Difference between revisions of "Logging (Buster)"

Line 1: Line 1:
 +
 +
== /etc/rsyslog.conf ==
 +
 +
# /etc/rsyslog.conf configuration file for rsyslog
 +
#
 +
# For more information install rsyslog-doc and see
 +
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
 +
 +
 +
#################
 +
#### MODULES ####
 +
#################
 +
 +
module(load="imuxsock") # provides support for local system logging
 +
module(load="imklog")  # provides kernel logging support
 +
#module(load="immark")  # provides --MARK-- message capability
 +
 +
# provides UDP syslog reception
 +
#module(load="imudp")
 +
#input(type="imudp" port="514")
 +
 +
# provides TCP syslog reception
 +
#module(load="imtcp")
 +
#input(type="imtcp" port="514")
 +
 +
 +
###########################
 +
#### GLOBAL DIRECTIVES ####
 +
###########################
 +
 +
#
 +
# Use traditional timestamp format.
 +
# To enable high precision timestamps, comment out the following line.
 +
#
 +
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
 +
 +
#
 +
# Set the default permissions for all log files.
 +
#
 +
$FileOwner root
 +
$FileGroup adm
 +
$FileCreateMode 0640
 +
$DirCreateMode 0755
 +
$Umask 0007
 +
 +
#
 +
# Where to place spool and state files
 +
#
 +
$WorkDirectory /var/spool/rsyslog
 +
 +
#
 +
# Include all config files in /etc/rsyslog.d/
 +
#
 +
$IncludeConfig /etc/rsyslog.d/*.conf
 +
 +
 +
###############
 +
#### RULES ####
 +
###############
 +
 +
#
 +
# First some standard log files.  Log by facility.
 +
#
 +
auth,authpriv.*                /var/log/auth.log
 +
*.*;auth,authpriv.none;\
 +
        mail,local2.none        -/var/log/syslog
 +
cron.*                          -/var/log/cron.log
 +
daemon.*                        -/var/log/daemon.log
 +
kern.*;kern.!=debug            -/var/log/kern.log
 +
:msg, contains, "IPTables: "    -/var/log/iptables.log
 +
:msg, contains, "Hackers: "    -/var/log/hackers.log
 +
:msg, contains, "IP6Tables: "  -/var/log/ip6tables.log
 +
:msg, contains, "Hackers6: "    -/var/log/hackers6.log
 +
lpr.*                          -/var/log/lpr.log
 +
#mail.*                        -/var/log/mail.log
 +
user.*                          -/var/log/user.log
 +
local1.*                        -/var/log/opendkim.log
 +
local2.*                        -/var/log/dovecot.log
 +
local6.*                        -/var/log/clamav.log
 +
 +
# Log by severity
 +
 +
*.err                          /var/log/error.log
 +
*.=warn;mail.none;local2.none  -/var/log/warning.log
 +
 +
# Split up mail logs appropriately.
 +
 +
mail.=notice;mail.=debug        -/var/log/mail.notice
 +
mail.=info                      -/var/log/mail.info
 +
mail.warn                      -/var/log/mail.warn
 +
local2.warn                    -/var/log/dovecot.warn
 +
mail.err                        /var/log/mail.err
 +
 +
#
 +
# Some "catch-all" log files.
 +
#
 +
*.=debug;\
 +
        auth,authpriv.none;\
 +
        news.none;kern.none;\
 +
        local2.none            -/var/log/debug
 +
*.=info;*.=notice;*.=warn;\
 +
        auth,authpriv.none;\
 +
        cron,daemon.none;\
 +
        mail,news.none;\
 +
        local2.none            -/var/log/messages
 +
 +
#
 +
# Emergencies are sent to everybody logged in.
 +
#
 +
*.emerg                        :omusrmsg:*
 +
  
 
== Logrotate ==
 
== Logrotate ==
  
You'll want to edit or add specific entries in /etc/logrotate.d/ as needed. For nginx and php-fpm I like to have much longer logs (rotate weekly, 26 weeks, delaycompress).
+
You'll want to edit or add specific entries in /etc/logrotate.d/ as needed.
 +
 
 +
=== /etc/logrotate.d/rsyslog ===
 +
 
 +
/var/log/syslog
 +
{
 +
        rotate 14
 +
        daily
 +
        missingok
 +
        notifempty
 +
        delaycompress
 +
        compress
 +
        postrotate
 +
                /usr/lib/rsyslog/rsyslog-rotate
 +
        endscript
 +
}
 +
 +
/var/log/mail.notice
 +
/var/log/mail.info
 +
/var/log/mail.warn
 +
/var/log/mail.err
 +
/var/log/mail.log
 +
/var/log/dovecot.log
 +
/var/log/dovecot.warn
 +
/var/log/clamav.log
 +
/var/log/daemon.log
 +
/var/log/iptables.log
 +
/var/log/hackers.log
 +
/var/log/dovecot.log
 +
/var/log/clamav.log
 +
/var/log/ip6tables.log
 +
/var/log/hackers6.log
 +
/var/log/opendkim.log
 +
/var/log/kern.log
 +
/var/log/auth.log
 +
/var/log/user.log
 +
/var/log/lpr.log
 +
/var/log/cron.log
 +
/var/log/error.log
 +
/var/log/warning.log
 +
/var/log/debug
 +
/var/log/messages
 +
{
 +
        rotate 13
 +
        weekly
 +
        missingok
 +
        notifempty
 +
        compress
 +
        delaycompress
 +
        sharedscripts
 +
        postrotate
 +
                /usr/lib/rsyslog/rsyslog-rotate
 +
        endscript
 +
}
 +
  
 
=== /etc/logrote.conf ===
 
=== /etc/logrote.conf ===
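Review bot: The file list of the second stanza added under /etc/logrotate.d/rsyslog names `/var/log/dovecot.log` and `/var/log/clamav.log` twice each. logrotate is likely to report a duplicate log entry for the repeated paths and may skip the whole stanza, which would leave auth.log, kern.log and the firewall logs unrotated; drop the second occurrence of each. The same list includes `/var/log/mail.log` although the `mail.*` rule in the added rsyslog.conf is commented out; `missingok` keeps that harmless, but a comment such as `# mail.log is only written if the mail.* rule is re-enabled` would say so. The added `$Umask 0007` also masks the "other" bits of `$DirCreateMode 0755`, so a one-line comment stating that the effective directory mode is expected to be 0750 would avoid confusion.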

Revision as of 03:53, 24 January 2021

/etc/rsyslog.conf

# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html


#################
#### MODULES ####
#################

# Input modules. Only the two local sources are loaded here; both network
# listeners below are commented out, so this file by itself does not open a
# syslog port (a drop-in under /etc/rsyslog.d/ could still do so).
module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
# NOTE(review): if enabled, plain syslog on 514/udp has no authentication or
# encryption and the sender address is trivially forged; limit the permitted
# sources at the firewall before uncommenting.
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
# NOTE(review): same caveat as UDP; plain imtcp is unauthenticated cleartext.
#module(load="imtcp")
#input(type="imtcp" port="514")


###########################
#### GLOBAL DIRECTIVES ####
###########################

# These are legacy "$" directives; they apply to the actions defined after
# them, so they must stay above the RULES section.

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
# New log files are created as root:adm with mode 0640, i.e. readable by
# members of group adm and by nobody else.
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
# The process umask is applied on top of the create modes: 0007 clears all
# "other" bits, so directories requested as 0755 are expected to end up 0750.
# File mode 0640 has no "other" bits and is unaffected.
$Umask 0007

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
# The drop-ins are read at this point, i.e. before the rules below. A drop-in
# that discards messages therefore keeps them out of every file listed in the
# RULES section; review that directory together with this file.
$IncludeConfig /etc/rsyslog.d/*.conf


###############
#### RULES ####
###############

# Selector syntax: facility.priority matches that priority and above,
# ".=" matches exactly one priority, ".!=" excludes one, ".none" excludes the
# facility. A leading "-" on the file name is the sysklogd convention for not
# syncing the file after every write.
# No rule here discards a message, so one message can be written to several
# of the files below.

#
# First some standard log files.  Log by facility.
#
# Authentication messages get their own file and are excluded from syslog.
auth,authpriv.*                 /var/log/auth.log
# Everything except auth/authpriv, mail and local2.
*.*;auth,authpriv.none;\
        mail,local2.none        -/var/log/syslog
cron.*                          -/var/log/cron.log
daemon.*                        -/var/log/daemon.log
# Kernel messages of every priority except debug.
kern.*;kern.!=debug             -/var/log/kern.log
# Property-based filters: match on the message text, whatever the facility.
# Presumably these strings are the log prefixes set in the firewall rules
# (TODO confirm). Matching messages are copied here and still reach kern.log
# and syslog. Because the match is on text only, any local process that can
# write to the log socket can produce a line that lands in these files; do
# not treat them as kernel-only evidence without checking the facility.
:msg, contains, "IPTables: "    -/var/log/iptables.log
:msg, contains, "Hackers: "     -/var/log/hackers.log
:msg, contains, "IP6Tables: "   -/var/log/ip6tables.log
:msg, contains, "Hackers6: "    -/var/log/hackers6.log
lpr.*                           -/var/log/lpr.log
# Disabled: mail is split by priority further down instead of one mail.log.
#mail.*                         -/var/log/mail.log
user.*                          -/var/log/user.log
# local1/local2/local6 are routed by file name to opendkim, dovecot and
# clamav; this assumes each daemon is configured to log to that facility.
local1.*                        -/var/log/opendkim.log
local2.*                        -/var/log/dovecot.log
local6.*                        -/var/log/clamav.log

# Log by severity

# err and above from every facility, auth/authpriv included, so error.log
# can contain authentication messages; it is written without the "-" prefix.
*.err                           /var/log/error.log
# Exactly warn, without mail and local2 (they have their own .warn files).
*.=warn;mail.none;local2.none   -/var/log/warning.log

# Split up mail logs appropriately.

mail.=notice;mail.=debug        -/var/log/mail.notice
mail.=info                      -/var/log/mail.info
# warn and above, so mail errors appear here as well as in mail.err.
mail.warn                       -/var/log/mail.warn
local2.warn                     -/var/log/dovecot.warn
mail.err                        /var/log/mail.err

#
# Some "catch-all" log files.
#
# Debug-priority messages only, minus auth, news, kernel and local2.
*.=debug;\
        auth,authpriv.none;\
        news.none;kern.none;\
        local2.none             -/var/log/debug
# info, notice and warn only, minus the facilities that have their own files.
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none;\
        local2.none             -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                         :omusrmsg:*

Logrotate

You'll want to edit or add specific entries in /etc/logrotate.d/ as needed.

/etc/logrotate.d/rsyslog

# Main syslog file: rotated every day, 14 rotations kept.
/var/log/syslog
{
        daily
        rotate 14
        # a missing log is not an error; an empty log is not rotated
        missingok
        notifempty
        # gzip rotated files, but leave the newest rotation uncompressed
        compress
        delaycompress
        # runs after the rotation; presumably tells rsyslogd to reopen its
        # output files (confirm against the installed helper)
        postrotate
                /usr/lib/rsyslog/rsyslog-rotate
        endscript
}

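# All other files written by /etc/rsyslog.conf: rotated weekly, 13 rotations
# kept. Each path is listed exactly once; a repeated path is likely to be
# reported by logrotate as a duplicate log entry and can cause the stanza to
# be skipped, which would leave every file below unrotated.
/var/log/mail.notice
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
# mail.log is only written if the mail.* rule in rsyslog.conf is re-enabled;
# missingok below keeps its absence from being an error.
/var/log/mail.log
/var/log/dovecot.log
/var/log/dovecot.warn
/var/log/clamav.log
/var/log/daemon.log
/var/log/iptables.log
/var/log/hackers.log
/var/log/ip6tables.log
/var/log/hackers6.log
/var/log/opendkim.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/error.log
/var/log/warning.log
/var/log/debug
/var/log/messages
{
        rotate 13
        weekly
        # a missing log is not an error; an empty log is not rotated
        missingok
        notifempty
        # gzip rotated files, but leave the newest rotation uncompressed
        compress
        delaycompress
        # run the postrotate script once for the whole list rather than once
        # per rotated file
        sharedscripts
        postrotate
                /usr/lib/rsyslog/rsyslog-rotate
        endscript
}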

/etc/logrotate.conf

# see "man logrotate" for details
# Global defaults; a stanza under /etc/logrotate.d/ that sets its own
# frequency or rotate count (as the rsyslog stanzas do) overrides them.
# rotate log files weekly
weekly
# keep 26 weeks worth of backlogs
rotate 26
# create new (empty) log files after rotating old ones
# (no mode/owner given, so the new file takes them from the rotated one)
create
# use date as a suffix of the rotated file
#dateext
# compress rotated log files; delaycompress leaves the most recent rotation
# uncompressed until the next cycle
compress
delaycompress
# packages drop log rotation information into this directory
include /etc/logrotate.d