Ubuntu Security Recommendation on Logging

A. Install and configure Rsyslog

Rsyslog is the recommended syslog server on Linux and has replaced the “syslogd” program. It has better features and improvements such as TCP log transmission, encryption and logging to a database.

1. Install the package

apt install rsyslog

2. Verify if rsyslog is installed

dpkg -s rsyslog

3. Verify if rsyslog is enabled

systemctl is-enabled rsyslog

If it is not enabled, execute the following command to enable and start rsyslog:

systemctl --now enable rsyslog

4. Configure logging
Note: Configuration file is /etc/rsyslog.conf and additional files are located under /etc/rsyslog.d/ directory

Here’s a sample configuration of /etc/rsyslog.conf

*.emerg                 :omusrmsg:*
auth,authpriv.*         /var/log/auth.log
mail.*                  -/var/log/mail
mail.info               -/var/log/mail.info
mail.warning            -/var/log/mail.warn
mail.err                /var/log/mail.err
news.crit               -/var/log/news/news.crit
news.err                -/var/log/news/news.err
news.notice             -/var/log/news/news.notice
*.=warning;*.=err       -/var/log/warn
*.crit                  /var/log/warn
*.*;mail.none;news.none -/var/log/messages
local0,local1.*         -/var/log/localmessages
local2,local3.*         -/var/log/localmessages
local4,local5.*         -/var/log/localmessages
local6,local7.*         -/var/log/localmessages

Reload the configuration:

systemctl reload rsyslog

5. Set rsyslog for default file permission

Recommendation: (/etc/rsyslog.conf and /etc/rsyslog.d/*.conf)

$FileCreateMode 0640

6. Configure to accept authorized hosts
This restricts log reception to authorized IPs or hosts and protects against spoofed logs.
There are two options for receiving remote syslog messages:

a. UDP (faster but not that reliable)

Old config:

$ModLoad imudp
$UDPServerRun 514

New config:

module(load="imudp")
input(type="imudp" port="514")

b. TCP (slower but reliable)

Old config:

$ModLoad imtcp
$InputTCPServerRun 514

New config:

module(load="imtcp")
input(type="imtcp" port="514")

7. Configure to send logs remotely
It is recommended to send logs to a centralised remote syslog server.

Under the /etc/rsyslog.conf, add the following config

*.* @@192.168.2.254:514

where:
*.* -> sends all logs to the remote host
@@ -> directs logs to the server (can be FQDN or IP) over TCP
192.168.2.254 -> the remote syslog host
514 -> the port number

For all the changes to take effect, restart the rsyslog process:

systemctl stop rsyslog
systemctl start rsyslog

 

B. Configure systemd-journald

systemd-journald is a system service that collects and stores logging data. It creates and maintains structured, indexed journals based on logging information that is received from a variety of sources:

  • Kernel log messages, via kmsg
  • Simple system log messages, via the libc syslog(3) call
  • Structured system log messages via the native Journal API
  • Standard output and standard error of system services
  • Audit records

1. Configure journald to send logs to syslog
In /etc/systemd/journald.conf, uncomment the following line to enable it:

ForwardToSyslog=yes

2. Configure to compress large log files
In /etc/systemd/journald.conf, uncomment the following line to enable it:

Compress=yes

3. Configure to write logs to persistent disk
This helps protect against log loss when the server reboots.
In /etc/systemd/journald.conf, uncomment the following line to enable it:

Storage=persistent

 

C. Configure logrotate
Two files need to be reviewed according to your requirements and policy:
a. /etc/logrotate.d/rsyslog
Here are sample settings:

/var/log/syslog
{
    rotate 7
    daily
    missingok
    notifempty
    delaycompress
    compress
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}

/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
    rotate 4
    weekly
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}

b. /etc/logrotate.conf
Here are sample settings:
# rotate log files weekly
weekly

/var/log/wtmp {
    missingok
    monthly
    create 0664 root utmp
    rotate 1
}

Note: Make sure to set the correct permissions. In /etc/logrotate.conf, the wtmp entry should read “create 0640 root utmp”.
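The checks below are an added example (shell, not part of the original post) that audits a config tree for the settings recommended in sections A.5, A.7, B and C; the function names and the optional root prefix are this example's own, and the regexes only count lines that are not commented out, matching the "uncomment to enable" steps above.

```shell
#!/bin/sh
# Added audit helper, not part of the original post: checks a tree of config
# files for the settings recommended above. An optional root prefix lets it
# run against a copied or mounted tree instead of the live system.

# has_directive PATTERN FILE...  -> 0 if any uncommented line matches PATTERN
# (leading whitespace allowed, so a line commented out with '#' does not count)
has_directive() {
    pattern=$1; shift
    grep -Eqs "^[[:space:]]*$pattern" "$@"
}

# A.5: rsyslog must create new log files with mode 0640
check_file_create_mode() { has_directive '\$FileCreateMode[[:space:]]+0640' "$@"; }

# A.7: everything forwarded to the central server with @@ (TCP), not @ (UDP)
check_remote_forwarding() { has_directive '\*\.\*[[:space:]]+@@' "$@"; }

# B.1-B.3: all three journald settings present and uncommented
check_journald() {
    has_directive 'ForwardToSyslog[[:space:]]*=[[:space:]]*yes' "$@" &&
    has_directive 'Compress[[:space:]]*=[[:space:]]*yes' "$@" &&
    has_directive 'Storage[[:space:]]*=[[:space:]]*persistent' "$@"
}

# C note: wtmp recreated 0640 root utmp rather than the sample's 0664
check_wtmp_mode() { has_directive 'create[[:space:]]+0640[[:space:]]+root[[:space:]]+utmp' "$@"; }

# audit_logging [ROOT]: run every check, print one FAIL line per finding,
# return 0 only when all pass
audit_logging() {
    root=${1:-}
    rc=0
    check_file_create_mode "$root"/etc/rsyslog.conf "$root"/etc/rsyslog.d/*.conf \
        || { echo "FAIL A.5: \$FileCreateMode 0640 not set in rsyslog config"; rc=1; }
    check_remote_forwarding "$root"/etc/rsyslog.conf "$root"/etc/rsyslog.d/*.conf \
        || { echo "FAIL A.7: no '*.* @@host:port' TCP forwarding rule"; rc=1; }
    check_journald "$root"/etc/systemd/journald.conf \
        || { echo "FAIL B: ForwardToSyslog/Compress/Storage not all enabled in journald.conf"; rc=1; }
    check_wtmp_mode "$root"/etc/logrotate.conf \
        || { echo "FAIL C: /var/log/wtmp not created 0640 root utmp in logrotate.conf"; rc=1; }
    return $rc
}
```

Source the file and run `audit_logging` on the live host, or `audit_logging /mnt/image` against a mounted root; a non-zero exit with FAIL lines lists the items still to be fixed.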

About the author

Free Linux
