Configuring rsyslog

Configure rsyslog to include custom organization-specific behaviors.

You can customize rsyslog configuration in two ways:

  • Edit the /etc/rsyslog.conf file.
  • Create a configuration file and store it in the /etc/rsyslog.d directory. You can select this option to prevent custom configurations from being overwritten when system packages are updated.

Some changes are straightforward to implement within the /etc/rsyslog.conf file, such as configuring the log for a specific selector. For example, to change the log for cron messages to cron_new, add the following line:

cron.*     /var/log/cron_new

Restart the rsyslog service for the change to take effect.

Other changes often require more parameter definitions and steps.

For example, you can create a rule that uses TCP to forward messages to another server where system messages are logged. The following steps implement this sample rule:

  1. Create a separate file, for example, /etc/rsyslog.d/forwarding.conf (the name must end in .conf so that the include directive in /etc/rsyslog.conf picks it up), and set the parameters for TCP forwarding in that file, similar to the following:
    *.* action(type="omfwd"
      queue.filename="fwdRule1"
      queue.maxdiskspace="1g"
      queue.saveOnShutdown="on"
      queue.type="linkedlist"
      action.resumeRetryCount="-1"
      target="example.com" port="30514" protocol="tcp"
    )

    The following list explains the purpose and allowed values for each setting:

    queue.filename

    This is the prefix to be attached to the names of each backup file. The prefixed backup files are created in the location as specified by the workDir global directive, for example, global(workDirectory="/var/log").

    queue.maxdiskspace

    Sets the maximum disk space that the queue's backup files can occupy.

    queue.saveOnShutdown

    Sets whether data still held in the in-memory queue is saved to disk when rsyslog shuts down.

    queue.type

    Selects a LinkedList in-memory queue.

    action.resumeRetryCount

    Sets the number of retries. A setting of -1 retries indefinitely if the remote host is unavailable.

    target

    This can be a remote host name or an IP address.

    Based on the sample configuration, rsyslog forwards messages to the remote server named by target (example.com in the sample). The rsyslog service also keeps messages in memory while the remote server is unavailable. If rsyslog shuts down or exhausts the allotted memory, it creates files on disk, using the configured prefix in the file names.

  2. Open the /etc/rsyslog.conf configuration file and ensure that the module for TCP syslog reception is loaded. Verify that the comment marks are removed from the following lines:
    module(load="imtcp")
    input(type="imtcp" port="514")
  3. Also ensure that the global directive that includes the files in /etc/rsyslog.d is enabled. Verify that the following line isn't commented out (only files whose names end in .conf match this pattern):
    include(file="/etc/rsyslog.d/*.conf" mode="optional")
  4. Save the /etc/rsyslog.conf configuration file and exit.
  5. Restart the rsyslog service by running the following command:
    sudo systemctl restart rsyslog

The new logging rule is now configured and forwards system messages to the remote server.

To manage the rotation and archival of the correct logs, edit the /etc/logrotate.d/syslog configuration file so that it references each of the log files that are defined in the RULES section of the /etc/rsyslog.conf configuration file.

To configure how often the logs are rotated and how many past copies of the logs are archived, edit the /etc/logrotate.conf configuration file.
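The following script is an added example and is not part of the original page: it writes the forwarding rule from the procedure above into a .conf file under a directory you choose, checks that the rule keeps the settings that prevent log loss while the collector is unreachable (a disk-assisted queue, save on shutdown, unlimited retries, TCP), optionally parses the result with rsyslogd -N1, and writes a matching logrotate stanza for a custom log such as /var/log/cron_new so that the rotation step is covered too. The file name forwarding.conf, the --install switch, the weekly/rotate 4 policy and the postrotate command are assumptions made here, not settings from the page.

```shell
#!/bin/sh
# Added example, not part of the original page. Generates and checks the
# rsyslog forwarding rule and a logrotate stanza; directory and host arguments
# are supplied by the caller.
set -eu

# write_forward_conf DIR TARGET PORT
# Writes DIR/forwarding.conf with the page's sample omfwd rule and prints its path.
write_forward_conf() {
    dir=$1; target=$2; port=$3
    cat > "$dir/forwarding.conf" <<EOF
*.* action(type="omfwd"
      queue.filename="fwdRule1"
      queue.maxdiskspace="1g"
      queue.saveOnShutdown="on"
      queue.type="linkedlist"
      action.resumeRetryCount="-1"
      target="$target" port="$port" protocol="tcp"
)
EOF
    printf '%s\n' "$dir/forwarding.conf"
}

# check_forward_conf FILE
# Returns 0 when FILE is matched by include(file="/etc/rsyslog.d/*.conf") and its
# rule queues to disk, saves the queue on shutdown, retries forever and uses TCP.
# A missing setting means messages can be silently dropped while the collector is down.
check_forward_conf() {
    f=$1
    case "$f" in
        *.conf) ;;
        *) echo "$f: name does not end in .conf, rsyslog will not include it" >&2; return 1 ;;
    esac
    for setting in 'queue.filename=' 'queue.saveOnShutdown="on"' \
                   'action.resumeRetryCount="-1"' 'protocol="tcp"'; do
        grep -q -- "$setting" "$f" || { echo "$f: missing $setting" >&2; return 1; }
    done
    return 0
}

# validate_with_rsyslogd FILE
# Parses FILE with rsyslogd -N1 (configuration check only; the daemon is not started).
validate_with_rsyslogd() {
    rsyslogd -N1 -f "$1"
}

# write_logrotate_conf DIR LOGFILE
# Writes DIR/<basename of LOGFILE> with a weekly stanza that keeps four archives and
# signals rsyslog to reopen the file after rotation (assumed policy); prints the path.
write_logrotate_conf() {
    dir=$1; logfile=$2
    out="$dir/$(basename "$logfile")"
    cat > "$out" <<EOF
$logfile {
    weekly
    rotate 4
    missingok
    notifempty
    compress
    delaycompress
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}
EOF
    printf '%s\n' "$out"
}

# Run as root with --install to apply the files to the live system, for example:
#   sh forward-setup.sh --install example.com 30514 /var/log/cron_new
if [ "${1:-}" = "--install" ]; then
    conf=$(write_forward_conf /etc/rsyslog.d "${2:-example.com}" "${3:-30514}")
    check_forward_conf "$conf"
    validate_with_rsyslogd "$conf"
    write_logrotate_conf /etc/logrotate.d "${4:-/var/log/cron_new}"
    systemctl restart rsyslog
fi
```

Without --install the script only defines the functions, so it can be sourced and pointed at a scratch directory to preview the generated files before touching /etc. The check deliberately fails on a file named forwarding without the .conf suffix, which is the easiest way to end up with a rule that is never loaded.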

For more information about log rotation, see the logrotate(8), logwatch(8), rsyslogd(8) and rsyslog.conf(5) manual pages.