Logging (Buster)
Jump to navigation
Jump to search
While rsyslog obviously has a version, your use for it is going to be installation specific, and this logging documentation is specific to this version's guide. Of course, there are certainly parts you might be interested in for different installs.
Note after editing rsyslog.conf you will want to restart it:
systemctl restart rsyslog
/etc/rsyslog.conf
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0007
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
###############
#### RULES ####
###############
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none;\
mail,local2.none -/var/log/syslog
cron.* -/var/log/cron.log
daemon.* -/var/log/daemon.log
kern.*;kern.!=debug -/var/log/kern.log
:msg, contains, "IPTables: " -/var/log/iptables.log
:msg, contains, "Hackers: " -/var/log/hackers.log
:msg, contains, "IP6Tables: " -/var/log/ip6tables.log
:msg, contains, "Hackers6: " -/var/log/hackers6.log
lpr.* -/var/log/lpr.log
#mail.* -/var/log/mail.log
user.* -/var/log/user.log
local1.* -/var/log/opendkim.log
local2.* -/var/log/dovecot.log
local6.* -/var/log/clamav.log
# Log by severity
*.err /var/log/error.log
*.=warn;mail.none;local2.none -/var/log/warning.log
# Split up mail logs appropriately.
mail.=notice;mail.=debug -/var/log/mail.notice
mail.=info -/var/log/mail.info
mail.warn -/var/log/mail.warn
local2.warn -/var/log/dovecot.warn
mail.err /var/log/mail.err
#
# Some "catch-all" log files.
#
*.=debug;\
auth,authpriv.none;\
news.none;kern.none;\
local2.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none;\
local2.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
Logrotate
You'll want to edit or add specific entries in /etc/logrotate.d/ as needed.
/etc/logrotate.d/rsyslog
/var/log/syslog
{
rotate 14
daily
missingok
notifempty
delaycompress
compress
postrotate
/usr/lib/rsyslog/rsyslog-rotate
endscript
}
/var/log/mail.notice
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/dovecot.log
/var/log/dovecot.warn
/var/log/clamav.log
/var/log/daemon.log
/var/log/iptables.log
/var/log/hackers.log
/var/log/ip6tables.log
/var/log/hackers6.log
/var/log/opendkim.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/error.log
/var/log/warning.log
/var/log/debug
/var/log/messages
{
rotate 13
weekly
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
/usr/lib/rsyslog/rsyslog-rotate
endscript
}
/etc/logrote.conf
# see "man logrotate" for details # rotate log files weekly weekly
# keep 4 weeks worth of backlogs rotate 26
# create new (empty) log files after rotating old ones create
# use date as a suffix of the rotated file #dateext
# uncomment this if you want your log files compressed compress delaycompress
# packages drop log rotation information into this directory include /etc/logrotate.d