rsyslog.service hardened to run as a low-privilege user, with the capability set cut down to what it needs to listen for messages and write log files
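[Unit]
# by: Cody Kochmann
# describe the service so journald logs make sense
Description=System Logging Service
# the syslog socket must exist before we start (systemd hands the listening
# socket to rsyslog) and journald must be up so our stderr has somewhere to go.
# Requires= alone does not order startup, so it is paired with After= below.
Requires=syslog.socket systemd-journald.service
After=syslog.socket systemd-journald.service
# note that there is a local manual
Documentation=man:rsyslogd(8)
# link to official docs online
Documentation=https://www.rsyslog.com/doc/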
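[Service]
# systemd waits for sd_notify(READY=1) from rsyslogd before treating the unit
# as started (rsyslog must be built with systemd support for this)
Type=notify
# drop root: the process only ever holds the capabilities listed in
# AmbientCapabilities= below, nothing more
User=syslog
# -n: stay in the foreground so systemd can supervise it
# -iNONE: do not write a pid file; /run is read-only under ProtectSystem=strict,
#         so writing one would fail anyway
ExecStart=/usr/sbin/rsyslogd -n -iNONE
# stdout is noise for a daemon that already ingests every service's stdout
StandardOutput=null
# but keep stderr: config-parse errors at startup are printed there before
# rsyslog's own log pipeline is up and would otherwise vanish
# (StandardError= defaults to inherit, i.e. null here)
StandardError=journal
# restart only on abnormal exit, not on a clean stop
Restart=on-failure
# fd budget: every TCP/TLS client, imfile input and output file costs one;
# raise this if rsyslog reports "Too many open files"
LimitNOFILE=256
# reset the bounding set ...
CapabilityBoundingSet=
# ... then allow only the bare minimum. With a non-root User= the bounding set
# grants nothing by itself: the process only gets the caps also listed in
# AmbientCapabilities=. CAP_NET_RAW / CAP_NET_BROADCAST were never ambient and
# NoNewPrivileges= blocks every path to acquire them, so they are dropped.
# CAP_SYSLOG stays in the bounding set only so an admin who enables imklog
# (reads /dev/kmsg, which needs CAP_SYSLOG when kernel.dmesg_restrict=1) can
# add it to AmbientCapabilities= as well.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYSLOG
# the one cap actually granted: bind 514/tcp|udp as a non-root user
AmbientCapabilities=CAP_NET_BIND_SERVICE
# no setuid / file-capability escalation via execve; this is also what makes
# the spare bounding-set entry above unreachable
NoNewPrivileges=yes
# private /tmp and /var/tmp
PrivateTmp=yes
# /home, /root and /run/user are inaccessible
ProtectHome=yes
# no kernel module loading
ProtectKernelModules=yes
# /proc/sys, /sys and friends are read-only
ProtectKernelTunables=yes
# whole file system read-only except the API file systems (/dev, /proc, /sys) ...
ProtectSystem=strict
# ... plus what a log server has to write: the log directory, and the work
# directory if rsyslog.conf sets one (disk-assisted queues, imfile state).
# The "-" prefix makes systemd ignore the spool path when it does not exist.
ReadWritePaths=/var/log -/var/spool/rsyslog
# further lockdowns that do not affect a daemon that only opens sockets and
# writes files
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
SystemCallArchitectures=native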
[Install]
# pulled in by the normal multi-user boot target once the unit is enabled
WantedBy=multi-user.target
# `systemctl ... syslog.service` resolves to this unit as well
Alias=syslog.service