RSyslog for Monitor LOGS

RSyslog for Monitor LOGS

Goals

  • Use rsyslog to export log

Env

  • 172.16.1.2 is Server Collector
  • 172.16.1.3 is Client LOG

Prerequisites

  • Check whether rsyslog is available:
# Show the candidate rsyslog version and whether the package is known to apt at all.
apt-cache policy rsyslog
# Install it (Debian/Ubuntu; package installation needs root).
sudo apt install rsyslog

Execute

Executed on 172.16.1.3

  • Install Loki
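# Install the Loki binary into /usr/local/bin from the latest GitHub release.
# Fixes vs. the original sequence: the download and `mv` ran inside /usr/local/bin
# without sudo (fails for a non-root user), the zip was left behind next to the
# binary, and the archive was executed as root without ever being checked against
# the SHA256SUMS file the release publishes.
# Intended to be run as a script (set -e would close an interactive shell on error).
set -euo pipefail

# Resolve the release tag once so the binary and the checksum file come from the
# same release (same pattern the Promtail step below uses).
LOKI_VERSION=$(curl -fsSL "https://api.github.com/repos/grafana/loki/releases/latest" \
  | grep -Po '"tag_name": "v\K[0-9.]+')
: "${LOKI_VERSION:?could not determine the latest Loki version}"

sudo apt install unzip

# Download into a private temp dir rather than the install dir; removed on exit.
tmpdir=$(mktemp -d)
trap 'rm -rf -- "$tmpdir"' EXIT
cd "$tmpdir"
base_url="https://github.com/grafana/loki/releases/download/v${LOKI_VERSION}"
wget -q "${base_url}/loki-linux-amd64.zip" "${base_url}/SHA256SUMS"
# Verify the archive before anything from it is installed and run as root.
sha256sum -c --ignore-missing SHA256SUMS

unzip -q loki-linux-amd64.zip
# install(1) sets owner and mode in one step; the unit file expects /usr/local/bin/loki.
sudo install -m 0755 -o root -g root loki-linux-amd64 /usr/local/bin/loki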
  • Config Loki
sudo nano config-loki.yml
# Single-node Loki configuration written to /usr/local/bin/config-loki.yml.
# Tenant authentication is off: every request is accepted without credentials
# (Loki files it under the "fake" tenant). Acceptable only while port 3100 is
# reachable solely from trusted hosts — here Promtail on 127.0.0.1 — so keep it
# behind a host firewall or an authenticating reverse proxy.
auth_enabled: false

server:
  # No http_listen_address is given, so this presumably binds every interface —
  # confirm, and restrict to 127.0.0.1 if only the local Promtail needs to reach it.
  http_listen_port: 3100

ingester:
  lifecycler:
    address: 127.0.0.1
    ring:
      kvstore:
        store: inmemory
      # Single ingester, no replication: one process, no HA.
      replication_factor: 1
    final_sleep: 0s
  chunk_idle_period: 5m
  chunk_retain_period: 30s
  # NOTE(review): this key has been removed in recent Loki releases; check the
  # release notes for the version installed by the step above, or startup may fail.
  max_transfer_retries: 0

schema_config:
  configs:
    - from: 2022-07-24
      store: boltdb
      object_store: filesystem
      schema: v11
      index:
        prefix: index_
        period: 24h

storage_config:
  # Index and chunks live under /tmp: cleared on reboot on many distributions and
  # inside a world-writable tree. For anything beyond a lab, use a dedicated
  # directory (e.g. /var/lib/loki) owned by the service user.
  boltdb:
    directory: /tmp/loki/index

  filesystem:
    directory: /tmp/loki/chunks

limits_config:
  enforce_metric_name: false
  # Samples older than 7 days are rejected at ingestion.
  reject_old_samples: true
  reject_old_samples_max_age: 168h

chunk_store_config:
  max_look_back_period: 0s

table_manager:
  # Retention is disabled: nothing is ever deleted, so disk usage grows without
  # bound until a retention period is configured.
  retention_deletes_enabled: false
  retention_period: 0s
  • Make loki to systemd
sudo nano /etc/systemd/system/loki.service
[Unit]
Description=Loki service
After=network.target

[Service]
Type=simple
# Runs as root. From the config, Loki presumably only needs to bind :3100 and write
# under /tmp/loki, which a dedicated unprivileged user (User=loki, owning the data
# directories) could do — confirm, then drop root to limit impact of a compromised
# HTTP API.
User=root
# Config path must match the file written in the "Config Loki" step.
ExecStart=/usr/local/bin/loki -config.file /usr/local/bin/config-loki.yml
# No Restart= directive: if Loki crashes it stays down until restarted by hand.

[Install]
WantedBy=multi-user.target
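# Activate the new unit. The original `systemctl enable loki` ran without sudo
# (fails or prompts for a non-root user) and mixed `service` with `systemctl`.
# daemon-reload makes systemd read the unit file just written; --now enables
# at boot and starts it in one step.
sudo systemctl daemon-reload
sudo systemctl enable --now loki
sudo systemctl status loki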
  • Install Promtail
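# Install Promtail from the latest Loki release, verified against the release's
# SHA256SUMS. Fixes vs. the original: an empty PROMTAIL_VERSION produced a broken
# URL, `mkdir` without -p failed on re-run, the asset (a zip) was saved as .gz and
# relied on gunzip's single-member-zip fallback, and nothing was checksummed
# before being installed and run as root.
# Intended to be run as a script (set -e would close an interactive shell on error).
set -euo pipefail

PROMTAIL_VERSION=$(curl -fsSL "https://api.github.com/repos/grafana/loki/releases/latest" \
  | grep -Po '"tag_name": "v\K[0-9.]+')
: "${PROMTAIL_VERSION:?could not determine the latest Promtail version}"
base_url="https://github.com/grafana/loki/releases/download/v${PROMTAIL_VERSION}"

command -v unzip >/dev/null || sudo apt install unzip
sudo mkdir -p /opt/promtail

# Download into a private temp dir; removed on exit.
tmpdir=$(mktemp -d)
trap 'rm -rf -- "$tmpdir"' EXIT
wget -qO "$tmpdir/promtail-linux-amd64.zip" "${base_url}/promtail-linux-amd64.zip"
wget -qO "$tmpdir/SHA256SUMS" "${base_url}/SHA256SUMS"
# Verify before installing; --ignore-missing skips the assets we did not download.
(cd "$tmpdir" && sha256sum -c --ignore-missing SHA256SUMS)

unzip -q "$tmpdir/promtail-linux-amd64.zip" -d "$tmpdir"
sudo install -m 0755 -o root -g root "$tmpdir/promtail-linux-amd64" /opt/promtail/promtail
# -f makes the symlink step idempotent on re-runs.
sudo ln -sf /opt/promtail/promtail /usr/local/bin/promtail
# Fetch the sample config from the matching tag so its keys line up with the binary.
sudo wget -qO /opt/promtail/promtail-local-config.yaml "https://raw.githubusercontent.com/grafana/loki/v${PROMTAIL_VERSION}/clients/cmd/promtail/promtail-local-config.yaml"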

# Sanity check that the binary runs and report the installed version.
promtail -version
# Create the systemd unit for Promtail (root-owned directory, hence sudo).
sudo nano /etc/systemd/system/promtail.service
[Unit]
Description=Promtail client for sending logs to Loki
After=network.target

[Service]
# No User= line, so this runs as root. Root is convenient for reading the journal
# and listening on 1514, but an unprivileged user in the systemd-journal group
# (plus a port above 1024, which 1514 already is) would presumably suffice —
# confirm before hardening. No Type= means the default "simple".
ExecStart=/opt/promtail/promtail -config.file=/opt/promtail/promtail-local-config.yaml
# Restart on any exit, including a crash; stop is forced after 3 s.
Restart=always
TimeoutStopSec=3

[Install]
WantedBy=multi-user.target
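# Activate the new unit. The original started before enabling, mixed `service`
# with `systemctl`, and never asked systemd to reload the freshly written unit.
sudo systemctl daemon-reload
sudo systemctl enable --now promtail
sudo systemctl status promtail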
  • Config Rsyslog
nano /etc/rsyslog.conf
# provides UDP syslog reception
# Listens on 514/udp on every interface. UDP carries no sender authentication and
# source addresses are trivially spoofable, so keep this only if a UDP-only device
# really has to send here.
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
# Plain TCP, no TLS: contents cross the network in cleartext. rsyslog's gtls/ossl
# stream drivers can add TLS if the segment is not otherwise protected.
module(load="imtcp")
input(type="imtcp" port="514")

# Specific network can connect (original intent).
# NOTE(review): $AllowedSender is the legacy directive, and a bare 0.0.0.0 with no
# mask is not a network entry, so its real effect here is unclear — confirm against
# the rsyslog docs (including whether it must precede the input() lines). Nothing in
# the rest of this guide sends to port 514 on this host; the collector forwards to
# Promtail on 1514, so these two inputs appear unused.
$AllowedSender TCP, 0.0.0.0
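# Validate the edited configuration before restarting: a syntax error would
# otherwise take the logging daemon down instead of just reporting it.
sudo rsyslogd -N1
sudo systemctl restart rsyslog
sudo systemctl status rsyslog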

Executed on 172.16.1.2

nano /etc/rsyslog.d/50-promtail.conf
# omprog is loaded but no omprog action follows; the line can be dropped.
module(load="omprog")
# Replace invalid UTF-8 bytes before forwarding so Promtail/Loki receive well-formed text.
module(load="mmutf8fix")
action(type="mmutf8fix" replacementChar="?")
# Forward every message (no filter precedes this action) to Promtail on
# 172.16.1.3:1514 as RFC 5424 (protocol23 template), octet-counted framing, plain
# TCP. No TLS and no receiver authentication: log lines — which may carry
# credentials or personal data — cross the network in cleartext; the gtls/ossl
# stream drivers add TLS if the link is not otherwise protected. No queue or retry
# parameters are set, so messages are presumably discarded while Promtail is
# unreachable — confirm the default action.resumeRetryCount for the installed version.
action(type="omfwd" protocol="tcp" target="172.16.1.3" port="1514" Template="RSYSLOG_SyslogProtocol23Format" TCP_Framing="octet-counted" KeepAlive="on")
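# Validate the new drop-in before restarting so a typo reports instead of
# stopping log forwarding.
sudo rsyslogd -N1
sudo systemctl restart rsyslog
sudo systemctl status rsyslog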

Executed on 172.16.1.3

  • Config promtail
nano /opt/promtail/promtail-local-config.yaml

---
server:
  # Promtail's own HTTP endpoint (metrics, readiness). No listen address is set,
  # so it presumably binds all interfaces and it has no authentication — confirm
  # and firewall it.
  http_listen_port: 9080
  grpc_listen_port: 0

positions:
  # Read offsets kept in /tmp are lost on reboot or tmp cleanup, so journal entries
  # still within max_age may be re-sent; a persistent path (e.g. /var/lib/promtail)
  # avoids that.
  filename: /tmp/positions.yaml

clients:
  # Push target: the local Loki from the earlier step, plain HTTP over loopback.
  - url: http://127.0.0.1:3100/loki/api/v1/push

scrape_configs:
  # Local systemd journal, replaying at most the last 12h on first start.
  - job_name: journal
    journal:
      max_age: 12h
      labels:
        job: systemd-journal
    relabel_configs:
      - source_labels: ['__journal__systemd_unit']
        target_label: 'unit'

  # Syslog receiver for the TCP stream forwarded by rsyslog on 172.16.1.2.
  - job_name: syslogRsys
    syslog:
      # 0.0.0.0 accepts connections from any host, with no authentication or TLS.
      # Restrict to the collector with a host firewall rule, or bind the interface
      # address facing 172.16.1.2 instead of all interfaces.
      listen_address: 0.0.0.0:1514
      # RFC 5424 structured-data fields become Loki labels. Those values are chosen by
      # the sender, so a noisy or hostile source can drive up label cardinality;
      # review what ends up as labels.
      label_structured_data: yes
      labels:
        job: "syslogRsys"
    relabel_configs:
      # Peer address of the TCP connection, i.e. the forwarding rsyslog host.
      - source_labels: ["__syslog_connection_ip_address"]
        target_label: "ip_address"
      - source_labels: ["__syslog_message_severity"]
        target_label: "severity"
      - source_labels: ["__syslog_message_facility"]
        target_label: "facility"
      # Hostname from the syslog header: asserted by the sender, not verified.
      - source_labels: ["__syslog_message_hostname"]
        target_label: "host"
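# Apply the edited Promtail config: enable at boot, restart to load it, check state.
# systemctl throughout, consistent with the other service steps (`service` is only
# a compatibility wrapper on systemd hosts).
sudo systemctl enable promtail
sudo systemctl restart promtail
sudo systemctl status promtail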

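# Make rsyslog persistent, validate its configuration, then restart and check it.
sudo systemctl enable rsyslog
sudo rsyslogd -N1
sudo systemctl restart rsyslog
sudo systemctl status rsyslog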