1
00:00:07,170 --> 00:00:09,900
- All right, apart from the systemd journal,

2
00:00:09,900 --> 00:00:11,130
as we have just discussed,

3
00:00:11,130 --> 00:00:14,490
rsyslogd is still pretty important as well.

4
00:00:14,490 --> 00:00:16,470
So let's have a quick look at it.

5
00:00:16,470 --> 00:00:17,730
So in rsyslogd,

6
00:00:17,730 --> 00:00:19,650
facilities and priorities are used

7
00:00:19,650 --> 00:00:21,600
to define how logging should happen,

8
00:00:21,600 --> 00:00:25,260
and where the log information is written to.

9
00:00:25,260 --> 00:00:26,880
Facilities define the item

10
00:00:26,880 --> 00:00:29,010
for which logging is happening.

11
00:00:29,010 --> 00:00:32,880
And that's also one of the weak spots of rsyslogd.

12
00:00:32,880 --> 00:00:35,730
The facilities were created a long time ago,

13
00:00:35,730 --> 00:00:39,540
and nowadays there aren't enough adequate facilities

14
00:00:39,540 --> 00:00:40,950
to address all the services

15
00:00:40,950 --> 00:00:44,100
that are typically running on Linux.

16
00:00:44,100 --> 00:00:46,230
Priorities define the severity levels

17
00:00:46,230 --> 00:00:48,840
in which case messages should be logged.

18
00:00:48,840 --> 00:00:51,270
And modules can be used to handle log input

19
00:00:51,270 --> 00:00:53,070
and log output as well.

20
00:00:53,070 --> 00:00:54,093
Let's check it out.

21
00:00:57,120 --> 00:01:00,873
So our main configuration is in /etc/rsyslog.conf.

22
00:01:01,860 --> 00:01:06,240
Notice that there is also a directory for dropping files,

23
00:01:06,240 --> 00:01:08,100
which by default is empty,

24
00:01:08,100 --> 00:01:10,740
but you may find packages on your distribution

25
00:01:10,740 --> 00:01:14,010
that have dropped additional rsyslog configuration

26
00:01:14,010 --> 00:01:16,053
in /etc/rsyslog.d.

27
00:01:17,130 --> 00:01:20,430
Now, what do we see? We see the global directives.

28
00:01:20,430 --> 00:01:22,020
So in the global directives,

29
00:01:22,020 --> 00:01:24,780
well, this is just global information,

30
00:01:24,780 --> 00:01:26,823
not the most important part.

31
00:01:27,780 --> 00:01:30,360
Here we have the module information,

32
00:01:30,360 --> 00:01:33,120
and in this module information we can see, for instance,

33
00:01:33,120 --> 00:01:34,923
module load is imjournal.

34
00:01:36,000 --> 00:01:38,310
I-M stands for input module.

35
00:01:38,310 --> 00:01:41,010
And this module ensures that rsyslog

36
00:01:41,010 --> 00:01:42,750
is including all information

37
00:01:42,750 --> 00:01:44,350
that was written to the journal.

38
00:01:46,380 --> 00:01:49,500
Another input module that is interesting

39
00:01:49,500 --> 00:01:54,450
is right here: imudp, port is 514.

40
00:01:54,450 --> 00:01:56,370
If you want rsyslog to be configured

41
00:01:56,370 --> 00:01:58,770
as a centralized log server,

42
00:01:58,770 --> 00:02:00,780
then you need to enable this module

43
00:02:00,780 --> 00:02:03,780
as well as the imtcp module,

44
00:02:03,780 --> 00:02:06,270
which allows you to send log events

45
00:02:06,270 --> 00:02:09,780
using the old UDP transport mechanism

46
00:02:09,780 --> 00:02:13,053
or the newer and more secure TCP transport mechanism.

47
00:02:13,920 --> 00:02:15,680
And then we have the rules.

48
00:02:15,680 --> 00:02:18,750
The rules are where we get to the heart of rsyslog.

49
00:02:18,750 --> 00:02:20,127
So here we can see the rule

50
00:02:20,127 --> 00:02:24,450
*.info;mail.none;authpriv.none;cron.none.

51
00:02:24,450 --> 00:02:25,663
What does that mean?

52
00:02:25,663 --> 00:02:26,910
* is anything.

53
00:02:26,910 --> 00:02:31,620
So for everything with a severity of info and higher,

54
00:02:31,620 --> 00:02:33,900
but not for mail and authpriv and cron,

55
00:02:33,900 --> 00:02:35,793
we write to /var/log/messages.

56
00:02:37,020 --> 00:02:38,850
And what is happening with authpriv?

57
00:02:38,850 --> 00:02:40,890
Well, authpriv is a facility

58
00:02:40,890 --> 00:02:42,870
that relates to authentication,

59
00:02:42,870 --> 00:02:44,850
and everything that comes from authpriv

60
00:02:44,850 --> 00:02:46,860
is written to /var/log/secure.

61
00:02:46,860 --> 00:02:48,540
Everything that comes from mail

62
00:02:48,540 --> 00:02:50,550
is written to /var/log/maillog,

63
00:02:50,550 --> 00:02:52,380
and that's how it works.

64
00:02:52,380 --> 00:02:56,130
Now, here we can see an interesting one: *.emerg.

65
00:02:56,130 --> 00:02:58,560
If we get an emergency message,

66
00:02:58,560 --> 00:03:00,540
emergency is really

67
00:03:00,540 --> 00:03:04,170
where your system is not functioning correctly anymore.

68
00:03:04,170 --> 00:03:05,853
Then we write to omusrmsg.

69
00:03:07,170 --> 00:03:08,790
O-M is output module.

70
00:03:08,790 --> 00:03:11,040
So it's using a specific module

71
00:03:11,040 --> 00:03:14,253
to send a message to all users that are logged in.

72
00:03:16,080 --> 00:03:17,610
Now, is there anything else?

73
00:03:17,610 --> 00:03:20,400
Yeah, one more thing: Target=

74
00:03:20,400 --> 00:03:22,320
If you want this system to be configured

75
00:03:22,320 --> 00:03:25,350
to send log messages to a remote system,

76
00:03:25,350 --> 00:03:26,760
you should tweak this line

77
00:03:26,760 --> 00:03:28,980
and make sure that your target is set

78
00:03:28,980 --> 00:03:30,870
to the remote host's IP address,

79
00:03:30,870 --> 00:03:34,823
and port is set most likely to port 514.

80
00:03:34,823 --> 00:03:39,030
This is the default log port for rsyslog.

81
00:03:39,030 --> 00:03:40,880
And that's how you work with rsyslog.

82
00:03:42,300 --> 00:03:43,470
Oh, and one thing.

83
00:03:43,470 --> 00:03:45,180
If you made modifications,

84
00:03:45,180 --> 00:03:50,180
don't forget systemctl restart rsyslog.service,

85
00:03:50,550 --> 00:03:53,280
because otherwise it won't pick up the modifications

86
00:03:53,280 --> 00:03:54,513
automatically for you.