@jpf
Created April 29, 2009 21:17
#rsyslog SERVER
# Activate kernel logging
$ModLoad imklog
# Activate TCP logging
$ModLoad imtcp
# Activate UDP logging
$ModLoad imudp
# Activate unix socket logging (used by the syslog(3) library call)
$ModLoad imuxsock
# Activate the 'ommail' module, used to forward messages via SMTP
$ModLoad ommail
# Configuration for ommail
$ActionMailSMTPServer localhost
$ActionMailFrom hidden@hidden.dom
$ActionMailTo hidden@hidden.dom
$template mailSubject,"rsyslog message from %programname% on %hostname%"
$template mailBody,"Message: '%msg%'"
$ActionMailSubject mailSubject
# Disable UDP since we don't seem to need it. Also disabled to avoid a syslog DDoS, as UDP source addresses can be easily forged.
# $UDPServerRun 514
$InputTCPServerRun 514
# NOTE: "Rsyslogd handles allowed sender detection very early in the code,
# nearly as the first action after receiving a message.
# This keeps the access to potentially vulnerable code in rsyslog at a minimum.
# However, it is still a good idea to impose allowed sender limitations via firewalling."
$AllowedSender TCP, 127.0.0.1, 10.0.0.0/8
# Separate logs into directories and files by year, month, day, and remote IP (not hostname, as that might not be unique across hosts).
# Year, month, day and hostname are preserved in file names to simplify backup and offsite reading.
# For example: /mnt/storage/log/rsyslog/2009/03/02/2009-03-02_10.10.10.1-monkey.log
$template DailyPerHostLogs,"/mnt/storage/log/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%$YEAR%-%$MONTH%-%$DAY%_%fromhost-ip%-%HOSTNAME%.log"
$template DailyAuthLogs,"/mnt/storage/log/rsyslog/auth/%$YEAR%/%$MONTH%/%$YEAR%-%$MONTH%-%$DAY%-auth.log"
*.* -?DailyPerHostLogs
auth,authpriv.* ?DailyAuthLogs
# Limits the number of emails that we will send.
# Only one message will be sent per interval; all other messages in that interval are dropped for the mail action only.
# Like the other $Action* directives, this applies to the next action defined, so it must sit
# directly before the ommail action line rather than before the file actions above.
# 60 seconds = 1 minute
$ActionExecOnlyOnceEveryInterval 60
# 'local0.emerg' is what we use for syslog messages that we want to end up in email.
local0.emerg :ommail:;mailBody
# A discard rule only stops the actions that follow it: the noisy snmpd lines have already been
# written to the local files above and are only kept out of the forwarding action below.
:rawmsg, regex, "snmpd.*Connection from UDP" ~
# Directory for spool and other work files (the queue file below is created here).
# /tmp is often cleared at boot; a directory that survives reboots keeps a queued backlog intact.
$WorkDirectory /tmp
##
# Send all log messages to the developer syslog server using a memory/disk buffer.
###
# Enable Asynchronous processing
$ActionQueueType LinkedList
# Set the filename for the queue. With a file name set, the queue runs in disk-assisted mode: messages are held in memory and spill to disk when the in-memory queue fills or on shutdown.
$ActionQueueFileName devsyslogqueue
# Number of times to retry sending to remote host. ('-1' is infinite)
$ActionResumeRetryCount -1
# Save in-memory data to disk if rsyslog is shut down.
$ActionQueueSaveOnShutdown on
# Send logs to the remote rsyslog via TCP (default port 514)
*.* @@developer-syslog.hidden.dom
###
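A small Python model of three mechanisms the config above relies on, added here as an illustration (it is not part of the gist and not rsyslog's own code): rendering the %property% templates into the daily per-host file path and the mail subject, the rawmsg regex discard rule, and the once-per-interval gate behind $ActionExecOnlyOnceEveryInterval. The sample message and timestamp are constructed, and only the plain %name% placeholder form is modelled.

```python
import re
from datetime import datetime, timedelta

# Constructed sample message, standing in for one the server received over TCP.
SAMPLE_TIME = datetime(2009, 3, 2, 10, 15, 0)
SAMPLE_PROPS = {"hostname": "monkey", "fromhost-ip": "10.10.10.1",
                "programname": "snmpd", "msg": "Connection from UDP: [10.0.0.5]:161"}
SAMPLE_RAWMSG = "<30>Mar  2 10:15:00 monkey snmpd[1234]: Connection from UDP: [10.0.0.5]:161"

# Templates and the discard regex as they appear in the config above.
DAILY_PER_HOST = ("/mnt/storage/log/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/"
                  "%$YEAR%-%$MONTH%-%$DAY%_%fromhost-ip%-%HOSTNAME%.log")
MAIL_SUBJECT = "rsyslog message from %programname% on %hostname%"
DISCARD_RE = re.compile(r"snmpd.*Connection from UDP")

# Only the plain %name% form is modelled; the real property replacer
# supports far more properties and options than the gist uses.
PROP_RE = re.compile(r"%(\$?[A-Za-z0-9_-]+)%")

def render_template(template, props, now):
    """$YEAR/$MONTH/$DAY come from the clock (rsyslog system properties);
    other names are looked up case-insensitively, so %HOSTNAME% == %hostname%."""
    sysprops = {"$YEAR": f"{now.year:04d}", "$MONTH": f"{now.month:02d}",
                "$DAY": f"{now.day:02d}"}
    def sub(m):
        name = m.group(1)
        return sysprops[name] if name.startswith("$") else str(props[name.lower()])
    return PROP_RE.sub(sub, template)

def is_discarded(rawmsg):
    """':rawmsg, regex, "..." ~': a match stops processing for later actions."""
    return DISCARD_RE.search(rawmsg) is not None

class OncePerInterval:
    """$ActionExecOnlyOnceEveryInterval: fire at most once per interval; other
    messages are skipped for this action only and still reach the others."""
    def __init__(self, seconds):
        self.seconds, self.last = seconds, None

    def allow(self, now):
        if self.last is None or now - self.last >= timedelta(seconds=self.seconds):
            self.last = now
            return True
        return False

def throttle_sequence(seconds, offsets, start=SAMPLE_TIME):
    """Which messages arriving `offsets` seconds after `start` a fresh gate passes."""
    gate = OncePerInterval(seconds)
    return [gate.allow(start + timedelta(seconds=o)) for o in offsets]
```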