Linux Logging Configuration: Difference between revisions
| (11 intermediate revisions by the same user not shown) | |||
| Line 5: | Line 5: | ||
=rsyslogd Configuration= | =rsyslogd Configuration= | ||
The main [[Linux Logging Concepts#rsyslogd|rsyslogd]] configuration file is /etc/rsyslog.conf. | The main [[Linux Logging Concepts#rsyslogd|rsyslogd]] configuration file is <code>/etc/rsyslog.conf</code>. | ||
The configuration file contains | The configuration file contains global directives, rules and modules. A rule consists of filter and action. The filters can be facility/priority-based, property-based and expression-based. | ||
For more details on rsyslogd configuration see {{External|[https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-basic_configuration_of_rsyslog.html RHEL 7 System Administration Guide - Basic Configuration of rsyslog]}} | For more details on rsyslogd configuration see {{External|[https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-basic_configuration_of_rsyslog.html RHEL 7 System Administration Guide - Basic Configuration of rsyslog]}} | ||
| Line 13: | Line 13: | ||
==rsyslogd Log Rotation Configuration== | ==rsyslogd Log Rotation Configuration== | ||
rsyslogd-managed log files can be automatically rotated. The logrotate package contains a cron task that rotates log files based on the configuration found in /etc/logrotate.conf and /etc/logrotate.d/. The cron job runs daily. The essential configuration is similar to: | rsyslogd-managed log files can be automatically rotated. The logrotate package contains a cron task that rotates log files based on the configuration found in <code>/etc/logrotate.conf</code> and <code>/etc/logrotate.d/</code>. The cron job runs daily. The essential configuration is similar to: | ||
<pre> | <pre> | ||
# rotate log files weekly | # rotate log files weekly | ||
weekly | weekly | ||
# for hosts that do not have a lot of disk space or generate a large quantities of logs, you can rotate logs daily | |||
# daily | |||
# keep 4 weeks worth of backlogs | # keep 4 weeks worth of backlogs | ||
| Line 37: | Line 40: | ||
/var/log/wtmp { | /var/log/wtmp { | ||
monthly | monthly | ||
# weekly | |||
create 0664 root utmp | create 0664 root utmp | ||
minsize 1M | minsize 1M | ||
| Line 45: | Line 49: | ||
missingok | missingok | ||
monthly | monthly | ||
# weekly | |||
create 0600 root utmp | create 0600 root utmp | ||
rotate 1 | rotate 1 | ||
| Line 52: | Line 57: | ||
</pre> | </pre> | ||
All entries in /etc/logrotate.conf apply to every log file managed by rsyslogd, including to those whose configuration is specified in individual entries or in /etc/logrotate.d. Individua log file handing can be specified in /etc/logrotate.conf, as it is the case for /var/log/wtmp and /var/log/btmp in the above example, or in separated files placed in /etc/logrotate.d. Comments must be placed on lines that begin with '#'. Details on the configuration file syntax can be obtained with: | All entries in <code>/etc/logrotate.conf<code> apply to every log file managed by rsyslogd, including to those whose configuration is specified in individual entries or in <code>/etc/logrotate.d</code>. Individua log file handing can be specified in <code>/etc/logrotate.conf</code>, as it is the case for <code>/var/log/wtmp</code> and <code>/var/log/btmp</code> in the above example, or in separated files placed in <code>/etc/logrotate.d</code>. Comments must be placed on lines that begin with '#'. Details on the configuration file syntax can be obtained with: | ||
<pre> | <pre> | ||
| Line 60: | Line 65: | ||
Configuration directives: | Configuration directives: | ||
====daily|weekly|monthly|yearly==== | ====daily | weekly | monthly | yearly==== | ||
Specifies the rotation periodicity. | Specifies the rotation periodicity. | ||
====rotate <integer>==== | ====rotate <integer>==== | ||
Specifies the number of rotation the log file undergoes before it is removed or mailed. If 0 is specified, old files are removed immediately. | Specifies the number of rotation the log file undergoes before it is removed or mailed. If 0 is specified, old files are removed immediately. | ||
==Log Rotation Configuration File Syntax Verification== | |||
<pre> | |||
logrotate -d -f /etc/logrotate.conf | |||
</pre> | |||
==Enable rsyslogd to Listen for UDP Traffic== | |||
Some applications, like [[HAProxy]] for example, do not write their logs on the filesystem, but send them over UDP to the local syslogd server. In order to receive this traffic, rsyslogd must be configured as follows, by adding the following lines to /etc/rsyslog.conf: | |||
$ModLoad imudp | |||
$UDPServerAddress * | |||
$UDPServerRun 514 | |||
Normally, [[iptables]] is configured to allow local host traffic, but you should check in case it doesn't. | |||
=journald Configuration= | =journald Configuration= | ||
More details about [[Linux_Logging_Concepts#journald|journald]]. | More details about [[Linux_Logging_Concepts#journald|journald]]. | ||
Latest revision as of 23:47, 5 August 2023
Internal
rsyslogd Configuration
The main rsyslogd configuration file is /etc/rsyslog.conf.
The configuration file contains global directives, rules and modules. A rule consists of filter and action. The filters can be facility/priority-based, property-based and expression-based.
For more details on rsyslogd configuration see
rsyslogd Log Rotation Configuration
rsyslogd-managed log files can be automatically rotated. The logrotate package contains a cron task that rotates log files based on the configuration found in /etc/logrotate.conf and /etc/logrotate.d/. The cron job runs daily. The essential configuration is similar to:
# rotate log files weekly
weekly
# for hosts that do not have a lot of disk space or generate a large quantities of logs, you can rotate logs daily
# daily
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
dateext
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
monthly
# weekly
create 0664 root utmp
minsize 1M
rotate 1
}
/var/log/btmp {
missingok
monthly
# weekly
create 0600 root utmp
rotate 1
}
# system-specific logs may be also be configured here.
All entries in /etc/logrotate.conf apply to every log file managed by rsyslogd, including to those whose configuration is specified in individual entries or in /etc/logrotate.d. Individua log file handing can be specified in /etc/logrotate.conf, as it is the case for /var/log/wtmp and /var/log/btmp in the above example, or in separated files placed in /etc/logrotate.d. Comments must be placed on lines that begin with '#'. Details on the configuration file syntax can be obtained with:
man logrotate
Configuration directives:
daily | weekly | monthly | yearly
Specifies the rotation periodicity.
rotate <integer>
Specifies the number of rotation the log file undergoes before it is removed or mailed. If 0 is specified, old files are removed immediately.
Log Rotation Configuration File Syntax Verification
logrotate -d -f /etc/logrotate.conf
Enable rsyslogd to Listen for UDP Traffic
Some applications, like HAProxy for example, do not write their logs on the filesystem, but send them over UDP to the local syslogd server. In order to receive this traffic, rsyslogd must be configured as follows, by adding the following lines to /etc/rsyslog.conf:
$ModLoad imudp
$UDPServerAddress *
$UDPServerRun 514
Normally, iptables is configured to allow local host traffic, but you should check in case it doesn't.
journald Configuration
More details about journald.