Logging (Wheezy)

From Hexwiki
Jump to: navigation, search

While rsyslog obviously has a version, your use for it is going to be installation specific, and this logging documentation is specific to the Debian Wheezy guide. Of course, there are certainly parts you might be interested in for different installs.

Rsyslog

The bottom configuration has not changed much for me over the past half-decade. The main thing is splitting up the mail logs - they get to be immense once you start sending a lot of email.

Don't forget to restart rsyslog after editing this file:

/etc/init.d/rsyslog restart

/etc/rsyslog.conf

#  /etc/rsyslog.conf    Configuration file for rsyslog.
#################
#### MODULES ####
#################
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability
# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
###########################
#### GLOBAL DIRECTIVES ####
###########################
# Use traditional timestamp format.
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Set the default permissions for all log files. Make them a bit more restrictive.
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0750
$Umask 0007
# Includes are disabled for now.
#$IncludeConfig /etc/rsyslog.d/*.conf
###############
#### RULES ####
###############
# First some standard log files.  Log by facility.
# Log by service 
auth,authpriv.*                 /var/log/auth.log
cron.*                          -/var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*;kern.!=debug             -/var/log/kern.log
# Our IPTables rules uses the Debug level of kernel logging
# for that purpose.
:msg, contains, "IPTables: "    -/var/log/iptables.log
:msg, contains, "Hackers: "     -/var/log/hackers.log
:msg, contains, "IP6Tables: "   -/var/log/ip6tables.log
:msg, contains, "Hackers6: "    -/var/log/hackers6.log
ftp.*                           -/var/log/ftp.log
lpr.*                           -/var/log/lpr.log
news.*                          -/var/log/news.log
uucp.*                          -/var/log/uucp.log
syslog.*                        -/var/log/sys.log
user.*                          -/var/log/user.log
# While suhosin doesn't have a php5.4 edition, I've got it
# here for if it ever gets updated again. It does have some
# uses.
local0.*                        -/var/log/suhosin.log
# Most of the time, dovecot and dkim are not going to be your mail issues.
# However, they will happily fill up your mail logs if you let them.
local1.*                        -/var/log/opendkim.log
local2.*                        -/var/log/dovecot.log
# Rsyncd
local4.*                        -/var/log/rsyncd.log
# Clamav.log defaults to 6
local6.*                        -/var/log/clamav.log
# Log by severity
*.err                           /var/log/error.log
*.=warn;mail.none;local2.none   -/var/log/warning.log
# Split up mail logs appropriately.
mail.=notice;mail.=debug        -/var/log/mail.notice
mail.=info                      -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
local2.warn                     -/var/log/dovecot.warn

# Emergencies are sent to everybody logged in.
*.emerg                         *

Logrotate

  • /etc/logrotate.conf
    • rotate 26
    • uncomment compress, add delaycompress
  • /etc/logrotate.d/
    • for all entries:
    • rotate 26, weekly, unless already longer/less common
    • adjust special creation permissions (no world readable, etc)
    • add delaycompress if needed
    • MySQL:
      • add /var/log/mysql/mysql-error.log
    • Rsyslog
      • Adjust files appropriately, add suhosin, opendkim, etc.

My general policy is to keep logs for half a year. Since most issues involve the past week and change, delaycompress is almost mandatory.