I'm trying to set up a number of log aggregators that then send logs off
to a different host for final storage. There are three types of host in
this situation:
* clients: log locally and also forward everything to the aggregator
* aggregators: log local messages in local files; encrypt all local
messages and all messages received via tcp/udp (except for one certain
program) and forward them to the centralized server over tcp
* centralized server: hosted service that receives encrypted entries
over tcp.
The client configs mostly just work, but I need to figure out how to
forward the local messages on the aggregators to the centralized server
as well (without duplicating the entire ruleset). Right now they're only
logging locally. I was hoping that RSYSLOG_DefaultRuleset would help
there, but can't figure out the correct invocation. I also can't figure
out how to make the machines log with FQDN instead of unqualified host
(without changing /etc/hosts, which isn't really an option).
Suggestions welcome. I'd prefer to stay away from RainerScript if
possible, since it seems needlessly complex for this application, but if
that's the only way to go, a hand with translation would be great.
I've split out the files into two, the local config and the forwarder
config on the aggregators. The local config is pretty straightforward
and keeps the old syslog style format:
===
*.info;mail.none;authpriv.none;cron.none;local0.none;local5.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
*.* @@log-aggregator.mydomain.com
===
The aggregator config is:
===
# define the rules to forward logs to other servers
$RuleSet logforward
# PreserveFQDN doesn't appear to work
$PreserveFQDN on
# send CEF logs to the opsec cef host, then drop them so they are not
# forwarded again below (placed before the queue settings, because the
# $ActionQueue* directives only apply to the next action defined)
:programname, contains, "audit-cef" @security-log-host.my.domain
:programname, contains, "audit-cef" ~
# set up the queue to send things to central-server
$WorkDirectory /opt/rsyslog
$ActionResumeInterval 10
$ActionQueueSize 100000
$ActionQueueDiscardMark 97500
$ActionQueueHighWaterMark 80000
$ActionQueueType LinkedList
$ActionQueueFileName central-serverqueue
$ActionQueueCheckpointInterval 100
$ActionQueueMaxDiskSpace 10g
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
$ActionQueueTimeoutEnqueue 10
$ActionQueueDiscardSeverity 0
# Encrypt the rest of the outgoing logs with TLS over TCP
# (comments kept on their own lines; legacy directives do not take
# trailing comments reliably)
# trust these CAs
$DefaultNetstreamDriverCAFile /etc/central-server-bundle.pem
# use gtls netstream driver
$ActionSendStreamDriver gtls
# require TLS
$ActionSendStreamDriverMode 1
# authenticate by hostname
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.central-server.com
# forward all remaining logs to central-server
*.* @@loghost.central-server.com
# set the ruleset back for subsequent rules
$RuleSet RSYSLOG_DefaultRuleset
# enable incoming UDP and TCP syslog, both bound to the forwarding ruleset
# (imtcp must be loaded before $InputTCPServerRun; imudp needs $UDPServerRun)
$ModLoad imudp.so
$InputUDPServerBindRuleset logforward
$UDPServerRun 514
$ModLoad imtcp.so
$InputTCPServerBindRuleset logforward
$InputTCPServerRun 514
===
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
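The RainerScript translation the post asks about, added here as an example and not part of the original message: both network inputs are bound to the forwarding ruleset, and the default ruleset runs the local file rules and then calls that same ruleset, so the forwarding rules exist only once. It assumes rsyslog 7 or later and the hostnames from the post; aggregator01.mydomain.com is a placeholder.

```rsyslog
# Added example (not the poster's config): aggregator rsyslog.conf in
# RainerScript, rsyslog 7 or later. Hostnames are taken from the post.
module(load="imuxsock")   # local /dev/log input; omit if loaded elsewhere
module(load="imudp")
module(load="imtcp")
global(
  workDirectory="/opt/rsyslog"
  preserveFQDN="on"        # RainerScript form of $PreserveFQDN
  # localHostname="aggregator01.mydomain.com"  # placeholder: forces the
  #   name rsyslog reports if resolution only yields the short hostname
  defaultNetstreamDriver="gtls"
  defaultNetstreamDriverCAFile="/etc/central-server-bundle.pem"
)

# One forwarding ruleset shared by remote and local messages.
ruleset(name="logforward") {
  # CEF audit records go to the opsec host and nowhere else
  if $programname contains "audit-cef" then {
    action(type="omfwd" target="security-log-host.my.domain" port="514" protocol="udp")
    stop
  }
  # everything else: TLS to the central server, with a disk-assisted queue
  action(type="omfwd" target="loghost.central-server.com" port="514" protocol="tcp"
         streamDriver="gtls" streamDriverMode="1"
         streamDriverAuthMode="x509/name"
         streamDriverPermittedPeers="*.central-server.com"
         queue.type="LinkedList" queue.filename="central-serverqueue"
         queue.size="100000" queue.highWaterMark="80000"
         queue.discardMark="97500" queue.discardSeverity="0"
         queue.checkpointInterval="100" queue.maxDiskSpace="10g"
         queue.saveOnShutdown="on" queue.timeoutEnqueue="10"
         action.resumeRetryCount="-1" action.resumeInterval="10")
}

# Remote messages enter the forwarding ruleset directly.
input(type="imudp" port="514" ruleset="logforward")
input(type="imtcp" port="514" ruleset="logforward")

# Local messages: the old-style file rules in the default ruleset, then a
# single call into the same ruleset, so no forwarding rule is duplicated.
*.info;mail.none;authpriv.none;cron.none;local0.none;local5.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
call logforward
```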