
Tech Tutorial: 108.2 System Logging with rsyslog and systemd-journald #

Introduction #

In the Linux ecosystem, logging is a critical aspect of monitoring and managing systems, especially in a networked environment. This tutorial will delve into configuring rsyslog, handling logs with systemd-journald, and provide an overview of syslog and syslog-ng as alternative logging systems. Understanding how to configure a logging daemon to send log output to a central log server or to act as a central log server is essential for effective system administration.

Key Knowledge Areas #

  • Configuration of rsyslog
  • Use and operation of systemd-journald
  • Basic awareness of syslog and syslog-ng alternatives
  • Centralized and local logging

Utilities #

  • rsyslogd
  • journalctl
  • logger

Step-by-Step Guide #

1. Configuring rsyslog #

Basic Configuration #

rsyslog is a rocket-fast system for log processing; it can deliver over a million messages per second to local destinations. To configure rsyslog, you edit /etc/rsyslog.conf and the drop-in files under /etc/rsyslog.d/. The example below also loads the imudp and imtcp input modules, which make the host listen on port 514 and act as a central log server; a client that only forwards its own logs does not need them.

Example: Basic rsyslog.conf setup

# Load the input modules (RainerScript syntax)
module(load="imuxsock") # provides support for local system logging (/dev/log)
module(load="imklog")   # provides kernel logging support

# provides UDP syslog reception (only needed on a central log server)
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception (only needed on a central log server)
module(load="imtcp")
input(type="imtcp" port="514")

# Template for storing logs: one directory per sending host, one file per program
template(name="FileFormat" type="string" string="/var/log/%HOSTNAME%/%PROGRAMNAME%.log")

# Log messages to specific files based on the program;
# "stop" keeps later rules from processing the same message again
if $programname == 'apache' then {
    action(type="omfile" dynaFile="FileFormat")
    stop
}

Sending Logs to a Central Server #

To configure rsyslog to send logs to a remote server, use the legacy selector syntax *.* @@remote-host:514, where *.* selects all facilities and priorities and @@ sends over TCP (a single @ would send over UDP, which gives no delivery guarantee).

Example: Forwarding all logs to a central log server

*.* @@192.168.1.100:514
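As an added example that is not part of this tutorial, the following Python decodes the <PRI> header of a line as it arrives at a central rsyslog server on port 514 and evaluates the facility.priority selectors used above ("*.*", "auth.err", "*.=crit", "auth.none"). The sample line, the host name and the user in it are constructed for the example.

```python
# Added example (not from the tutorial): decode the <PRI> header a central
# server receives and evaluate rsyslog's legacy "facility.priority" selectors.
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Constructed sample line in RFC 3164 form, as a forwarding client would send it.
SAMPLE_LINE = "<34>Oct 11 22:14:15 webhost su: 'su root' failed for alice on /dev/pts/8"

def pri_value(facility, severity):
    """PRI as encoded by logger/rsyslog on the sender: facility * 8 + severity."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def decode_pri(line):
    """Return (facility, severity, rest). The PRI is supplied by the sender,
    so a receiver must range-check it before using it for routing."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2)

def selector_matches(selector, facility, severity):
    """sysklogd/rsyslog semantics: 'auth.err' matches err and anything more
    severe, '=crit' matches exactly crit, 'none' never matches, and '*' on
    either side matches everything. Negation with '!' is not handled here."""
    fac_part, _, prio_part = selector.partition(".")
    facs = fac_part.split(",")
    if "*" not in facs and facility not in facs:
        return False
    if prio_part == "*":
        return True
    if prio_part == "none":
        return False
    if prio_part.startswith("="):
        return severity == prio_part[1:]
    return SEVERITIES.index(severity) <= SEVERITIES.index(prio_part)

if __name__ == "__main__":
    fac, sev, msg = decode_pri(SAMPLE_LINE)
    for rule in ("*.*", "auth.err", "mail.*", "*.=crit", "auth.none"):
        print("%-10s %s.%s -> %s" % (rule, fac, sev, selector_matches(rule, fac, sev)))
```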

2. Configuring systemd-journald #

systemd-journald is a service that collects and stores logging data. It creates and maintains structured, indexed journals based on logging information that it receives.

Viewing Logs with journalctl #

journalctl is the tool used to query and display the logs from systemd-journald.

Example: Display all logs

journalctl

Example: Show logs from a specific service

journalctl -u nginx.service

Example: Show logs since the last boot

journalctl -b

Example: Filtering logs by priority

journalctl -p err -b

Forwarding journald logs to rsyslog #

To forward logs from journald to rsyslog, set ForwardToSyslog=yes in the [Journal] section of /etc/systemd/journald.conf and restart systemd-journald for the change to take effect.

Example: journald.conf modification

[Journal]
# keep the journal on disk under /var/log/journal so it survives reboots
Storage=persistent
# hand every message to the local syslog socket as well
ForwardToSyslog=yes

3. Awareness of syslog and syslog-ng #

While rsyslog is commonly used, syslog and syslog-ng are also popular logging systems. syslog-ng offers advanced filtering, classification, and rewriting capabilities.

Example: Basic syslog-ng configuration to forward logs

# local sources: the system log socket/journal and syslog-ng's own messages
source s_local {
    system();
    internal();
};

# destination: the central log server over TCP on port 514
destination d_remote {
    tcp("192.168.1.100" port(514));
};

# log path: wire the source to the destination
log {
    source(s_local);
    destination(d_remote);
};

Conclusion #

Understanding and configuring system logging are crucial for maintaining the health and security of a server environment. In this tutorial, we covered configuring rsyslog for local and remote logging, handling logs with systemd-journald, and introduced syslog and syslog-ng as alternative systems. Effective logging setup helps in troubleshooting and ensuring that critical events are not missed in a networked environment.