# if prifilt("*.debug") then set $!logfiles = append_json($!logfiles, "DEBUG");
}
# Write the logs.
# foreach ($.logfile in $!logfiles) do {
action(type="omfile" dynaFile="centralFile" template="centralLogLine" asyncWriting="on" flushInterval="5" ioBufferSize="64k" createDirs="on")
# }
}
#template(name="SyslogLineFormat" type="list") {
# property(name="timereported" dateFormat="rfc3339" caseConversion="lower") # Timestamp yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
# constant(value=" ")
# property(name="hostname") # Hostname
# constant(value=" ")
# property(name="syslogfacility") # Facility
# constant(value=".")
# property(name="syslogpriority") # Log priority
# constant(value=" ")
# property(name="syslogtag") # Syslog tag
# constant(value=": ")
# property(name="msg") # Message content
# constant(value="\n")
#}
#template(name="LogHostFile" type="string" string="/mnt/Data/logs/%HOSTNAME:::escape-cc,secpath-replace%/
#%TIMESTAMP:::date-utc,date-year%/%TIMESTAMP:::date-utc,date-month%/%TIMESTAMP:::date-utc,date-day%/
# %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")
#template(name="LogAllHostsFile" type="string" string="/mnt/Data/logs/AllHosts/
#%TIMESTAMP:::date-utc,date-year%/%TIMESTAMP:::date-utc,date-month%/%TIMESTAMP:::date-utc,date-day%/
# %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")
#VMWare: RFC 5424
# Parser.
#parser(
# name="FIXME"
# type="pmnormalize"
# rule=[
# "rule=:<%pri:number%> %fromhost-ip:ipv4% %hostname:word% %syslogtag:char-to:\\x3a%: %msg:rest%",
# "rule=:<%pri:number%> %hostname:word% %fromhost-ip:ipv4% %syslogtag:char-to:\\x3a%: %msg:rest%"
# ]
#)
# Rules
#ruleset(name="outp" parser="custom.pmnormalize") {
# action(type="omfile" File="/tmp/output")
#}
# Outputs.
action(type="omfile" file="/tmp/messages" template="LogLineSingleHost")
# Inputs.
input(type="imuxsock" socket="/dev/log" usePIDFromSystem="on" ruleset="localSyslog")
input(type="imudp" port="25414" ruleset="remoteSyslog")
input(type="imtcp" port="25414" ruleset="remoteSyslog")
# Include additional configurations.
include(file="/etc/rsyslog.d/*.conf" mode="optional")
### Examples ####
# Send all logs to remote syslog via UDP.
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#*.* action(
# type="omfwd"
# target="192.168.0.1"
# port="514"
# protocol="udp"
# queue.filename="fwdRule1" # unique name prefix for spool files
# queue.type="LinkedList"
# queue.maxDiskSpace="256m"
# queue.saveOnShutdown="on"
# action.resumeRetryCount="-1"
# action.resumeInterval="30"
#)