ryoku.org » syslog http://www.ryoku.org Nerd stuff Sat, 04 Sep 2010 21:55:23 +0000 en hourly 1 http://wordpress.org/?v=3.0.1 A central loghost http://www.ryoku.org/2009/12/a-central-loghost/ http://www.ryoku.org/2009/12/a-central-loghost/#comments Sun, 27 Dec 2009 01:39:34 +0000 Arijan http://www.ryoku.org/?p=181 As promised in my previous post, my configuration for a central loghost using rsyslog.

Most of my clients connect using tls, however some devices do not support this (dd-wrt for example), so I also open an udp socket for use on the lan only.

I use splunk to mine my logs.

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)

# UDP socket for lan (dd-wrt etc)
$ModLoad imudp
$UDPServerRun 514

# TCP socket for tls clients
$ModLoad imtcp

$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog/loghost.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog/loghost.key.pem

$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.ryoku.org
$InputTCPServerStreamDriverPermittedPeer *.home
$InputTCPServerStreamDriverMode 1
$InputTCPServerRun 514

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

$IncludeConfig /etc/rsyslog.d/*.conf

# Templates for central loghost
$template t-messages,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/messages"
$template t-debug,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/debug"

$template t-auth,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/auth.log"
$template t-syslog,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/syslog"
$template t-cron,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/cron.log"
$template t-daemon,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/daemon.log"
$template t-kern,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/kern.log"
$template t-lpr,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/lpr.log"
$template t-mail,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/mail.log"
$template t-user,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/user.log"

$template t-mail-info,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/mail.info"
$template t-mail-warn,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/mail.warn"
$template t-mail-err,"/var/log/hosts/%HOSTNAME%/%$YEAR%%$MONTH%/mail.err"

# Standard logfiles
auth,authpriv.*			?t-auth
*.*;auth,authpriv.none		-?t-syslog
#cron.*				?t-cron
daemon.*			-?t-daemon
kern.*				-?t-kern
lpr.*				-?t-lpr
mail.*				-?t-mail
user.*				-?t-user

# Mail logging
mail.info			-?t-mail-info
mail.warn			-?t-mail-warn
mail.err			?t-mail-err

# Catchall
*.=debug;\
	auth,authpriv.none;\
	news.none;mail.none	-?t-debug
*.=info;*.=notice;*.=warn;\
	auth,authpriv.none;\
	cron,daemon.none;\
	mail,news.none		-?t-messages

# Emerg goes to all who are logged in
*.emerg				*
]]> http://www.ryoku.org/2009/12/a-central-loghost/feed/ 0 Fun with puppet and rsyslog http://www.ryoku.org/2009/12/fun-with-puppet-and-rsyslog/ http://www.ryoku.org/2009/12/fun-with-puppet-and-rsyslog/#comments Sun, 27 Dec 2009 00:48:11 +0000 Arijan http://www.ryoku.org/?p=179 Today I switched from syslog-ng to rsyslog, I am also working with puppet nowadays, I wrote a module for puppet that provides my syslog clients with their certificates (I use TLS to secure the transport)

Below is the module I wrote for puppet, the script I wrote to generate certificates for the client machine store the certificates into the files area of the module.

class rsyslog-client {

	package { "rsyslog":
		ensure => present,
	}

	package { "rsyslog-gnutls":
		ensure => present,
	}

	service { "rsyslog":
		ensure => running,
	}

	host { "loghost":
		ensure => present,
		name => "loghost",
		ip => "$loghost",
	}

	file { "/etc/rsyslog":
		ensure => directory,
	}	

	file { "/etc/rsyslog/$fqdn.key.pem":
		owner => root,
		group => root,
		source => "puppet:///rsyslog-client/$fqdn.key.pem",
		ensure => file,
		notify => service["rsyslog"],
	}

	file { "/etc/rsyslog/$fqdn.pem":
		owner => root,
		group => root,
		source => "puppet:///rsyslog-client/$fqdn.pem",
		ensure => file,
		notify => service["rsyslog"],
	}

	file { "/etc/rsyslog/ca.pem":
		owner => root,
		group => root,
		source => "puppet:///rsyslog-client/ca.pem",
		ensure => file,
		notify => service["rsyslog"],
	}

	file { "/etc/rsyslog.conf":
		owner 	=> root,
		group	=> root,
		content => template("rsyslog-client/rsyslog.conf.erb"),
		ensure  => file,
		require => package["rsyslog"],
		notify  => service["rsyslog"]
	}

}

I’ll post my rsyslog.conf of the central loghost when I have written a decent one.

]]> http://www.ryoku.org/2009/12/fun-with-puppet-and-rsyslog/feed/ 0