https://www.chepkov.com/w/index.php?action=history&feed=atom&title=RSyslogRSyslog - Revision history2026-04-28T17:22:15ZRevision history for this page on the wikiMediaWiki 1.43.6https://www.chepkov.com/w/index.php?title=RSyslog&diff=229&oldid=prevVvc at 21:09, 3 February 20092009-02-03T21:09:44Z<p></p>
<p><b>New page</b></p><div>__TOC__<br />
===Write syslog into Postgres database===<br />
* create '''syslog''' table<br />
<source lang="sql"><br />
CREATE TABLE syslog<br />
(<br />
id SERIAL PRIMARY KEY,<br />
host VARCHAR(32) NULL,<br />
facility VARCHAR(10) NULL,<br />
priority VARCHAR(10) NULL,<br />
tag VARCHAR(32) NULL,<br />
timestamp TIMESTAMP WITHOUT TIME ZONE NULL,<br />
message TEXT<br />
);<br />
</source><br />
* create user id and grant permissions to insert new entries<br />
<source lang="sql"><br />
CREATE USER sysuser PASSWORD 'syspass';<br />
GRANT INSERT ON syslog TO sysuser;<br />
GRANT SELECT,UPDATE ON syslog_id_seq TO sysuser;<br />
</source><br />
* install '''rsyslog-pgsql''' package<br />
----<br />
rsyslog configuration by default is in '''/etc/rsyslog.conf'''<br />
----<br />
* enable postrges support<br />
$ModLoad ompgsql.so<br />
* enable logging from remote hosts if needed<br />
$ModLoad imudp.so<br />
$UDPServerRun 514<br />
* add sql statement template<br />
<pre><br />
$template syslogSQL,"insert into syslog (host,facility,priority,tag,timestamp,message) \<br />
values ('%HOSTNAME%','%syslogfacility-text%','%syslogpriority-text%','%syslogtag:F,58:1%','%timereported:::date-pgsql%','%msg%')",stdsql<br />
</pre><br />
* set secure permission on configuration file, since we are going to store password to access postgres database there<br />
chmod 600 /etc/rsyslog.conf<br />
* add action statement <br />
*.* :ompgsql:localhost,syslogdb,sysuser,syspass;syslogSQL<br />
* add the following configuration to ensure log entries will be preserved if database was busy of temporary unavailable<br />
<pre><br />
$WorkDirectory /var/lib/rsyslog # where to place spool files<br />
$ActionQueueFileName dbq # unique name prefix for spool files<br />
$ActionQueueMaxDiskSpace 512M # 512M space limit (use as much as possible)<br />
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown<br />
$ActionQueueType LinkedList # run asynchronously<br />
$ActionResumeRetryCount -1 # infinite retries if host is down<br />
</pre><br />
* create spool directory<br />
mkdir /var/lib/rsyslog<br />
* if you use [http://www.nsa.gov/research/selinux/ SELinux], you might need to change your local policy<br />
:* local.te<br />
<pre><br />
type rsyslog_var_lib_t;<br />
files_type(rsyslog_var_lib_t);<br />
<br />
manage_files_pattern(syslogd_t, rsyslog_var_lib_t, rsyslog_var_lib_t)<br />
manage_dirs_pattern(syslogd_t, rsyslog_var_lib_t, rsyslog_var_lib_t)<br />
</pre><br />
:* local.fc<br />
/var/lib/rsyslog(/.*)? gen_context(system_u:object_r:rsyslog_var_lib_t,s0)<br />
:* fix security context<br />
restorecon -vR /var/lib/rsyslog<br />
* start using rsyslog<br />
service rsyslog start<br />
* add a maintenance script which will remove old entries, for example<br />
<source lang="sql"><br />
DELETE FROM syslog WHERE timestamp < LOCALTIMESTAMP - INTERVAL '30 days';<br />
</source><br />
===Write syslog entries from a host to a separate file===<br />
<pre><br />
# Router<br />
:FROMHOST, isequal, "vzrouter" -/var/log/vzrouter.log<br />
</pre><br />
:<tt>'-'</tt> in front of a log file name instructs rsyslog to omit syncing the file after every logging<br />
* Don't forget to add '''/var/log/vzrouter.log''' into '''/etc/logrotate.d/syslog'''<br />
<br />
[[Category:Linux]]</div>Vvc