What is Linux Syslog Server and how to manage server logs?
Syslog stands for “System Logging Protocol”. It is a standard for message logging and a protocol used to forward logs from devices such as routers, switches and firewalls. Every device on the network, including Linux machines, Windows machines, switches and routers, generates logs of some kind.
If we need to check the log for a switch, we need to access that particular device to get the related logs. Devices may not hold logs for a long time. If something happens on one of these devices and it is no longer accessible, the logs could be lost.
This is where the “syslog server” comes into action. A syslog server is a centralized location that holds the logs of all devices in the environment in one place. This makes it easier to compare and correlate events and their sequences from different devices. We can forward device logs to a centralized “syslog server” using the “syslog” protocol.
Most network equipment, such as routers, switches, firewalls and printers, and even web servers like Apache, can send Syslog messages. Windows-based servers don’t support Syslog natively, but there are third-party tools available to collect the Windows Event Log and forward it to a Syslog server.
Syslog is widely accepted for its simplicity, as there are no complex requirements between the sending device and the receiving server.
Syslog is part of the Transport layer in the OSI Model, using User Datagram Protocol (UDP) to transfer information across the network. It uses UDP on port 514.
Most Linux distributions come with a logging component pre-installed, such as syslog or rsyslog. Rsyslog is an open source logging service. It is also the default logging service in CentOS 7 / RHEL 7. Rsyslog can forward logs to text files in the /var/log/ folder, to databases and even to different hosts. It supports MySQL, PostgreSQL, Oracle, SQLite, Microsoft SQL, Sybase, Firebird, and mSQL databases. Rsyslog can run in both server and client mode.
Basic rsyslog configuration
The configuration file of rsyslog is “/etc/rsyslog.conf”.
Each line in this file contains a “selector” and a corresponding “action”. The selector contains a facility and a priority.
eg: cron.* /var/log/cron
In the above example “cron.*” is the “selector” and “/var/log/cron” is the action.
The asterisk “*” is used as a wildcard that represents all priorities, such as debug, warning, err, etc. Here all types of logs from cron will be forwarded to “/var/log/cron”.
In syslog, a facility code is used to specify the type of program that is logging the message. Messages with different facilities will be handled differently. The following are some of the major syslog facilities in Linux:
auth Security related messages.
authpriv Private authentication messages.
cron Message generated by cron subsystem.
daemon System daemons.
kern Kernel messages.
mail Mail messages.
syslog Messages generated internally by syslogd
We have two additional special facilities:
→ the asterisk (*) which means all facilities
→ none which means no facility at all.
Look at the following examples to understand these special facilities.
This line says send all messages of the emergency priority to /var/log/emerg file.
This tells rsyslog not to log any mail messages to the file /var/log/maillog.
Configuring rsyslog client
1. # vi /etc/rsyslog.conf
2. To store the logs to a remote rsyslog server, paste the below lines at the bottom of the rsyslog.conf file, above the line “# ### end of the forwarding rule ###”
Eg: *.* @<IP Here>:514 (use a single “@” for UDP and “@@” for TCP).
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
# ### end of the forwarding rule ###
It directs rsyslog to send all the logs to the remote host at that IP on port 514/UDP.
We can set priority levels using some special characters. Different priority levels in syslog are:
debug debugging messages
info informational messages
notice normal, but significant, condition
err error conditions
warning warning conditions
crit critical conditions
emerg emergency condition, system is unstable
alert action must be taken immediately
There are four new specifiers used along with priorities which are:
* wildcard, all type of priorities can be logged
= restrict logging to specified priority
! exclude logging of specified priority
- used to prefix a filename if you want to omit syncing the file after every write to it
Some samples of Rsyslog priority level qualifiers in CentOS 7 are given below.
kern.info = kernel logs with info priority and higher.
kern.=info = only kernel messages with info priority.
kern.info;kern.!err = only kernel messages with info, notice, and warning priorities.
kern.debug;kern.!=warning = all kernel priorities except warning.
kern.* = all kernel priorities messages.
kern.none = don’t log any related kernel facility messages regardless of the priority.
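The qualifier samples above can be checked with a short model of selector matching. This is an added example, not rsyslog's own code and not part of the original article; the function names are hypothetical. It assumes the classic sysklogd-style semantics, in which the parts of a selector are applied left to right, and it goes slightly beyond the samples by also handling the “*” facility and comma-separated facility lists.

```python
# Added example: a small model of syslog selector matching (not rsyslog source).
# Severities from least to most severe, in syslog's own order.
SEVERITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}


def allowed_priorities(selector, facility):
    """Return the priorities of `facility` that `selector` lets through."""
    allowed = set()
    for part in selector.split(";"):
        facilities, _, prio = part.strip().partition(".")
        names = [f.strip() for f in facilities.split(",")]
        if "*" not in names and facility not in names:
            continue  # this part does not mention our facility
        negate = prio.startswith("!")  # "!" removes instead of adding
        prio = prio.lstrip("!")
        exact = prio.startswith("=")   # "=" means this priority only
        prio = prio.lstrip("=")
        if prio in ("*", "none"):
            chosen = set(SEVERITIES)
            if prio == "none":
                negate = not negate    # "none" removes every priority
        elif prio not in RANK:
            raise ValueError(f"unknown priority {prio!r} in {part!r}")
        elif exact:
            chosen = {prio}
        else:
            chosen = set(SEVERITIES[RANK[prio]:])  # this level and higher
        # Parts are applied left to right, so a later part adjusts earlier ones.
        allowed = allowed - chosen if negate else allowed | chosen
    return allowed


def matches(selector, facility, priority):
    """True if a message with this facility and priority hits the rule."""
    return priority in allowed_priorities(selector, facility)


if __name__ == "__main__":
    # Selectors taken from the article, plus one constructed combination.
    for sel, fac in [("kern.info", "kern"), ("kern.=info", "kern"),
                     ("kern.info;kern.!err", "kern"),
                     ("kern.debug;kern.!=warning", "kern"),
                     ("kern.none", "kern"), ("*.info;mail.none", "mail")]:
        hit = [p for p in SEVERITIES if matches(sel, fac, p)]
        print(f"{sel:28} {fac:5} -> {', '.join(hit) or '(nothing)'}")
```

Running a rule through such a model before deploying it is a quick way to confirm that the priorities you expect to keep, for example authentication errors, are not dropped by a later “!” or “none” part.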
Syslog supports several kinds of action, even though only one can be included in a rule.
→ Filename can be listed in the action field
→ Usernames can be specified
→ Messages can be sent to remote machines
→ An asterisk to message all logged in users
If we want to send only the messages of a specific facility to a remote log server, such as all mail messages regardless of the priority level, add the below line to the rsyslog configuration file:
Once we have made changes to the syslog configuration file, the service needs to be restarted to pick up the changes.
# systemctl restart rsyslog.service
March 20, 2020