Logging (Buster)


rsyslog has its own version numbering, but how you use it is installation-specific, and this logging documentation is tied to the guide for this release (Buster). Parts of it may still be useful for other installs.

Note that after editing rsyslog.conf you need to restart the service for the change to take effect:

# pick up the edited configuration; "rsyslogd -N1" beforehand validates the file without restarting
systemctl restart rsyslog

/etc/rsyslog.conf

# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Reading guide: the RULES section is evaluated top to bottom and a
# message is delivered by every rule it matches -- there is no "stop"
# (or legacy "~" discard) anywhere in this file -- so one event normally
# ends up in several files (e.g. kern.log, syslog and iptables.log).


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging (the /dev/log socket; any local process can write to it)
module(load="imklog")   # provides kernel logging support
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
# Left disabled: a network listener here accepts unauthenticated
# messages from any host that can reach port 514. Only enable it on a
# host that is meant to be a log collector, and restrict the source
# addresses with the host firewall if you do.
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
# Same caveat as imudp above; left disabled.
#module(load="imtcp")
#input(type="imtcp" port="514")


###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
# RSYSLOG_TraditionalFileFormat gives the classic "Mon DD HH:MM:SS"
# stamp: no year, no time zone, one-second resolution. When correlating
# events across hosts (incident timelines, SIEM ingestion) the default
# high-precision RFC 3339 format is considerably easier to work with.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
# New log files are root:adm 0640: readable only by root and members
# of the adm group, so adm membership amounts to read access to
# auth.log and everything else below. Directories are 0755; the umask
# additionally strips the "other" bits from anything rsyslog creates.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0007

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
# Drop-ins are read at this point, i.e. before the RULES below, so a
# drop-in can add actions or "stop" messages before these rules see
# them. Anything that can write to /etc/rsyslog.d/ can change what is
# logged, so keep that directory root-owned.
#
$IncludeConfig /etc/rsyslog.d/*.conf


###############
#### RULES ####
###############

#
# First some standard log files.  Log by facility.
#
# A leading "-" on a file path is the legacy "omit fsync" marker. In
# rsyslog it only matters once $ActionFileEnableSync is turned on (it
# is off by default), so the paths without "-" (auth.log, error.log,
# mail.err) are NOT actually synced to disk per message unless that
# directive is added.
#
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none;\
        mail,local2.none        -/var/log/syslog
cron.*                          -/var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*;kern.!=debug             -/var/log/kern.log
# Content-based routing for the firewall logs. These match on message
# text only -- any facility, and therefore any local process that can
# reach /dev/log, not just the kernel -- and the strings are presumably
# the --log-prefix values of the netfilter LOG rules (confirm against
# the firewall configuration). Because nothing stops the message
# afterwards, the same lines still appear in kern.log and syslog above.
# NOTE(review): to pin these to kernel-originated messages, a
# RainerScript form such as
#   if $syslogfacility-text == 'kern' and $msg contains 'IPTables: ' then action(type="omfile" file="/var/log/iptables.log")
# would be the usual replacement.
:msg, contains, "IPTables: "    -/var/log/iptables.log
:msg, contains, "Hackers: "     -/var/log/hackers.log
:msg, contains, "IP6Tables: "   -/var/log/ip6tables.log
:msg, contains, "Hackers6: "    -/var/log/hackers6.log
lpr.*                           -/var/log/lpr.log
#mail.*                         -/var/log/mail.log
user.*                          -/var/log/user.log
# local1/local2/local6 are the facilities opendkim, dovecot and clamav
# are assumed to log to -- check each daemon's own configuration agrees.
local1.*                        -/var/log/opendkim.log
local2.*                        -/var/log/dovecot.log
local6.*                        -/var/log/clamav.log

# Log by severity

# error.log collects err-and-above from every facility (so the mail and
# dovecot errors below are duplicated here); warning.log takes exactly
# "warn" but leaves out mail and dovecot (local2), which get their own
# files further down.
*.err                           /var/log/error.log
*.=warn;mail.none;local2.none   -/var/log/warning.log

# Split up mail logs appropriately.

# "mail.warn" and "local2.warn" are warn-and-above, so a mail error
# lands in mail.warn as well as mail.err (and error.log above).
mail.=notice;mail.=debug        -/var/log/mail.notice
mail.=info                      -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
local2.warn                     -/var/log/dovecot.warn
mail.err                        /var/log/mail.err

#
# Some "catch-all" log files.
#
# debug: everything at exactly debug except auth, news, kern and
# dovecot (local2); note mail.=debug is therefore written both here
# and to mail.notice.
# messages: info/notice/warn with auth, cron, daemon, mail, news and
# local2 excluded; kern, user, lpr, local1 and local6 are not excluded,
# so their messages appear here as well as in their own files.
#
*.=debug;\
        auth,authpriv.none;\
        news.none;kern.none;\
        local2.none             -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none;\
        local2.none             -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                         :omusrmsg:*

Logrotate

Edit or add entries in /etc/logrotate.d/ as needed for your installation.

/etc/logrotate.d/rsyslog

# /var/log/syslog is the high-volume catch-all, so it rotates daily and
# 14 rotations keep roughly two weeks of history.
/var/log/syslog
{
        rotate 14
        daily
        missingok
        notifempty
        delaycompress
        compress
        postrotate
                /usr/lib/rsyslog/rsyslog-rotate
        endscript
}

# Everything else rotates weekly with 13 rotations, i.e. about a
# quarter of history. auth.log is in this group, so authentication
# history is retained for only about three months -- NOTE(review):
# confirm that is long enough for incident-response and audit needs,
# or give auth.log its own stanza with a larger "rotate" count.
# /var/log/mail.log is commented out in rsyslog.conf, so it normally
# does not exist; "missingok" keeps that from being reported as an error.
# There is no "create" line here: the global "create" in
# /etc/logrotate.conf applies, which recreates each file with the old
# file's owner and mode.
/var/log/mail.notice
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/dovecot.log
/var/log/dovecot.warn
/var/log/clamav.log
/var/log/daemon.log
/var/log/iptables.log
/var/log/hackers.log
/var/log/ip6tables.log
/var/log/hackers6.log
/var/log/opendkim.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/error.log
/var/log/warning.log
/var/log/debug
/var/log/messages
{
        rotate 13
        weekly
        missingok
        notifempty
        compress
        # keep the newest rotated file uncompressed for one cycle, so
        # anything rsyslog writes before it is signalled lands intact
        delaycompress
        # run postrotate once for the whole list rather than once per file
        sharedscripts
        postrotate
                /usr/lib/rsyslog/rsyslog-rotate
        endscript
}

/etc/logrotate.conf

# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 26 weeks (half a year) of backlogs -- rotation is weekly, so the
# "rotate" count is a number of weeks, not days
rotate 26
# create new (empty) log files after rotating old ones
# (with the rotated file's owner and mode unless a stanza overrides it)
create
# use date as a suffix of the rotated file
#dateext
# compress rotated logs; delaycompress leaves the newest one
# uncompressed until the next cycle so a daemon that has not yet been
# signalled can finish writing to it
compress
delaycompress
# packages drop log rotation information into this directory; settings
# in those stanzas override the defaults above for the files they name
include /etc/logrotate.d