Created April 29, 2009 21:17
#rsyslog SERVER
# Activate kernel logging
$ModLoad imklog
# Activate TCP logging
$ModLoad imtcp
# Activate UDP logging (the module is loaded, but the UDP listener is left disabled below)
$ModLoad imudp
# Activate unix socket logging (used by the syslog(3) library call)
$ModLoad imuxsock
# Activate the 'ommail' module, used to forward messages via SMTP
$ModLoad ommail
# Configuration for ommail
$ActionMailSMTPServer localhost
$ActionMailFrom hidden@hidden.dom
$ActionMailTo hidden@hidden.dom
$template mailSubject,"rsyslog message from %programname% on %hostname%"
$template mailBody,"Message: '%msg%'"
$ActionMailSubject mailSubject
# Disable UDP since we don't seem to need it. It is also left off because the source
# address of a UDP datagram is trivially forged, so $AllowedSender cannot be trusted
# over UDP and anyone who can reach the port can flood the log store with spoofed traffic.
# $UDPServerRun 514
$InputTCPServerRun 514
# NOTE: "Rsyslogd handles allowed sender detection very early in the code,
# nearly as the first action after receiving a message.
# This keeps the access to potential vulnerable code in rsyslog at a minimum.
# However, it is still a good idea to impose allowed sender limitations via firewalling."
# The whole of 10.0.0.0/8 is allowed here; narrow the list (or the firewall rule) to the
# hosts that actually ship logs.
$AllowedSender TCP, 127.0.0.1, 10.0.0.0/8
# Separate logs into directories by year, month and day, and into one file per sender
# named by remote IP and hostname. The IP is included because the hostname is taken from
# the message header: the sender supplies it, so it may not be unique across hosts.
# Year, month, day and hostname are preserved in file names to simplify backup and offsite reading.
# For example: /mnt/storage/log/rsyslog/2009/03/02/2009-03-02_10.10.10.1-monkey.log
# The 'secpath-drop' property option strips '/' from the sender-supplied hostname so it
# cannot steer the dynafile outside the day directory (e.g. a hostname of '../../etc').
$template DailyPerHostLogs,"/mnt/storage/log/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%$YEAR%-%$MONTH%-%$DAY%_%fromhost-ip%-%HOSTNAME:::secpath-drop%.log"
$template DailyAuthLogs,"/mnt/storage/log/rsyslog/auth/%$YEAR%/%$MONTH%/%$YEAR%-%$MONTH%-%$DAY%-auth.log"
# The '-' in front of the template name means the file is not synced after every write.
*.* -?DailyPerHostLogs
auth,authpriv.* ?DailyAuthLogs
# 'local0.emerg' is what we use for syslog messages that we want to end up in email.
# Limits the number of emails that we will send: only one message per interval
# (60 seconds = 1 minute) is mailed; all other messages arriving inside the interval
# are dropped for this action, not queued. The directive governs the action statement
# that follows it, so it has to sit directly in front of the ommail action, not in
# front of the file actions above, which must never be throttled.
$ActionExecOnlyOnceEveryInterval 60
local0.emerg :ommail:;mailBody
# Reset the interval so that no later action (the forwarding below) is throttled.
$ActionExecOnlyOnceEveryInterval 0
# Drop snmpd connection noise. A discard ('~') only stops the rules below it, so these
# messages have already been written to the per-host files but are not forwarded.
:rawmsg, regex, "snmpd.*Connection from UDP" ~
# Directory for spool and other work files. Not /tmp: it is world-writable and is
# usually cleared at boot, which would throw away the queue that
# $ActionQueueSaveOnShutdown persists. The directory must exist and be writable by rsyslogd.
$WorkDirectory /var/spool/rsyslog
##
# Send all log messages to the developer syslog server using a memory/disk buffer.
###
# Enable Asynchronous processing: the forwarding action gets its own in-memory queue,
# so a slow or dead remote does not block the file actions above.
$ActionQueueType LinkedList
# Set the filename for the queue. This turns it into a disk-assisted queue: messages stay
# in memory and spill to files under $WorkDirectory only when the memory queue fills up
# or, with $ActionQueueSaveOnShutdown, when rsyslogd stops.
$ActionQueueFileName devsyslogqueue
# Number of times to retry sending to remote host. ('-1' is infinite)
$ActionResumeRetryCount -1
# Save in-memory data to disk if rsyslog is shut down.
$ActionQueueSaveOnShutdown on
# Send logs to the remote rsyslog via TCP ('@@' selects TCP, a single '@' would be UDP).
# This is plain TCP: neither end is authenticated and nothing is encrypted on the wire,
# and everything, including auth/authpriv, is forwarded.
*.* @@developer-syslog.hidden.dom
###
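Rule order, the selectors, the two dynafile templates, the once-per-interval mail throttle and the effect of the discard rule are easier to reason about when modelled in code. The following Python is an added example, not code from the gist or from rsyslog: it replays constructed sample lines through the rule set in the order the config lists them, with the rate limit bound to the ommail action and the hostname passed through secpath-drop. The receive time, the sender addresses and the log lines are all made up for the demonstration.

```python
"""Added example (not from the gist or rsyslog): a model of the rule set above.
It parses BSD-syslog lines, applies the selectors, builds the dynafile paths,
enforces the once-a-minute mail rate limit and the snmpd discard, in config order."""
import re
from datetime import datetime, timedelta

BASE = "/mnt/storage/log/rsyslog"                       # root of both templates
FORWARD_TARGET = "developer-syslog.hidden.dom:514"      # *.* @@developer-syslog.hidden.dom
MAIL_INTERVAL = 60                                      # $ActionExecOnlyOnceEveryInterval 60
DISCARD_RE = re.compile(r"snmpd.*Connection from UDP")  # :rawmsg, regex, "..." ~

FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
            "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
            "solaris-cron", "local0", "local1", "local2", "local3", "local4",
            "local5", "local6", "local7"]
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
HEADER_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
TAG_RE = re.compile(r"^([^\s:\[]+)(?:\[\d+\])?:\s?(.*)$")


def parse_rfc3164(raw, fromhost_ip):
    """Split '<PRI>TIMESTAMP HOSTNAME TAG: MSG' into the properties the rules use.
    Unlike rsyslog, the leading space of %msg% is stripped here."""
    m = HEADER_RE.match(raw)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not a BSD-syslog message: %r" % raw)
    facility, severity = divmod(int(m.group(1)), 8)     # PRI = facility * 8 + severity
    hostname, rest = m.group(3), m.group(4)
    t = TAG_RE.match(rest)
    programname, msg = (t.group(1), t.group(2)) if t else ("", rest)
    return {"rawmsg": raw, "fromhost-ip": fromhost_ip, "hostname": hostname,
            "facility": FACILITY[facility], "severity": SEVERITY[severity],
            "programname": programname, "msg": msg}


def secpath_drop(value):
    """rsyslog's secpath-drop option: remove '/' so a sender-chosen field cannot
    steer the dynafile out of its directory."""
    return value.replace("/", "")


def perhost_path(props, now):
    """DailyPerHostLogs; %$YEAR% etc. are the receive time, not the message time."""
    return "%s/%04d/%02d/%02d/%04d-%02d-%02d_%s-%s.log" % (
        BASE, now.year, now.month, now.day, now.year, now.month, now.day,
        props["fromhost-ip"], secpath_drop(props["hostname"]))


def auth_path(now):
    """DailyAuthLogs."""
    return "%s/auth/%04d/%02d/%04d-%02d-%02d-auth.log" % (
        BASE, now.year, now.month, now.year, now.month, now.day)


class Router:
    def __init__(self):
        self.last_mail = None   # state behind $ActionExecOnlyOnceEveryInterval

    def route(self, raw, fromhost_ip, now):
        """Return the (action, target) pairs the rule set fires for one message."""
        m = parse_rfc3164(raw, fromhost_ip)
        actions = [("file", perhost_path(m, now))]                  # *.* -?DailyPerHostLogs
        if m["facility"] in ("auth", "authpriv"):                   # auth,authpriv.* ?DailyAuthLogs
            actions.append(("file", auth_path(now)))
        if m["facility"] == "local0" and m["severity"] == "emerg":  # local0.emerg :ommail:;mailBody
            if self.last_mail is None or (now - self.last_mail).total_seconds() >= MAIL_INTERVAL:
                self.last_mail = now
                actions.append(("mail", "Message: '%s'" % m["msg"]))
            # inside the interval the message is dropped for this action, not queued
        if DISCARD_RE.search(m["rawmsg"]):                          # :rawmsg, regex, ... ~
            actions.append(("discard", None))
            return actions                                          # nothing below runs
        actions.append(("forward", FORWARD_TARGET))                 # *.* @@developer-syslog...
        return actions


# Constructed sample traffic (sender IP, seconds after t0, raw line); not real captures.
SAMPLE = [
    ("10.10.10.1", 0, "<38>Mar  2 10:15:01 monkey sshd[1234]: Accepted publickey for root"),
    ("10.10.10.1", 1, "<128>Mar  2 10:15:02 monkey raid[77]: disk sdb failed"),
    ("10.10.10.1", 11, "<128>Mar  2 10:15:12 monkey raid[77]: disk sdc failed"),
    ("10.10.10.1", 2, "<30>Mar  2 10:15:03 monkey snmpd[99]: Connection from UDP: [10.0.0.5]:161"),
    ("10.0.0.9", 3, "<13>Mar  2 10:15:04 ../../../etc/cron.d/evil logger: hostname is sender-controlled"),
]


def demo():
    """Run SAMPLE through one Router; returns one action list per message."""
    router = Router()
    t0 = datetime(2009, 3, 2, 10, 15, 0)          # assumed receive time of the first line
    return [router.route(raw, ip, t0 + timedelta(seconds=off)) for ip, off, raw in SAMPLE]


if __name__ == "__main__":
    for (ip, _, raw), acts in zip(SAMPLE, demo()):
        print(raw)
        for act in acts:
            print("   ", ip, "->", act)
```

The second local0.emerg line arrives ten seconds after the first and produces no mail, the snmpd line is written to the per-host file but never forwarded, and the forged hostname ends up as a flat file name inside the day directory instead of a path component.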