Logging (Wheezy)
rsyslog itself is versioned, but how you use it is installation specific, and the logging notes on this page belong to the Debian Wheezy guide: the services logged, the local facilities they use and the file names all follow this particular setup. Parts of it will still be useful on other installs.
Rsyslog
The configuration below has changed little over the past half-decade. The main departure from the Debian default is splitting up the mail logs, which become immense once you start sending a lot of email. Two things to keep in mind: the $IncludeConfig line is commented out, so any snippet a package drops into /etc/rsyslog.d/ is ignored until you re-enable it or fold its rules into this file, and the file-creation directives only govern files rsyslog creates itself, so logrotate's create modes (see the Logrotate section) have to agree with them.
Check the syntax with rsyslogd -N1 (a config check that does not start the daemon), and don't forget to restart rsyslog after editing this file:
/etc/init.d/rsyslog restart
/etc/rsyslog.conf
# /etc/rsyslog.conf Configuration file for rsyslog.

#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

###########################
#### GLOBAL DIRECTIVES ####
###########################

# Use traditional timestamp format.
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Set the default permissions for all log files. Make them a bit more
# restrictive than the Debian defaults (0755 directories, umask 0022),
# so nothing under /var/log is world-readable.
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0750
$Umask 0007

# Includes are disabled for now, so nothing in /etc/rsyslog.d/ is read.
#$IncludeConfig /etc/rsyslog.d/*.conf

###############
#### RULES ####
###############

# First some standard log files. Log by facility.
# Log by service
auth,authpriv.*                 /var/log/auth.log
cron.*                          -/var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*;kern.!=debug             -/var/log/kern.log
# Our IPTables rules use the debug level of kernel logging
# for that purpose. These property filters match on message text only:
# they are not tied to the kern facility, and a matching message still
# goes on to match any later rule as well.
:msg, contains, "IPTables: "    -/var/log/iptables.log
:msg, contains, "Hackers: "     -/var/log/hackers.log
:msg, contains, "IP6Tables: "   -/var/log/ip6tables.log
:msg, contains, "Hackers6: "    -/var/log/hackers6.log
ftp.*                           -/var/log/ftp.log
lpr.*                           -/var/log/lpr.log
news.*                          -/var/log/news.log
uucp.*                          -/var/log/uucp.log
syslog.*                        -/var/log/sys.log
user.*                          -/var/log/user.log
# While suhosin doesn't have a php5.4 edition, I've got it
# here for if it ever gets updated again. It does have some
# uses.
local0.*                        -/var/log/suhosin.log
# Most of the time, dovecot and dkim are not going to be your mail issues.
# However, they will happily fill up your mail logs if you let them.
local1.*                        -/var/log/opendkim.log
local2.*                        -/var/log/dovecot.log
# Rsyncd
local4.*                        -/var/log/rsyncd.log
# Clamav.log defaults to 6
local6.*                        -/var/log/clamav.log

# Log by severity
*.err                           /var/log/error.log
*.=warn;mail.none;local2.none   -/var/log/warning.log

# Split up mail logs appropriately.
mail.=notice;mail.=debug        -/var/log/mail.notice
mail.=info                      -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
local2.warn                     -/var/log/dovecot.warn

# Emergencies are sent to everybody logged in.
# (Wheezy's rsyslog 5.8 accepts the legacy "*" here but prefers the
# explicit :omusrmsg:* form for this action.)
*.emerg                         *
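To see what the selectors above actually do before restarting the daemon, here is a small evaluator of the classic selector syntax, added as an example on this page and not rsyslog's own code. It carries a subset of the (filter, file) pairs from the configuration above and runs a few constructed sample messages through them; the sample lines and the addresses in them are made up for the example, and the `!prio` form is modelled as well even though the file above does not use it.

```python
"""Added example (not rsyslog code): a small evaluator for the selector syntax
used in the /etc/rsyslog.conf above, so routing can be sanity-checked before a
restart.  It models the classic sysklogd-style rules the file relies on:

  fac[,fac].prio      prio and everything more severe
  fac.=prio           exactly prio        fac.!=prio   everything except prio
  fac.!prio           drop prio and everything more severe
  fac.none            nothing from fac    sel;sel      later parts override/subtract
  :msg, contains, "x" property filter on the message text, any facility
"""

FACILITIES = {n: i for i, n in enumerate(
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp".split())}
FACILITIES.update({"local%d" % i: 16 + i for i in range(8)})

# Severity index as in syslog(3): 0 = emerg (most severe) ... 7 = debug.
PRIORITIES = {n: i for i, n in enumerate(
    "emerg alert crit err warning notice info debug".split())}
PRIORITIES.update({"panic": 0, "error": 3, "warn": 4})

# A subset of the (filter, file) pairs from the configuration above; the
# leading '-' (asynchronous write) is dropped because it does not affect routing.
RULES = [
    ("auth,authpriv.*", "/var/log/auth.log"),
    ("kern.*;kern.!=debug", "/var/log/kern.log"),
    (':msg, contains, "IPTables: "', "/var/log/iptables.log"),
    (':msg, contains, "Hackers: "', "/var/log/hackers.log"),
    ("user.*", "/var/log/user.log"),
    ("local2.*", "/var/log/dovecot.log"),
    ("*.err", "/var/log/error.log"),
    ("*.=warn;mail.none;local2.none", "/var/log/warning.log"),
    ("mail.=notice;mail.=debug", "/var/log/mail.notice"),
    ("mail.=info", "/var/log/mail.info"),
    ("mail.warn", "/var/log/mail.warn"),
    ("local2.warn", "/var/log/dovecot.warn"),
]


def parse_selector(selector):
    """Return {facility: set of severity indices} matched by one selector line."""
    allowed = {f: set() for f in FACILITIES}
    for part in selector.split(";"):
        facs, prio = part.strip().rsplit(".", 1)
        targets = list(FACILITIES) if facs == "*" else [f.strip() for f in facs.split(",")]
        for fac in targets:
            if prio == "*":
                allowed[fac] = set(range(8))
            elif prio == "none":
                allowed[fac] = set()
            elif prio.startswith("!="):          # subtract exactly this severity
                allowed[fac] = allowed[fac] - {PRIORITIES[prio[2:]]}
            elif prio.startswith("!"):           # subtract this severity and worse
                allowed[fac] = {p for p in allowed[fac] if p > PRIORITIES[prio[1:]]}
            elif prio.startswith("="):           # exactly this severity
                allowed[fac] = {PRIORITIES[prio[1:]]}
            else:                                # this severity and worse
                allowed[fac] = {p for p in range(8) if p <= PRIORITIES[prio]}
    return allowed


def route(facility, priority, msg):
    """List the files a message would be written to under RULES, in rule order."""
    hits = []
    for selector, dest in RULES:
        if selector.startswith(":msg"):
            needle = selector.split(",", 2)[2].strip().strip('"')
            matched = needle in msg            # text match only, any facility
        else:
            matched = PRIORITIES[priority] in parse_selector(selector)[facility]
        if matched:
            hits.append(dest)
    return hits


# Constructed sample messages (facility, severity, text); the addresses are
# from the RFC 5737 documentation ranges.
SAMPLES = [
    ("kern", "debug", "IPTables: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22"),
    ("kern", "warning", "IPTables: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23"),
    ("mail", "info", "postfix/smtpd[1234]: connect from unknown[203.0.113.5]"),
    ("mail", "warning", "postfix/smtpd[1234]: warning: hostname lookup failed"),
    ("local2", "err", "dovecot: imap-login: Disconnected (auth failed)"),
    ("user", "notice", "Hackers: text written by an unprivileged local process"),
]

if __name__ == "__main__":
    for fac, prio, msg in SAMPLES:
        print("%-14s -> %s" % (fac + "." + prio, ", ".join(route(fac, prio, msg)) or "(dropped)"))
```

Two results are worth noticing. A kern.debug iptables line lands only in iptables.log, as intended, but the same prefix at kern.warning also lands in kern.log and warning.log, because a property filter does not stop later rules. And the last sample shows that the "Hackers: " filter keys on message text alone: any local process can write such a line through /dev/log (logger will do it), and it ends up in hackers.log next to the kernel's own entries. Treat those files as untrusted input if something like fail2ban acts on them.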
Logrotate
- /etc/logrotate.conf
  - rotate 26
  - uncomment compress, add delaycompress
- /etc/logrotate.d/
  - for all entries:
    - rotate 26 and weekly, unless the entry already keeps more or rotates less often
    - tighten any explicit create modes so rotated files are not world-readable (0640 with group adm, matching rsyslog's $FileCreateMode above)
    - add delaycompress if needed
  - MySQL:
    - add /var/log/mysql/mysql-error.log
  - Rsyslog:
    - adjust the file list to match the rsyslog.conf above (add suhosin, opendkim, etc.), or the new files will never be rotated
My general policy is to keep logs for half a year, hence 26 weekly rotations. Since most investigations involve the past week or so, delaycompress is almost mandatory: the most recent rotated file stays uncompressed, so it can be grepped directly, and a daemon that still has the old file open until it is told to reopen its logs does not keep writing into a file that is being gzipped.
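The notes above turned into concrete files, as an added example rather than the page's own configuration. It assumes the log names from the rsyslog.conf on this page and the postrotate action used by the Wheezy rsyslog package's stock /etc/logrotate.d/rsyslog (invoke-rc.d rsyslog rotate, which makes the daemon reopen its files); compare with your installed copy if it differs. The MySQL entry is not shown.

```conf
# /etc/logrotate.conf (global defaults; entries in /etc/logrotate.d/ override them)
weekly
rotate 26
create
compress
delaycompress
include /etc/logrotate.d

# /etc/logrotate.d/rsyslog, with the file list matching the rsyslog.conf above.
# "create 0640 root adm" keeps rotated files consistent with rsyslog's own
# $FileCreateMode/$FileOwner/$FileGroup, so nothing becomes world-readable.
/var/log/auth.log
/var/log/cron.log
/var/log/daemon.log
/var/log/kern.log
/var/log/iptables.log
/var/log/hackers.log
/var/log/ip6tables.log
/var/log/hackers6.log
/var/log/ftp.log
/var/log/lpr.log
/var/log/news.log
/var/log/uucp.log
/var/log/sys.log
/var/log/user.log
/var/log/suhosin.log
/var/log/opendkim.log
/var/log/dovecot.log
/var/log/dovecot.warn
/var/log/rsyncd.log
/var/log/clamav.log
/var/log/error.log
/var/log/warning.log
/var/log/mail.notice
/var/log/mail.info
/var/log/mail.warn
{
	rotate 26
	weekly
	missingok
	notifempty
	compress
	delaycompress
	create 0640 root adm
	sharedscripts
	postrotate
		invoke-rc.d rsyslog rotate > /dev/null
	endscript
}
```

sharedscripts matters here: with one postrotate block for many files, rsyslog is told to reopen its logs once after the whole set is rotated instead of once per file. You can rehearse the rotation without touching anything with logrotate -d /etc/logrotate.conf, which prints what it would do for every entry.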