Rsyslog
Basic Install
sudo apt install rsyslog -y
sudo apt install net-tools
systemctl start rsyslog
systemctl enable rsyslog
sudo nano /etc/rsyslog.conf
Uncomment the UDP and TCP reception lines:
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
systemctl restart rsyslog
# then test
netstat -4altunp | grep 514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN -
udp 0 0 0.0.0.0:514 0.0.0.0:* -
# check config
rsyslogd -f /etc/rsyslog.conf -N1
rsyslogd: version 8.2001.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
Template for receiving remote messages
$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
& ~
The received logs are parsed using the template above and stored under the directory /var/log/. The file naming follows the %HOSTNAME% and %PROGRAMNAME% variables, i.e. the client hostname and the client facility (program) that produced the log message.
The & ~ line instructs the rsyslog daemon to stop processing the message once it has been written to that file, so it is stored only there and not duplicated into the local log files. On current rsyslog versions the ~ (discard) action is deprecated in favour of the equivalent & stop.
# view logs: /var/log/<device name>/<log name>.log
tail -f /var/log/SRX110_DC2/RT_FLOW.log
Limit which senders may deliver logs to a specific subnet, IP or domain:
$AllowedSender TCP, 127.0.0.1, 192.168.10.0/24, *.example.com
Rsyslog TLS Configuration (Loggly)
sudo apt-get install rsyslog-gnutls
nano /etc/rsyslog.d/22-loggly.conf
# Setup disk assisted queues
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
#RsyslogGnuTLS
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt
template(name="LogglyFormat" type="string"
string="<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [TOKEN@41058 tag=\"RsyslogTLS\"] %msg%\n"
)
# Send messages to Loggly over TCP using the template.
action(type="omfwd" protocol="tcp" target="logs-01.loggly.com" port="6514"
       template="LogglyFormat"
       StreamDriver="gtls" StreamDriverMode="1"
       StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="*.loggly.com")
TOKEN: replace with your customer token from the Loggly source setup page.
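As an added example (not from this page, rsyslog or Loggly), the Python below renders a line in exactly the LogglyFormat layout above, parses a received line back into its fields so the field order and PRI value can be checked, and can fire a plain-text test message at the imudp input configured earlier so it shows up under /var/log/<hostname>/<program>.log. The token value and the xst01 test message are placeholders.

```python
import re
import socket
from datetime import datetime, timezone

# Facility and severity codes from RFC 5424; %pri% is facility * 8 + severity.
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}
TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder customer token, not real

def pri(facility, severity):
    """Compute the <PRI> value the template emits via %pri%."""
    return FACILITY[facility] * 8 + SEVERITY[severity]

def build_message(hostname, app_name, msg, facility="user", severity="info",
                  procid="-", msgid="-", timestamp=None, token=TOKEN):
    """Render one line the way the LogglyFormat template does:
    <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [TOKEN@41058 tag="RsyslogTLS"] MSG\\n"""
    ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="microseconds")
    sd = f'[{token}@41058 tag="RsyslogTLS"]'
    return f"<{pri(facility, severity)}>1 {ts} {hostname} {app_name} {procid} {msgid} {sd} {msg}\n"

# RFC 5424 header, then "-" or one or more [SD-ID param="value" ...] elements, then MSG.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$")
SD_ELEMENT = re.compile(r'\[(\S+?)((?: [^=\s]+="[^"]*")*)\]')
SD_PARAM = re.compile(r'([^=\s]+)="([^"]*)"')

def parse_message(line):
    """Split a received line back into its fields; ValueError if the layout is off."""
    m = HEADER.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not an RFC 5424 line: %r" % line)
    p = int(m["pri"])
    sd = {sd_id: dict(SD_PARAM.findall(params))
          for sd_id, params in SD_ELEMENT.findall(m["sd"])}
    return {"facility": p // 8, "severity": p % 8, "timestamp": m["ts"],
            "hostname": m["host"], "app_name": m["app"], "procid": m["procid"],
            "msgid": m["msgid"], "sd": sd, "msg": m["msg"] or ""}

def send_message(line, host="127.0.0.1", port=514):
    """Deliver one line in plain text to the imudp input on port 514 for a local test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (host, port))

if __name__ == "__main__":
    test = build_message("xst01", "rsyslogd", "rsyslog receiver test", severity="notice")
    print(test, end="")
    # send_message(test)  # then: tail -f /var/log/xst01/rsyslogd.log on the receiver
```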
Open your /etc/rsyslog.conf and modify the $MaxMessageSize with
$MaxMessageSize 64k
If $MaxMessageSize is not already present, add it. For it to take effect, put it at the top of the configuration file.
Stream to Loggly
There should be a section in the rsyslog config that will look like this:
# Setup disk assisted queues
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
You can remove the ActionQueueFileName and ActionQueueMaxDiskSpace entries to disable queueing on disk and keep only an in-memory buffer. If you want every message forwarded directly and immediately without any buffering, remove the whole block.
We'd recommend keeping an in-memory queue so that there is some degree of buffering.
Errors in logs
Dec 8 18:33:08 xst01 rsyslogd: action 'action-6-builtin:omfile' suspended (module 'builtin:omfile'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2001.0 try https://www.rsyslog.com/e/2007 ]
Open /etc/rsyslog.conf and comment or remove the following lines.
# Set the default permissions for all log files.
#$FileOwner syslog
#$FileGroup adm
#$FileCreateMode 0640
#$DirCreateMode 0755
#$Umask 0022
#$PrivDropToUser syslog
#$PrivDropToGroup syslog
REF:
https://forum.virtualmin.com/t/got-some-strange-rsyslogd-error-messages/108474
https://askubuntu.com/questions/1066997/every-few-minutes-rsyslog-outputs-rsyslogd-action-action-3-resumed-module/1086743#1086743