aix:aix_rsyslog [2022/05/18 16:13] manu |
aix:aix_rsyslog [2025/10/08 11:01] (current) manu [Basic setup on AIX] |
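--- a/aix:aix_rsyslog
+++ b/aix:aix_rsyslog
@@ -95,3 +95,3 @@
 To switch back to standard AIX syslog:
-syslog_ssw -r
+syslog_ssw -s
 ''Notice''\\
@@ -145,2 +145,13 @@
 ===== Advanced setup =====
+
+Debug output sent to central server:
+<cli prompt='#'>
+[root@aix001]/etc# tcpdump -i en0 host 10.10.10.10 -v
+
+Msg: May 18 16:15:56 aix001 "AIX_AUDIT" 18 May 2022 16:15:46.652129 FS_Chdir rsyslogd root root OK 34931838 4260108
+16:15:56.664128 IP (tos 0x0, ttl 30, id 54514, offset 0, flags [none], proto UDP (17), length 117)
+aix001.38075 > syslogsrv01.syslog: SYSLOG, length: 89
+Facility local7 (23), Severity debug (7)
+...
+</cli>
 To revert back to **old date format**, add this option in /etc/rsyslog.conf
@@ -302,4 +313,4 @@
 #$PrivDropToUser syslog
 #$PrivDropToGroup syslog
-<code>
+</code>
 ===== centralize login =====
@@ -327,4 +338,26 @@
 <cli>
-$template FileFormat,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
+A template that resembles traditional syslogd file output:
+$template TraditionalFormat,”%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n”
+
+A template that tells you a little more about the message:
+$template precise,”%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%, %syslogtag%,%msg%\n”
-$template TraditionalFileFormat,"%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
+A template for RFC 3164 format:
+$template RFC3164fmt,”<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%”
+
+A template for the format traditionally used for user messages:
+$template usermsg,” XXXX%syslogtag%%msg%\n\r”
+
+And a template with the traditional wall-message format:
+$template wallmsg,”\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated%
+
+A template that can be used for the database write (please note the SQL template option)
+$template MySQLInsert,”insert iut, message, received at values (‘%iut%’, ‘%msg:::UPPERCASE%’, ‘%timegenerated:::date-mysql%’) into systemevents\r\n”, SQL
+
+The following template emulates WinSyslog format:
+$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,
+%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,
+%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,
+%syslogtag%%msg%\\n"
+
+$template FileFormat,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
 $template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
@@ -337,2 +370,87 @@
 $template StdSQLFormat,"insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",SQL
 </cli>
+
+To assign a msg to a format:
+kern.crit @server.example.net;RFC3164fmt
+===== Example =====
+
+<cli prompt='>'>
+[root@aixclt01]/var/log/syslog> cat /etc/rsyslog.conf
+################ Order of the lines is important #################
+# Load the unix socket for local communication #
+$ModLoad imuxsock #
+# Load the UDP module for remote communication #
+$ModLoad imudp #
+# Run the UDP server on the default port 514 #
+$UDPServerRun 514 #
+# Load module to read file
+$ModLoad imfile #
+#################################################################
+
+$WorkDirectory /var/log/syslog/
+
+################
+# Local Logging1
+aso.notice /var/log/aso/aso.log
+aso.info /var/log/aso/aso_process.log
+aso.debug /var/log/aso/aso_debug.log
+caa.debug /var/adm/ras/syslog.caa
+*.emerg /var/log/syslog/emerg.log
+*.alert /var/log/syslog/alert.log
+*.crit /var/log/syslog/crit.log
+*.err /var/log/syslog/error.log
+*.warning /var/log/syslog/warning.log
+*.notice /var/log/syslog/notice.log
+*.info /var/log/syslog/info.log
+auth,authpriv.debug /var/log/syslog/auth.log
+daemon.* /dev/null
+lpr.* /dev/null
+
+################
+# Remote Logging
+
+# Read a specific file
+$InputFileName /audit/stream.out
+$InputFileTag "AUDIT_AIX"
+$InputFileStateFile audit-log
+$InputFileSeverity debug
+$InputFileFacility local7
+$InputRunFileMonitor
+
+local7.debug,*.warning,daemon.info,auth,authpriv.debug,*.emerg @10.10.10.10:514
+
+#PollingInterval 10
+
+################
+# Local Logging2
+# Exclude tags from local saving
+:syslogtag, contains, "AUDIT_AIX" ~
+*.debug /var/log/syslog/debug.log
+</cli>
+
+===== Misc examples =====
+
+The fourth line tells rsyslogd to save all kernel messages that come with priorities from info up to warning in the file /var/adm/kernel-info. Everything from err and higher is excluded.
+
+# The tcp wrapper loggs with mail.info, we display all the connections on tty12
+mail.=info /dev/tty12
+
+This directs all messages that uses mail.info (in source LOG_MAIL | LOG_INFO) to /dev/tty12, the 12th console. For example the tcpwrapper tcpd(8) uses this as it’s default.
+
+# Store all mail concerning stuff in a file
+mail.\*;mail.!=info /var/adm/mail
+
+This will store all messages with the priority crit in the file /var/adm/critical, except for any kernel message.
+# A template for RFC 3164 format:
+$template RFC3164fmt,”<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%”
+# Kernel messages are first, stored in the kernel
+# file, critical messages and higher ones also go
+# to another host and to the console. Messages to
+# the host server.example.net are forwarded in RFC 3164
+# format (using the template defined above).
+kern.* /var/adm/kernel
+kern.crit @server.example.net;RFC3164fmt
+kern.crit /dev/console
+kern.info;kern.!err /var/adm/kernel-info
+
+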
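Review bot: The client `/etc/rsyslog.conf` shown under '===== Example =====' loads `imudp` and runs `$UDPServerRun 514`, so a host whose only remote role is forwarding its audit stream also accepts syslog datagrams on UDP/514 from any source; unless aixclt01 is itself a collector, drop `$ModLoad imudp` and `$UDPServerRun 514`, or at least bind the listener with `$UDPServerAddress <address>` and restrict it at the host firewall. The forward rule `local7.debug,*.warning,daemon.info,auth,authpriv.debug,*.emerg @10.10.10.10:514` ships the `/audit/stream.out` records read by imfile over plain UDP, which gives no delivery feedback and no protection of the content on the wire; `@@10.10.10.10:514` switches the action to TCP, and rsyslog's TLS forwarding (omfwd over the gtls netstream driver) can be layered on where the collector supports it. Separately, the template lines copied from the rsyslog documentation (`$template TraditionalFormat,”…”` through `MySQLInsert`, and the repeated `$template RFC3164fmt` under 'Misc examples') carry typographic quotes ” and ‘, and `mail.\*;mail.!=info` carries a wiki escape, so none of them parse if pasted as-is — they need straight `"`/`'` and `mail.*`. The prose under 'Misc examples' is also out of step with the rules it explains: 'The fourth line…' describes `kern.info;kern.!err /var/adm/kernel-info`, which only appears at the end of the hunk, and the `/var/adm/critical` rule described by 'This will store all messages with the priority crit…' is not present in this revision at all.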