Logging (Buster)
/etc/rsyslog.conf
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#################
#### MODULES ####
#################
# Only the two local inputs are loaded: the system log socket (imuxsock)
# and the kernel log (imklog). Every network listener below is commented
# out, so this configuration accepts no remote syslog.
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
#module(load="immark") # provides --MARK-- message capability
# NOTE(review): if either listener below is ever enabled, port 514 as
# written is plain syslog with no sender authentication or encryption.
# Limit who can reach it (firewall rule) or use TLS transport - confirm
# against the deployment before uncommenting.
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
# NOTE(review): the traditional format carries no year, time zone or
# sub-second part, which makes timeline correlation across hosts harder -
# confirm whether that is acceptable before keeping it.
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#
# Set the default permissions for all log files.
#
# New log files are created as root:adm with mode 0640: readable by
# members of group adm, not readable by other users.
# NOTE(review): with $Umask 0007 the requested directory mode 0755 loses
# its "other" bits, so new directories would come out as 0750 - confirm the
# effective modes on the target system.
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0007
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
# The drop-in files are read at this point, i.e. before the RULES section.
# NOTE(review): anything placed in that directory becomes part of the
# logging configuration, so it should be writable by root only - verify.
$IncludeConfig /etc/rsyslog.d/*.conf
###############
#### RULES ####
###############
#
# First some standard log files. Log by facility.
#
# A leading "-" on a file name is the traditional "do not sync after every
# write" marker; auth.log, error.log and mail.err are written without it.
# NOTE(review): recent rsyslog versions may not sync by default either way
# - confirm if the distinction matters for these files.
auth,authpriv.* /var/log/auth.log
# Everything except auth/authpriv, mail and local2 goes to syslog.
*.*;auth,authpriv.none;\
mail,local2.none -/var/log/syslog
cron.* -/var/log/cron.log
daemon.* -/var/log/daemon.log
# Kernel messages of every priority except debug.
kern.*;kern.!=debug -/var/log/kern.log
# The four filters below select on message text only, whatever the facility
# or sender, and none of them stops processing: a matching message is also
# written by every other rule it matches. The prefixes are presumably the
# firewall's own log prefixes - confirm against the firewall rules.
# NOTE(review): because the match is text-only, a message containing the
# same prefix from any other local source lands in these files too; when
# the files are used as evidence, cross-check the facility (or add a
# facility condition to the filters).
:msg, contains, "IPTables: " -/var/log/iptables.log
:msg, contains, "Hackers: " -/var/log/hackers.log
:msg, contains, "IP6Tables: " -/var/log/ip6tables.log
:msg, contains, "Hackers6: " -/var/log/hackers6.log
lpr.* -/var/log/lpr.log
# mail.* is commented out, so this file does not write /var/log/mail.log;
# mail is split by priority further down instead.
#mail.* -/var/log/mail.log
user.* -/var/log/user.log
# The file names suggest local1 = OpenDKIM, local2 = Dovecot and
# local6 = ClamAV; that only holds if those daemons are configured to log
# to these facilities - verify in their own configuration.
local1.* -/var/log/opendkim.log
local2.* -/var/log/dovecot.log
local6.* -/var/log/clamav.log
# Log by severity
# *.err takes priority err and above from every facility and *.=warn takes
# exactly warning from everything but mail and local2. Neither excludes
# auth/authpriv, so authentication messages at those priorities are copied
# into error.log and warning.log as well as auth.log.
*.err /var/log/error.log
*.=warn;mail.none;local2.none -/var/log/warning.log
# Split up mail logs appropriately.
mail.=notice;mail.=debug -/var/log/mail.notice
mail.=info -/var/log/mail.info
mail.warn -/var/log/mail.warn
local2.warn -/var/log/dovecot.warn
mail.err /var/log/mail.err
#
# Some "catch-all" log files.
#
# Both catch-alls exclude auth/authpriv and local2.
*.=debug;\
auth,authpriv.none;\
news.none;kern.none;\
local2.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none;\
local2.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
Logrotate
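You'll want to edit or add specific entries in /etc/logrotate.d/ as needed: every file the rsyslog rules above write to needs a matching entry, otherwise it grows without limit.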
/etc/logrotate.d/rsyslog
# /var/log/syslog: rotated every day, 14 rotations kept (about two weeks).
/var/log/syslog
{
	daily
	rotate 14
	# a missing or empty log is skipped without an error
	missingok
	notifempty
	# compress old logs, but leave the newest rotation uncompressed
	compress
	delaycompress
	# helper run after each rotation; presumably makes rsyslog reopen
	# its output files - confirm
	postrotate
		/usr/lib/rsyslog/rsyslog-rotate
	endscript
}
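# All remaining rsyslog output files: rotated weekly, 13 rotations kept.
# Each path is listed once. The original list named dovecot.log and
# clamav.log twice; logrotate may reject a repeated path as a duplicate
# log entry, and a rejected stanza would leave these files unrotated.
# mail.log stays listed although the mail.* rule in rsyslog.conf is
# commented out; missingok keeps its absence from being an error.
# No comments between the paths below: the list is parsed as file names.
/var/log/mail.notice
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/dovecot.log
/var/log/dovecot.warn
/var/log/clamav.log
/var/log/daemon.log
/var/log/iptables.log
/var/log/hackers.log
/var/log/ip6tables.log
/var/log/hackers6.log
/var/log/opendkim.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/error.log
/var/log/warning.log
/var/log/debug
/var/log/messages
{
	rotate 13
	weekly
	# a missing or empty log is skipped without an error
	missingok
	notifempty
	# compress old logs, but leave the newest rotation uncompressed
	compress
	delaycompress
	# run the postrotate script once for the whole set, not once per file
	sharedscripts
	# helper run after rotation; presumably makes rsyslog reopen its
	# output files - confirm
	postrotate
		/usr/lib/rsyslog/rsyslog-rotate
	endscript
}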
/etc/logrotate.conf
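# see "man logrotate" for details
# The page had fused each directive onto the end of the comment line above
# it, which turned every setting into a comment; they are restored here one
# per line.

# rotate log files weekly
weekly

# keep 26 rotations of backlogs (the stock comment says 4 weeks; the value
# on this page is 26)
rotate 26

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
#dateext

# compress rotated logs; delaycompress leaves the newest rotation
# uncompressed until the following cycle
compress
delaycompress

# packages drop log rotation information into this directory
include /etc/logrotate.d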