User:Bodik/syslog-elixir

From MetaCentrum

The syslog-elixir.metacentrum.cz logging server runs an rsyslog server that receives log records over TCP, UDP and RELP. It only accepts records from registered sources, so every logging node must be registered by the IPv4 and/or IPv6 address it will send from before it starts forwarding.

Registration

Registration must be completed before the server will accept logs from a node. To register, send an email to mailto:ruda@ics.muni.cz with the following subject and body:

Subject: syslog-elixir logging node registration <FQDN_LOGGING_NODE>

Node name: <FQDN_LOGGING_NODE>
IPv4:
IPv6:
logged application:
administrator contact:

Service description

The service is not meant to receive a node's complete syslog stream, but only the subset of security and application data that is relevant for the given node:

  • the auth facility (auth.*, authpriv.*), to aid security investigations
  • application data from computing services sent with an agreed facility (e.g. localX; the examples below use local5)
  • application data from computing services identified by an agreed program name (the examples below use svc123)

Logs are stored both per hour (/var/log/hosts/Y/M/D/svc-YMD.H) and per host (/var/log/hosts/perhost/Y/M/D/host/svc). Authorization is based primarily on the IP allow-list managed by the server's local puppet/iptables module, which is why nodes have to be registered by address.

rsyslog

TCP sender legacy config

Legacy directive syntax. Each group of $ActionQueue* directives applies only to the action that follows it, which is why every forwarding rule carries its own group with a distinct $ActionQueueFileName; @@ (double at sign) selects TCP. The disk-assisted queue keeps records on the node while the server is unreachable instead of dropping them.

$ActionQueueType LinkedList             # use asynchronous processing
$ActionQueueFileName omfwd1             # set file name, also enables disk mode
$ActionResumeRetryCount -1              # infinite retries on insert failure
$ActionQueueSaveOnShutdown on           # save in-memory data if rsyslog shuts down
$ActionQueueMaxDiskSpace 100m           # limit disk cache
$ActionQueueTimeoutEnqueue 100          # don't block worker indefinitely when cache fills up
auth.*,authpriv.* @@syslog-elixir.metacentrum.cz:514

$ActionQueueType LinkedList             # use asynchronous processing
$ActionQueueFileName omfwd2             # set file name, also enables disk mode
$ActionResumeRetryCount -1              # infinite retries on insert failure
$ActionQueueSaveOnShutdown on           # save in-memory data if rsyslog shuts down
$ActionQueueMaxDiskSpace 100m           # limit disk cache
$ActionQueueTimeoutEnqueue 100          # don't block worker indefinitely when cache fills up
local5.* @@syslog-elixir.metacentrum.cz:514

$ActionQueueType LinkedList             # use asynchronous processing
$ActionQueueFileName omfwd3             # set file name, also enables disk mode
$ActionResumeRetryCount -1              # infinite retries on insert failure
$ActionQueueSaveOnShutdown on           # save in-memory data if rsyslog shuts down
$ActionQueueMaxDiskSpace 100m           # limit disk cache
$ActionQueueTimeoutEnqueue 100          # don't block worker indefinitely when cache fills up
:programname, contains, "svc123" @@syslog-elixir.metacentrum.cz:514

TCP sender v7+ config

RainerScript syntax for rsyslog 7 and newer; the queue parameters are the same as in the legacy blocks above, bound to each action inside its action() statement.

auth.*,authpriv.* action(type="omfwd"
       protocol="tcp"                          # forwarding protocol
       target="syslog-elixir.metacentrum.cz"   # rsyslog server host
       port="514"                              # rsyslog server port
       queue.FileName="omfwd1"                 # set file name, also enables disk mode
       queue.Type="LinkedList"                 # use asynchronous processing
       queue.MaxDiskSpace="100m"               # limit disk cache
       queue.SaveOnShutdown="on"               # save in-memory data if rsyslog shuts down
       queue.TimeoutEnqueue="100"              # don't block worker indefinitely when cache fills up
       action.ResumeRetryCount="-1"            # infinite retries on insert failure
)

local5.* action(type="omfwd"
       protocol="tcp"                          # forwarding protocol
       target="syslog-elixir.metacentrum.cz"   # rsyslog server host
       port="514"                              # rsyslog server port
       queue.FileName="omfwd2"                 # set file name, also enables disk mode
       queue.Type="LinkedList"                 # use asynchronous processing
       queue.MaxDiskSpace="100m"               # limit disk cache
       queue.SaveOnShutdown="on"               # save in-memory data if rsyslog shuts down
       queue.TimeoutEnqueue="100"              # don't block worker indefinitely when cache fills up
       action.ResumeRetryCount="-1"            # infinite retries on insert failure
)

:programname, contains, "svc123" action(type="omfwd"
       protocol="tcp"                          # forwarding protocol
       target="syslog-elixir.metacentrum.cz"   # rsyslog server host
       port="514"                              # rsyslog server port
       queue.FileName="omfwd3"                 # set file name, also enables disk mode
       queue.Type="LinkedList"                 # use asynchronous processing
       queue.MaxDiskSpace="100m"               # limit disk cache
       queue.SaveOnShutdown="on"               # save in-memory data if rsyslog shuts down
       queue.TimeoutEnqueue="100"              # don't block worker indefinitely when cache fills up
       action.ResumeRetryCount="-1"            # infinite retries on insert failure
)

UDP sender legacy config

A single @ selects UDP. UDP gives no delivery guarantee and the actions below carry no queue, so records are silently lost whenever the network or the server is unavailable; prefer the TCP sender where possible and use UDP only for nodes that cannot keep a TCP connection.

auth.*,authpriv.* @syslog-elixir.metacentrum.cz:514
local5.* @syslog-elixir.metacentrum.cz:514
:programname, contains, "svc123" @syslog-elixir.metacentrum.cz:514


UDP sender v7+ config

auth.*,authpriv.* action(type="omfwd"
        protocol="udp"                          # forwarding protocol
        target="syslog-elixir.metacentrum.cz"   # rsyslog server host
        port="514"                              # rsyslog server port
)

local5.* action(type="omfwd"
        protocol="udp"                          # forwarding protocol
        target="syslog-elixir.metacentrum.cz"   # rsyslog server host
        port="514"                              # rsyslog server port
)

:programname, contains, "svc123" action(type="omfwd"
        protocol="udp"                          # forwarding protocol
        target="syslog-elixir.metacentrum.cz"   # rsyslog server host
        port="514"                              # rsyslog server port
)
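The following is an added example, not part of the original page or of the syslog-elixir service. It simulates what the three forwarding rules above (auth.*/authpriv.*, local5.*, and programname contains "svc123") select from a node's syslog stream and what the TCP sender puts on the wire, by forwarding the selected records over a loopback TCP connection to a throwaway listener that stands in for the logging server. Facility numbers are the standard RFC 3164 values (auth = 4, authpriv = 10, local5 = 21) and the framing is rsyslog's default for TCP (one LF-terminated message per line); the sample log lines, hostnames, PIDs and addresses are constructed for the example.

```python
"""Added example: simulate the page's three rsyslog forwarding rules and the
TCP sender's wire format. Sample lines are constructed, not real logs."""
import re
import socket
import threading

# RFC 3164 facility codes 0..23 and severity codes 0..7 (PRI = facility*8 + severity)
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
                  "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse(line):
    """Split an RFC 3164 line into (facility, severity, programname, tag).
    programname is the TAG up to the first '[' or ':' (simplified rsyslog behaviour)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no PRI header: %r" % line)
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    # TIMESTAMP HOSTNAME TAG...: split on whitespace runs so "Jan  1" parses too
    parts = m.group(2).split(None, 4)
    if len(parts) < 5:
        raise ValueError("truncated header: %r" % line)
    tag = parts[4]
    prog = re.match(r"[^\[:\s]*", tag).group(0)
    return FACILITY_NAMES[facility], SEVERITY_NAMES[severity], prog, tag


def matching_rules(line):
    """Names of the page's forwarding rules this line matches (possibly several)."""
    fac, _sev, prog, _tag = parse(line)
    hits = []
    if fac in ("auth", "authpriv"):
        hits.append("auth.*,authpriv.*")
    if fac == "local5":
        hits.append("local5.*")
    if "svc123" in prog:  # rsyslog 'contains': svc123-worker would match as well, any facility
        hits.append(':programname, contains, "svc123"')
    return hits


def frame_tcp(line):
    """rsyslog omfwd default TCP framing: the message followed by a single LF."""
    return line.rstrip("\r\n").encode("utf-8") + b"\n"


def forward_tcp(lines, host, port):
    """Send lines over one persistent TCP connection, like @@host:514 does."""
    with socket.create_connection((host, port), timeout=5) as s:
        for line in lines:
            s.sendall(frame_tcp(line))
    return len(lines)


SAMPLE_LINES = [  # constructed sample input
    "<38>Jan 10 12:00:01 node1 sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2",
    "<86>Jan 10 12:00:02 node1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/bin/ls",
    "<174>Jan 10 12:00:03 node1 myapp[77]: job 42 finished",
    "<30>Jan 10 12:00:04 node1 svc123[88]: request handled in 12ms",
    "<30>Jan  1 00:00:05 node1 cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
    "<6>Jan 10 12:00:06 node1 kernel: eth0: link is up",
]


def demo_roundtrip(lines=SAMPLE_LINES):
    """Start a loopback TCP listener standing in for the logging server, forward
    what the rules select, and return (selected, received) for comparison."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
    srv.listen(1)
    port = srv.getsockname()[1]
    received = []

    def serve():
        conn, _ = srv.accept()
        buf = b""
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
        received.extend(buf.decode("utf-8").split("\n")[:-1])  # one message per LF

    t = threading.Thread(target=serve)
    t.start()
    selected = [l for l in lines if matching_rules(l)]
    forward_tcp(selected, "127.0.0.1", port)
    t.join(5)
    srv.close()
    return selected, received


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        fac, sev, prog, _ = parse(line)
        print("%-8s.%-7s %-8s -> %s" % (fac, sev, prog, matching_rules(line) or "not forwarded"))
    sel, rec = demo_roundtrip()
    print("forwarded %d of %d lines, listener received %d" % (len(sel), len(SAMPLE_LINES), len(rec)))
```

Run it as a script to see which sample lines each rule picks up; the cron and kernel lines are not forwarded, which is the intended behaviour of sending only a subset of the node's syslog. Note that both the rsyslog "contains" match and the syslog-ng program() filter below are substring/regex matches, so a program named svc123-worker would be forwarded too.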


syslog-ng

TCP sender config

log_fifo_size() is an in-memory buffer only; records beyond it are dropped while the server is unreachable. Newer syslog-ng OSE versions can add a disk-buffer() option to the destination for behaviour comparable to the rsyslog disk-assisted queues above.

# ensure source s_src exists; most distribution default configs define it as below,
# but the name and contents may vary depending on the system's custom config
# source s_src { system(); internal(); };
# f_auth and f_debug are referenced below and come from the distribution default
# config (Debian's definitions shown); add them if your config does not have them
# filter f_auth { facility(auth, authpriv) and not filter(f_debug); };
# filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
destination d_net { tcp("syslog-elixir.metacentrum.cz" port(514) log_fifo_size(1000)); };
filter f_local5 { facility(local5) and not filter(f_debug); };
filter f_svc123 { program("svc123"); };   # regex match, so svc123-worker would match too
log { source(s_src); filter(f_auth); destination(d_net); };
log { source(s_src); filter(f_local5); destination(d_net); };
log { source(s_src); filter(f_svc123); destination(d_net); };

UDP sender config

# ensure source s_src exists; most distribution default configs define it as below,
# but the name and contents may vary depending on the system's custom config
# source s_src { system(); internal(); };
# f_auth and f_debug are referenced below and come from the distribution default
# config (Debian's definitions shown); add them if your config does not have them
# filter f_auth { facility(auth, authpriv) and not filter(f_debug); };
# filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
# UDP: no delivery guarantee, records are lost while the server is unreachable
destination d_net { udp("syslog-elixir.metacentrum.cz" port(514)); };
filter f_local5 { facility(local5) and not filter(f_debug); };
filter f_svc123 { program("svc123"); };   # regex match, so svc123-worker would match too
log { source(s_src); filter(f_auth); destination(d_net); };
log { source(s_src); filter(f_local5); destination(d_net); };
log { source(s_src); filter(f_svc123); destination(d_net); };


Rsyslog Windows Agent

  • the recommended client for the MS Windows platform is the Rsyslog Windows Agent [1]
  • configure forwarding in RuleSets > Default RuleSet > Forward Syslog > Actions > Rsyslog and set:
    • tab Syslog Message Options
      • Protocol type: TCP (persistent connection)
      • Syslog server: syslog-elixir.metacentrum.cz
    • tab TCP Related Options
      • check "Use Diskqueue if connection to Syslog Server fails"
(screenshot: Syslog Message Options tab)
(screenshot: TCP Related Options tab)