Differences

This shows you the differences between two versions of the page.

--- aix:aix_rsyslog [2021/02/06 16:10]
manu
+++ aix:aix_rsyslog [2022/11/21 17:31] (current)
manu [debugging :]
@@ Line 120: / Line 120: @@
 </code>
 Copytruncate is also an option instead reloading rsyslog, but you could lose some entries
+Example in Linux
+<cli prompt='#'>
+manu-opensuse:/etc/logrotate.d # cat syslog
+/var/log/warn /var/log/messages /var/log/allmessages /var/log/localmessages
+/var/log/firewall /var/log/acpid /var/log/NetworkManager
+/var/log/mail /var/log/mail.info /var/log/mail.warn /var/log/mail.err
+/var/log/news/news.crit /var/log/news/news.err /var/log/news/news.notice
+{
+    compress
+    dateext
+    maxage 365
+    rotate 99
+    missingok
+    notifempty
+    size +4096k
+    create 640 root root
+    sharedscripts
+    postrotate
+        /usr/bin/systemctl reload syslog.service > /dev/null
+    endscript
+}
+</cli>
 ===== Advanced setup =====
+Debug output sent to central server:
+<cli prompt='#'>
+[root@aix001]/etc#  tcpdump  -i en0  host 10.10.10.10 -v
+        Msg: May 18 16:15:56 aix001 "AIX_AUDIT" 18 May 2022 16:15:46.652129  FS_Chdir        rsyslogd                        root     root     OK          34931838 4260108
+:15:56.664128 IP (tos 0x0, ttl 30, id 54514, offset 0, flags [none], proto UDP (17), length 117)
+    aix001.38075 > syslogsrv01.syslog: SYSLOG, length: 89
+        Facility local7 (23), Severity debug (7)
+...
+</cli>
 To revert back to **old date format**, add this option in /etc/rsyslog.conf
@@ Line 200: / Line 234: @@
 # Send messages we receive to another syslog server using TCP port 514
 *.* @@W.X.Y.Z:514
+# Send messages we receive to another syslog server using UDP port 514
+*.notice @10.10.10.10
+auth,authpriv.info @10.20.20.20:1234
 ################
@@ Line 253: / Line 291: @@
 http://gileb-aix.blogspot.fr/2013/03/rsyslogd-on-aix.html
+Redirect output of specific file
+<code>
+#/etc/rsyslog.conf
+$ModLoad imfile
+$InputFileName /data/mysql/error.log
+$InputFileTag mysql-error
+$InputFileStateFile stat-mysql-error
+$InputFileSeverity error
+$InputFileFacility local3
+$InputRunFileMonitor
+local3.* @@hostname:<portnumber>
+# Set the default permissions for all log files.
+#
+#$FileOwner syslog
+#$FileGroup adm
+#$FileCreateMode 0640
+#$DirCreateMode 0755
+#$Umask 0022
+#$PrivDropToUser syslog
+#$PrivDropToGroup syslog
+</code>
 ===== centralize login =====
@@ Line 262: / Line 323: @@
 Now you are able to collect to syslog all login informations:
   *.debug /var/log/auth.log
+===== Custom message format =====
+Template names beginning with "RSYSLOG_" are reserved for rsyslog use. Do NOT use them if, otherwise you may receive a conflict in the future (and quite unpredictable behaviour). There is a small set of pre-defined templates that you can use without the need to define it:
+  * RSYSLOG_TraditionalFileFormat - the "old style" default log file format with low-precision timestamps
+  * RSYSLOG_FileFormat - a modern-style logfile format similar to TraditionalFileFormat, buth with high-precision timestamps and timezone information
+  * RSYSLOG_TraditionalForwardFormat - the traditional forwarding format with low-precision timestamps. Most useful if you send messages to other syslogd's or rsyslogd below version 3.12.5.
+  * RSYSLOG_ForwardFormat - a new high-precision forwarding format very similar to the traditional one, but with high-precision timestamps and timezone information. Recommended to be used when sending messages to rsyslog 3.12.5 or above.
+  * RSYSLOG_SyslogProtocol23Format - the format specified in IETF's internet-draft ietf-syslog-protocol-23, which is assumed to be come the new syslog standard RFC. This format includes several improvements. The rsyslog message parser understands this format, so you can use it together with all relatively recent versions of rsyslog. Other syslogd's may get hopelessly confused if receiving that format, so check before you use it. Note that the format is unlikely to change when the final RFC comes out, but this may happen.
+  * RSYSLOG_DebugFormat - a special format used for troubleshooting property problems. This format is meant to be written to a log file. Do not use for production or remote forwarding.
+String-based Template Samples
+This section provides some sample of what the default formats would look as a text-based template. Hopefully, their description is self-explanatory. Note that each $Template statement is on a single line, but probably broken accross several lines for display purposes by your browsers. Lines are separated by empty lines.
+<cli>
