25.05.2013 21:06
24.05.2013 21:51

Remote logs with syslog and rsyslog

While syslogd is quite old, there is still a plenty of machines using it, on the server you may have however a newer OS - in my case it has rsyslog. To make those two cooperate is nasty.

sysklogd is on clients for me, rsyslog is on server.

Problems and solutions

1. Server rsyslog put all the remote logs also to a default system log and if you enable logging from remote hosts based on IP, it will also create a duplicate log with loopback IP 127.0.0.1. How to prevent this?

Solution: Use conditional logging based on hosname and discard remote logs to not go to local log

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# This one is the template to generate the log filename dynamically, depending on the client's IP address.
$template FILENAME,"/var/log/remote/%fromhost-ip%-syslog.log"

# Log all messages to the dynamically formed file. Now each clients log (192.168.1.2, 192.168.1.3,etc...),
# will be under a separate directory which is formed by the template FILENAME.
# put this before *.*; /var/log/syslog etc.
if ($hostname != 'logserver') then ?FILENAME

&~
2. Client syslogd is not sending log messages with a hostname thru remote logging directive
*.*;    @logserver
and you can not store the message on the server based on the hostname, but you have to use IP address. This is a problem if you have a machine with more than one IP and you do not know, which one will be used to transmit a message (typically routers).

Solution: NAT the messages going out of the client to look like they are still from the same IP

iptables -t nat -A POSTROUTING -p udp -d logserver --dport 514 -j SNAT --to <my IP address>

3. Client e.g. httpd apache logs are not going thru syslog by default, apache2 can log remotely, you have to redirect the apache logs to syslog. Most interested I am in access logs.

Solution: Change the apache CustomLog directive to go to /usr/bin/logger instead of /var/log/apache2/access.log

CustomLog |/usr/bin/logger combined

Disadvantage is, you will no longer have entries in access.log, but you may do a more clever solution with own script and split the logs again based on localX directive in syslog.


Email comment