Tech Tutorial: 108.2 System Logging with rsyslog and systemd-journald #
Introduction #
In the Linux ecosystem, logging is a critical aspect of monitoring and managing systems, especially in a networked environment. This tutorial will delve into configuring rsyslog
, handling logs with systemd-journald
, and provide an overview of syslog
and syslog-ng
as alternative logging systems. Understanding how to configure a logging daemon to send log output to a central log server or to act as a central log server is essential for effective system administration.
Key Knowledge Areas #
- Configuration of rsyslog
- Use and operation of systemd-journald
- Basic awareness of syslog and syslog-ng alternatives
- Centralized and local logging
Utilities #
- rsyslogd
- journalctl
- logger
Step-by-Step Guide #
1. Configuring rsyslog #
Basic Configuration #
rsyslog
is a rocket-fast system for log processing; it can deliver over a million messages per second to local destinations. To configure rsyslog
, you typically modify the /etc/rsyslog.conf
file and files in the /etc/rsyslog.d/
directory.
Example: Basic rsyslog.conf
setup
# Use default template
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
# Template for storing logs
template(name="FileFormat" type="string" string="/var/log/%HOSTNAME%/%PROGRAMNAME%.log")
# Log messages to specific files based on the program
if $programname == 'apache' then {
action(type="omfile" dynaFile="FileFormat")
stop
}
Sending Logs to a Central Server #
To configure rsyslog
to send logs to a remote server, you can use the *.* @@remote-host:514
syntax where *.*
represents all facilities and priorities.
Example: Forwarding all logs to a central log server
*.* @@192.168.1.100:514
2. Configuring systemd-journald #
systemd-journald
is a service that collects and stores logging data. It creates and maintains structured, indexed journals based on logging information that it receives.
Viewing Logs with journalctl #
journalctl
is the tool used to query and display the logs from systemd-journald
.
Example: Display all logs
journalctl
Example: Show logs from a specific service
journalctl -u nginx.service
Example: Show logs since the last boot
journalctl -b
Example: Filtering logs by priority
journalctl -p err -b
Forwarding journald logs to rsyslog #
To forward logs from journald
to rsyslog
, you can modify the /etc/systemd/journald.conf
file by setting the ForwardToSyslog=yes
.
Example: journald.conf modification
[Journal]
Storage=persistent
ForwardToSyslog=yes
3. Awareness of syslog and syslog-ng #
While rsyslog
is commonly used, syslog
and syslog-ng
are also popular logging systems. syslog-ng
offers advanced filtering, classification, and rewriting capabilities.
Example: Basic syslog-ng
configuration to forward logs
source s_local {
system();
internal();
};
destination d_remote {
tcp("192.168.1.100" port(514));
};
log {
source(s_local);
destination(d_remote);
};
Conclusion #
Understanding and configuring system logging are crucial for maintaining the health and security of a server environment. In this tutorial, we covered configuring rsyslog
for local and remote logging, handling logs with systemd-journald
, and introduced syslog
and syslog-ng
as alternative systems. Effective logging setup helps in troubleshooting and ensuring that critical events are not missed in a networked environment.