A central loghost
As promised in my previous post, here is my configuration for a central loghost using rsyslog.
Most of my clients connect over TLS; some devices (DD-WRT, for example) cannot, so I also open a UDP socket for use on the LAN only. Two caveats about that socket: $UDPServerRun 514 on its own binds every interface, so to keep it on the LAN you need to set $UDPServerAddress to the LAN address before $UDPServerRun, or block 514/udp from everywhere else at the firewall. And UDP senders are not authenticated at all, so the %HOSTNAME% used in the file templates below is whatever the packet claims, which lets any LAN host write into another host's log directory; keying the path on %FROMHOST-IP% instead ties it to the sending address.
I use Splunk to mine the logs.
```conf
$ModLoad imuxsock   # provides support for local system logging
$ModLoad imklog     # provides kernel logging support (previously done by rklogd)

# UDP socket for lan (dd-wrt etc)
# NB: without a preceding $UDPServerAddress this listens on every interface, not just the LAN
$ModLoad imudp
$UDPServerRun 514

# TCP socket for tls clients
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog/loghost.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog/loghost.key.pem
# x509/name: client cert must chain to the CA *and* carry a name matching a permitted peer
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.ryoku.org
$InputTCPServerStreamDriverPermittedPeer *.home
$InputTCPServerStreamDriverMode 1   # 1 = TLS only, 0 = plain TCP
$InputTCPServerRun 514

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

$IncludeConfig /etc/rsyslog.d/*.conf

# Templates for central loghost
# one directory per (message-supplied) hostname, one subdirectory per month
$template t-messages,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/messages"
$template t-debug,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/debug"
$template t-auth,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/auth.log"
$template t-syslog,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/syslog"
$template t-cron,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/cron.log"
$template t-daemon,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/daemon.log"
$template t-kern,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/kern.log"
$template t-lpr,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/lpr.log"
$template t-mail,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/mail.log"
$template t-user,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/user.log"
$template t-mail-info,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/mail.info"
$template t-mail-warn,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/mail.warn"
$template t-mail-err,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/mail.err"

# Standard logfiles
# ?template writes synchronously, -?template buffers writes
auth,authpriv.*                 ?t-auth
*.*;auth,authpriv.none          -?t-syslog
#cron.*                         ?t-cron
daemon.*                        -?t-daemon
kern.*                          -?t-kern
lpr.*                           -?t-lpr
mail.*                          -?t-mail
user.*                          -?t-user

# Mail logging
mail.info                       -?t-mail-info
mail.warn                       -?t-mail-warn
mail.err                        ?t-mail-err

# Catchall
*.=debug;\
    auth,authpriv.none;\
    news.none;mail.none         -?t-debug
*.=info;*.=notice;*.=warn;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none              -?t-messages

# Emerg goes to all who are logged in
# (newer rsyslog releases spell this target :omusrmsg:*)
*.emerg                         *
```
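The post shows only the loghost side. For the TLS clients, the matching sender configuration would look like the following. This is an added example, not the author's own client configuration: the loghost name loghost.ryoku.org, the certificate file names and the spool directory are assumptions, and the client certificate is assumed to carry a name that matches one of the loghost's permitted-peer wildcards (*.ryoku.org or *.home).

```conf
# /etc/rsyslog.conf on a TLS client (added example; file names and loghost name are assumed)
$ModLoad imuxsock           # local system logging
$ModLoad imklog             # kernel messages

# Same CA as the loghost; each client has its own certificate and key
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog/client.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog/client.key.pem

# Verify the loghost's certificate name, not only that it chains to the CA
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer loghost.ryoku.org
$ActionSendStreamDriverMode 1   # 1 = TLS only, 0 = plain TCP

# Queue on disk so nothing is lost while the loghost is unreachable
$WorkDirectory /var/spool/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName fwdq
$ActionQueueMaxDiskSpace 100m
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1      # retry forever instead of discarding

# @@ = TCP (a single @ would be UDP); forward everything to the loghost
*.* @@loghost.ryoku.org:514
```

With x509/name on both ends, the loghost rejects clients whose certificate name does not match a permitted peer, and the client refuses to send to anything on the LAN that cannot present the loghost's certificate, so a rogue device cannot collect the logs by answering on port 514. The disk queue holds messages while the loghost is down; the plain-UDP devices from the post have no such protection and simply lose whatever they send during an outage.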