Log shipping

From silverwiki

Shipping logs with syslogd and rsyslog

rsyslog receiver

Set up a machine with Debian wheezy and note its IP. Run apt-get install rsyslog, then open /etc/rsyslog.conf in vi and uncomment these lines under the modules section:

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Add a rule to split logs into files by hostname (smartquotes are the devil and syntax errors are his birdsong)

###############
#### RULES ####
###############

$template DynFile,"/var/log/syslog-%HOSTNAME%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?DynFile
:fromhost-ip, !isequal, "127.0.0.1" ~

and then restart it

service rsyslog restart

syslogd sender

Pretend your rsyslog server is at 192.168.10.18. On the OpenBSD machine, edit /etc/syslog.conf:

#*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none @logger
#auth,daemon,syslog,user.info;authpriv,kern.debug                @logger

becomes

*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none @192.168.10.18
auth,daemon,syslog,user.info;authpriv,kern.debug                @192.168.10.18

AFAIK, @@ is TCP and @ is UDP, but I found that in rsyslog dox not syslogd, and @@ip:port didn't work at all for me.

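# find the syslogd PID (the grep matches the _syslogd user)
ps auxw | grep _sys
# make syslogd reread its config; substitute the PID from the output above
kill -HUP $thesyslogdpidfromabove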

rsyslogd sender

apt-get install rsyslog -y

now edit /etc/rsyslog.conf and add:

*.*   @@192.168.10.18:514

and restart it

service rsyslog restart

Using @@ip:port seems to work here, yay?

view

Now run cat /var/log/syslog-hostname.log on the log box (192.168.10.18), replacing hostname with the sender's hostname.

apache2 with rsyslog5

Forwarding is pretty easy for Apache with rsyslog 8, but I had a lot of trouble getting 5 working. This did the job. I had to add a bit for each log file.

$ModLoad imfile
$InputFileName /var/log/apache2/access.log
$InputFileTag apache:
$InputFileStateFile stat1
$InputRunFileMonitor
$InputFileName /var/log/apache2/silvermag.net.error.log
$InputFileTag apache:
$InputFileStateFile stat2
$InputRunFileMonitor
$InputFileName /var/log/apache2/agmccollum.com.access.log
$InputFileTag apache:
$InputFileStateFile stat3
$InputRunFileMonitor
$InputFileName /var/log/apache2/silvermag.net.ssl.access.log
$InputFileTag apache:
$InputFileStateFile stat4
$InputRunFileMonitor
$InputFileName /var/log/apache2/agmccollum.com.error.log
$InputFileTag apache:
$InputFileStateFile stat5
$InputRunFileMonitor
$InputFileName /var/log/apache2/silvermag.net.ssl.error.log
$InputFileTag apache:
$InputFileStateFile stat6
$InputRunFileMonitor
$InputFileName /var/log/apache2/error.log
$InputFileTag apache:
$InputFileStateFile stat7
$InputRunFileMonitor
$InputFileName /var/log/apache2/what.butt.access.log
$InputFileTag apache:
$InputFileStateFile stat8
$InputRunFileMonitor
$InputFileName /var/log/apache2/other_vhosts_access.log
$InputFileTag apache:
$InputFileStateFile stat9
$InputRunFileMonitor
$InputFileName /var/log/apache2/what.butt.error.log
$InputFileTag apache:
$InputFileStateFile stat10
$InputRunFileMonitor
$InputFileName /var/log/apache2/silvermag.net.access.log
$InputFileTag apache:
$InputFileStateFile stat11
$InputRunFileMonitor


*.*   @@192.168.10.40:514
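
The per-file imfile blocks above can be generated rather than typed by hand. This shell function is an added example, not part of the original wiki page; the function name gen_imfile_stanzas and the rule for skipping rotated files are assumptions of this example.

```shell
#!/bin/sh
# Added example: emit legacy (rsyslog 5) imfile stanzas for a list of log files.
# gen_imfile_stanzas is a name chosen for this example.
#
# Usage: gen_imfile_stanzas TAG FILE...
#   e.g. gen_imfile_stanzas apache: /var/log/apache2/*.log
gen_imfile_stanzas() {
    tag=$1; shift
    n=0
    echo '$ModLoad imfile'
    for f in "$@"; do
        # Assumption: rotated or compressed copies (foo.log.1, foo.log.2.gz)
        # should not be monitored, only the live file.
        case $f in
            *.gz|*.[0-9]) continue ;;
        esac
        n=$((n + 1))
        printf '$InputFileName %s\n' "$f"
        printf '$InputFileTag %s\n' "$tag"
        # Every monitored file gets its own state file (stat1, stat2, ...),
        # matching the numbering used in the hand-written config.
        printf '$InputFileStateFile stat%d\n' "$n"
        # Without this line the preceding $InputFile* settings are not activated.
        echo '$InputRunFileMonitor'
    done
}
```

Review the generated stanzas before adding them to /etc/rsyslog.conf, and keep the forwarding rule after them.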


links

http://blog.josefsson.org/2011/12/12/small-syslog-server/