+A template that resembles traditional syslogd file output:
+    $template TraditionalFormat,”%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n”
+A template that tells you a little more about the message:
+    $template precise,”%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%, %syslogtag%,%msg%\n”
+A template for RFC 3164 format:
+    $template RFC3164fmt,”<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%”
+A template for the format traditionally used for user messages:
+    $template usermsg,” XXXX%syslogtag%%msg%\n\r”
+And a template with the traditional wall-message format:
+    $template wallmsg,”\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated%
+A template that can be used for the database write (please note the SQL template option)
+    $template MySQLInsert,”insert iut, message, received at values (‘%iut%’, ‘%msg:::UPPERCASE%’, ‘%timegenerated:::date-mysql%’) into systemevents\r\n”, SQL
+The following template emulates WinSyslog format:
+    $template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,
+%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,
+%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,
+%syslogtag%%msg%\\n"
+$template FileFormat,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
+$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
+$template TraditionalForwardFormat,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
+$template StdSQLFormat,"insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",SQL
+</cli>
+To assign a msg to a format:
+  kern.crit @server.example.net;RFC3164fmt
+===== Example =====
+<cli prompt='>'>
+[root@aixclt01]/var/log/syslog> cat /etc/rsyslog.conf
+################ Order of the lines is important #################
+# Load the unix socket for local communication                   #
+  $ModLoad imuxsock                                              #
+# Load the UDP module for remote communication                   #
+  $ModLoad imudp                                                 #
+# Run the UDP server on the default port 514                     #
+  $UDPServerRun 514                                              #
+# Load module to read file
+  $ModLoad imfile                                                                #
+#################################################################
+$WorkDirectory /var/log/syslog/
+################
+# Local Logging1
+aso.notice /var/log/aso/aso.log
+aso.info /var/log/aso/aso_process.log
+aso.debug /var/log/aso/aso_debug.log
+caa.debug /var/adm/ras/syslog.caa
+*.emerg /var/log/syslog/emerg.log
+*.alert /var/log/syslog/alert.log
+*.crit /var/log/syslog/crit.log
+*.err /var/log/syslog/error.log
+*.warning /var/log/syslog/warning.log
+*.notice /var/log/syslog/notice.log
+*.info /var/log/syslog/info.log
+auth,authpriv.debug /var/log/syslog/auth.log
+daemon.* /dev/null
+lpr.* /dev/null
+################
+# Remote Logging
+# Read a specific file
+$InputFileName /audit/stream.out
+$InputFileTag "AUDIT_AIX"
+$InputFileStateFile audit-log
+$InputFileSeverity debug
+$InputFileFacility local7
+$InputRunFileMonitor
+local7.debug,*.warning,daemon.info,auth,authpriv.debug,*.emerg @10.10.10.10:514
+#PollingInterval 10
+################
+# Local Logging2
+# Exclude tags from local saving
+:syslogtag, contains, "AUDIT_AIX" ~
+*.debug /var/log/syslog/debug.log
+</cli>
+===== Misc examples =====
+The fourth line tells rsyslogd to save all kernel messages that come with priorities from info up to warning in the file /var/adm/kernel-info. Everything from err and higher is excluded.
+  # The tcp wrapper loggs with mail.info, we display all the connections on tty12
+  mail.=info /dev/tty12
+This directs all messages that uses mail.info (in source LOG_MAIL | LOG_INFO) to /dev/tty12, the 12th console. For example the tcpwrapper tcpd(8) uses this as it’s default.
+  # Store all mail concerning stuff in a file
+  mail.\*;mail.!=info /var/adm/mail
+This will store all messages with the priority crit in the file /var/adm/critical, except for any kernel message.
+  # A template for RFC 3164 format:
+  $template RFC3164fmt,”<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%”
+  # Kernel messages are first, stored in the kernel
+  # file, critical messages and higher ones also go
+  # to another host and to the console. Messages to
+  # the host server.example.net are forwarded in RFC 3164
+  # format (using the template defined above).
+  kern.* /var/adm/kernel
+  kern.crit @server.example.net;RFC3164fmt
+  kern.crit /dev/console
+  kern.info;kern.!err /var/adm/kernel-info

wiki

User Tools

Site Tools

Differences

Page Tools