Dissecting the default settings of /etc/rsyslog.conf on CentOS 7
May 6, 2020 @pa_pa_paper
MODULES
Nothing beyond the stock settings appears to be configured here by default.
#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
GLOBAL DIRECTIVES
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$ActionFileDefaultTemplate sets the output format of the log timestamp. With RSYSLOG_TraditionalFileFormat, timestamps are written in the form Jan 4 12:05:14.
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
This includes every *.conf file under /etc/rsyslog.d/.
RULES
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
Logs with priority info or higher whose facility is not mail, authpriv, or cron are written to /var/log/messages.
# The authpriv file has restricted access.
authpriv.* /var/log/secure
Logs with facility authpriv are written to /var/log/secure.
# Log all the mail messages in one place.
mail.* -/var/log/maillog
Logs with facility mail are written to /var/log/maillog.
Putting a - in front of the absolute file path, as in -/var/log/maillog, reduces the write load of logging (the file is not synced after every write). However, log entries may be lost if a failure occurs. Note that rsyslog only honors this dash when $ActionFileEnableSync is on, and the GLOBAL DIRECTIVES above leave syncing disabled by default, so in the stock configuration the dash makes no practical difference.
# Everybody gets emergency messages
*.emerg :omusrmsg:*
Logs with priority emerg are sent to the terminals of all logged-in users. omusrmsg is the plugin that writes log messages to users' terminals.
List of users
Usually critical messages are also directed to "root" on that machine.
You can specify a list of users that shall get the message by simply writing ":omusrmsg:" followed by the login name.
You may specify more than one user by separating them with commas (',').
If they're logged in they get the message (for example: ":omusrmsg:root,user1,user2").
Facilities, priorities, and actions
Facilities
auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp and local0 through local7
Priorities
none, debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg)
Actions
file name, @@hostname (remote host), user name, /dev/console
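Added example (my own code, not part of the article): a small Python matcher for classic rsyslog selectors that implements the facility.priority semantics listed above and routes a message through the uncommented rules from the RULES section. It reproduces the article's logger -p syslog.info check offline and also handles the =pri, !pri and none forms; the rule list, the names parse_selector and route, and the standard facility list (with security treated as an alias of auth) are my assumptions.

```python
# Facilities and priorities in syslog order; aliases map to their canonical names.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FAC_ALIAS = {"security": "auth"}
PRI_ALIAS = {"warn": "warning", "error": "err", "panic": "emerg"}


def parse_selector(selector):
    """Return {facility: set of enabled priority indexes} for one selector.
    Classic (sysklogd-compatible) semantics: 'pri' = that priority and higher,
    '=pri' = exactly that priority, '!pri' = drop pri and higher, 'none' clears
    the facility, '*' = everything. ';'-separated parts are applied in order."""
    table = {f: set() for f in FACILITIES}
    for part in selector.split(";"):
        facs, pri = part.rsplit(".", 1)
        negate = pri.startswith("!")
        exact = pri.lstrip("!").startswith("=")
        pri = pri.lstrip("!=").strip()
        targets = (FACILITIES if facs.strip() == "*"
                   else [FAC_ALIAS.get(f.strip(), f.strip()) for f in facs.split(",")])
        if pri in ("none", "*"):
            levels = set(range(len(PRIORITIES)))  # 'none' clears, '!none' re-enables all
        else:
            idx = PRIORITIES.index(PRI_ALIAS.get(pri, pri))  # ValueError on unknown names
            levels = {idx} if exact else set(range(idx, len(PRIORITIES)))
        for fac in targets:
            if pri == "none":
                table[fac] = set(levels) if negate else set()
            elif negate:
                table[fac] -= levels
            else:
                table[fac] |= levels
    return table


def route(rules, facility, priority):
    """List the actions, in rule order, that fire for one facility/priority pair."""
    facility = FAC_ALIAS.get(facility, facility)
    level = PRIORITIES.index(PRI_ALIAS.get(priority, priority))
    return [act for sel, act in rules if level in parse_selector(sel)[facility]]


# The uncommented rules of the CentOS 7 default /etc/rsyslog.conf as (selector, action).
CENTOS7_RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"), ("mail.*", "-/var/log/maillog"),
    ("cron.*", "/var/log/cron"), ("*.emerg", ":omusrmsg:*"),
    ("uucp,news.crit", "/var/log/spooler"), ("local7.*", "/var/log/boot.log"),
]
```

route(CENTOS7_RULES, "syslog", "info") returns ['/var/log/messages'], matching where the article's test message lands.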
Log forwarding rule
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
*.* @@remote-host:514
Adding a line like the one above forwards all logs to the remote host (@@ sends over TCP, as the comments in the block note).
* 514 is the syslog port number.
Notes on changing rsyslog.conf
To apply configuration changes, rsyslog.service must be restarted.
# systemctl restart rsyslog.service
Checking that the rsyslog configuration works
Generate a dummy log message to check the configuration. The logger command can generate log messages.
$ logger -p syslog.info -t test "this is a test log."
The -p option specifies facility.priority and the -t option specifies the tag.
# tail /var/log/messages
Jan 4 13:05:02 hostname test: this is a test log.
Because the facility specified here was syslog, the log line above was written to /var/log/messages.