The Rsyslog file can be used to configure a central logging server as well as to configure the individual client systems to send their log files to the logging server.
Rsyslog can be installed on both the Red Hat and Ubuntu distributions. The Adiscon Ubuntu Repository provides the newest versions of Rsyslog on Ubuntu. Similarly, the Adiscon RPM Repository provides the latest versions of Rsyslog for Red Hat/CentOS.
To use a system as a logging server, install the Rsyslog service on that system. Also, install the Rsyslog service on the systems that will send their logs to this server.
With the Rsyslog daemon, we can send logs to remote servers. Configuring Rsyslog is relatively straightforward. Centralizing the log files aids archiving and troubleshooting.
Why Are Log Files Important?
Log files are an indispensable part of a server setup. They are used in:
- Troubleshooting
- System Auditing
- Performance Analysis
Log files are a key source of critical information about a system and the various processes running on it. This information is used for auditing and troubleshooting.
What Will We Cover?
In this tutorial, you will learn about the Rsyslog service on Linux.
Choosing the Partition for /var/log
The /etc/rsyslog.conf file lists the log files that are managed by the rsyslogd daemon. The /var/log/ directory contains most of the log files. Applications like samba, httpd, and others also store their logs in a subdirectory of /var/log.
It is a good practice to mount the /var/log directory on a separate partition. This avoids a situation where the local logs fill up the space shared with the root filesystem. This is a critically important step when configuring servers that receive large volumes of log messages from multiple remote systems.
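The following is an added example, not part of the original tutorial, that performs the check behind this advice: it parses the /proc/self/mountinfo format (field 5 is the mount point) and reports whether /var/log sits on its own mount or shares the root filesystem. The mountinfo samples embedded below are constructed, and the device names in them are placeholders.

```python
import shutil
from typing import Optional, Tuple


def mount_point_for(path: str, mountinfo: str) -> Optional[str]:
    """Return the mount point that holds `path`, given text in the
    /proc/self/mountinfo format. The mount point is the 5th whitespace-
    separated field; a space in a mount point is escaped as \\040.
    The longest matching mount point wins (deepest mount)."""
    target = path.rstrip("/") or "/"
    best: Optional[str] = None
    for line in mountinfo.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        mnt = fields[4].replace("\\040", " ").rstrip("/") or "/"
        # "/" is a prefix of everything; other mount points must match on a
        # path-component boundary so that /var does not claim /variants.
        prefix = mnt.rstrip("/") + "/"
        if target == mnt or target.startswith(prefix):
            if best is None or len(mnt) > len(best):
                best = mnt
    return best


def log_dir_is_separate(path: str = "/var/log",
                        mountinfo: Optional[str] = None) -> bool:
    """True when `path` is itself a mount point (separate partition).
    Reads the live /proc/self/mountinfo unless text is supplied."""
    if mountinfo is None:
        with open("/proc/self/mountinfo", encoding="utf-8") as fh:
            mountinfo = fh.read()
    return mount_point_for(path, mountinfo) == (path.rstrip("/") or "/")


def free_space_report(path: str = "/var/log") -> Tuple[int, int]:
    """(free_bytes, total_bytes) for the filesystem holding `path`."""
    usage = shutil.disk_usage(path)
    return usage.free, usage.total


# Constructed samples: first a host where /var/log shares the root
# filesystem, then the same host with a dedicated /var/log mount.
SAMPLE_MOUNTINFO_SHARED = """\
22 1 253:0 / / rw,relatime shared:1 - xfs /dev/mapper/vg-root rw,inode64
33 22 8:1 / /boot rw,relatime shared:2 - xfs /dev/sda1 rw
"""
SAMPLE_MOUNTINFO_SEPARATE = SAMPLE_MOUNTINFO_SHARED + (
    "34 22 253:2 / /var/log rw,relatime shared:3 - xfs /dev/mapper/vg-log rw\n"
)

if __name__ == "__main__":
    for label, text in (("shared", SAMPLE_MOUNTINFO_SHARED),
                        ("separate", SAMPLE_MOUNTINFO_SEPARATE)):
        print(label, "->", mount_point_for("/var/log", text),
              "separate:", log_dir_is_separate("/var/log", text))
    # On a real host, pass no text to inspect the live mount table.
    free, total = free_space_report("/")
    print(f"free on /: {free // 2**20} MiB of {total // 2**20} MiB")
```

Run it without arguments on a log server to see whether the local /var/log is isolated; a `False` result for the live mount table means a flood of remote messages can exhaust the root filesystem.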
The Rsyslog Logging Service
The rsyslog application helps in centralizing log collection across your infrastructure. It works in parallel with systemd-journald. Although the rsyslog service is still used on Red Hat systems, it is gradually being replaced by this newer logging system, systemd-journald.
systemd-journald was introduced with systemd in RHEL 7 and continues to be used in RHEL 8 and 9. The Rsyslog service provides backward compatibility on newer RHEL systems.
The rsyslog.conf Configuration File
Let us now deal with the actual rsyslog.conf file, located at /etc/rsyslog.conf. This file is backward compatible with the syslog.conf file of sysklogd.
The rules specified in this file govern how rsyslogd deals with messages. In general, messages can be categorized by their source, topic (facility), and urgency (priority). Once classified, an action can be assigned and performed when a message meets the configured condition.
This file has three major specifications: Global Directives, Modules, and Rules. The rules section comprises the filter and action components.
Sample File Snippet on RHEL 8:
# rsyslog configuration file
#### MODULES ####
module(load="imuxsock")   # provides support for local system logging (e.g. via logger command)
# local messages are retrieved through imjournal now.
module(load="imjournal")  # provides access to the systemd journal
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")
# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")
#### RULES ####
# Log all kernel messages to the console.
#kern.*                                                 /dev/console
Global Directives
Global directives are used to configure the rsyslogd daemon. Generally, they specify a value for a particular pre-defined variable that impacts the functionality of rsyslogd or a rule.
Module Section
Adding extensions to Rsyslog is simple because of its modular architecture. When you open the file, there is a line:
module(load="imuxsock")
The purpose of this line is to direct Rsyslog to load the “imuxsock” module, which receives messages through /dev/log.
Then, there is a block for UDP syslog reception:
#module(load="imudp")
#input(type="imudp" port="514")
These lines begin with “#”, so they are comments and are ignored. They nevertheless show how to configure the Rsyslog server to receive messages over UDP.
The first line loads the module called “imudp”. The second line specifies UDP port 514 as the port on which the module should listen for log messages. When you want to use this feature, simply uncomment these lines.
Rules Section
At the bottom of the config file, there is a block which contains the following lines:
$IncludeConfig /etc/rsyslog.d/*.conf
Other files can be included in an Rsyslog configuration, which makes the configuration simpler to manage, particularly when overseeing a large network of systems. This directive instructs rsyslogd to load all files inside /etc/rsyslog.d. It is the legacy form of the include() statement seen in the sample file above.
Selectors and Actions
To send a log message somewhere, we have to define a rule that matches the message. For example, consider the following line from /etc/rsyslog.d/50-default.conf:
*.=debug    /var/log/debug
Here, the first part, “*.=debug”, is a selector. The next part, “/var/log/debug”, is the path to the location where rsyslogd puts the filtered messages.
The filter part of a rule selects which syslog messages the rule applies to. The action part decides what is to be done with these messages.
Rsyslog has different ways of filtering the Syslog messages based on the chosen properties. The filtering methods can be classified based on: Facility/Priority, Property, and Expressions.
The actions part, as mentioned earlier, specifies what to do with the previously-filtered messages. Actions can be storing the syslog messages to the log files, transferring the Syslog messages across a network, etc.
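To make the facility/priority filter concrete, here is an added example (not code from the tutorial or from the rsyslog project) that decodes the <PRI> header of a wire-format syslog message, as imudp or imtcp would receive it on port 514, and evaluates it against selector lines with the same left-to-right semantics as sysklogd and rsyslog: a plain priority means that level and everything more severe, “=” means exactly that level, “!” removes levels, and “none” clears a facility. It goes beyond the single `*.=debug` line on the page to cover the general selector grammar. The rule set and the three messages below are constructed; hostnames and process names in them are placeholders.

```python
import re
from typing import Dict, List, Set, Tuple

# Syslog facility and severity codes (RFC 3164 numbering, rsyslog names).
FACILITIES: Dict[str, int] = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITIES: Dict[str, int] = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
ALL_SEVERITIES: Set[int] = set(range(8))
Mask = Dict[int, Set[int]]  # facility code -> severities that pass the filter


def parse_pri(line: str) -> Tuple[int, int]:
    """Decode the <PRI> header into (facility, severity).
    PRI = facility * 8 + severity, so the top bits are the facility."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m:
        raise ValueError(f"no <PRI> header: {line[:20]!r}")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 7


def compile_selector(selector: str) -> Mask:
    """Turn 'fac[,fac].[!][=]prio[;...]' into a per-facility severity mask.
    Sub-selectors apply left to right, so a later 'none' or '!' entry
    removes what an earlier entry allowed (e.g. '*.info;mail.none')."""
    mask: Mask = {code: set() for code in FACILITIES.values()}
    for part in selector.split(";"):
        part = part.strip()
        if not part:
            continue
        facs, prio = part.rsplit(".", 1)
        negate = prio.startswith("!")
        if negate:
            prio = prio[1:]
        exact = prio.startswith("=")
        if exact:
            prio = prio[1:]
        targets = (list(FACILITIES.values()) if facs == "*"
                   else [FACILITIES[f.strip()] for f in facs.split(",")])
        for fac in targets:
            current = mask[fac]
            if prio == "none":
                current.clear()
            elif prio == "*":
                if negate:
                    current.clear()
                else:
                    current.update(ALL_SEVERITIES)
            else:
                sev = SEVERITIES[prio]
                # Default: the named level plus all more severe (lower) levels.
                levels = {sev} if exact else set(range(sev + 1))
                if negate:
                    current.difference_update(levels)
                else:
                    current.update(levels)
    return mask


def parse_rule(line: str) -> Tuple[Mask, str]:
    """Split 'selector   action' into a compiled mask and the action.
    A leading '-' on a file action only disables syncing; strip it."""
    selector, action = line.split(None, 1)
    return compile_selector(selector), action.strip().lstrip("-")


def route(message: str, rules: List[Tuple[Mask, str]]) -> List[str]:
    """Return the actions whose filter matches one wire-format message."""
    facility, severity = parse_pri(message)
    return [action for mask, action in rules
            if severity in mask.get(facility, set())]


# Constructed rule set, modelled on the default RHEL rules section.
SAMPLE_RULES = [parse_rule(line) for line in (
    "kern.*                                   /dev/console",
    "*.info;mail.none;authpriv.none;cron.none /var/log/messages",
    "authpriv.*                               /var/log/secure",
    "mail.*                                   -/var/log/maillog",
    "cron.*                                   /var/log/cron",
)]

# Constructed messages as they would arrive on UDP/TCP port 514.
SAMPLE_MESSAGES = [
    "<34>Oct 11 22:14:15 host1 su: 'su root' failed for alice on /dev/pts/8",   # auth.crit
    "<86>Oct 11 22:14:16 host1 sshd[1042]: Accepted publickey for ops",         # authpriv.info
    "<7>Oct 11 22:14:17 host1 kernel: usb 1-1: new high-speed USB device",      # kern.debug
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(parse_pri(msg), route(msg, SAMPLE_RULES), msg[:45])
```

Feeding a message through `route()` before changing a production rule set is a cheap way to confirm that, for example, authpriv traffic really stops landing in /var/log/messages once `authpriv.none` is added to that rule.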
Getting the Rsyslog Documentation
Comprehensive documentation for the Rsyslog application is available online at https://www.rsyslog.com/doc/. A local documentation package called rsyslog-doc can also be installed on your system.
To install this package on RHEL 8, you need the AppStream repository enabled and administrative access on your system. Once these requirements are met, simply run the following command to install the package:
sudo dnf install rsyslog-doc
To verify that the package is installed correctly, run the following command:
rpm -q rsyslog-doc
Editing the rsyslog.conf File
Before editing this file, take a backup so that we can restore a known-good copy if something goes wrong.
Let’s configure this file for UDP reception. Open the file and uncomment the lines corresponding to UDP:
module(load="imudp")
input(type="imudp" port="514")
Similarly, to configure this file for TCP reception, uncomment the lines corresponding to TCP:
module(load="imtcp")
input(type="imtcp" port="514")
Conclusion
This tutorial presents an overview of the Rsyslog service in Linux. You can also refer to the man pages for detailed information about this service.