Intro to rsyslog

Red Hat uses rsyslog for generating log files. rsyslog can be configured to for log local events only, to send log messages to a remote log server, and/or to recieve log messages from other systems.

Installing rsyslog

rsyslog Is typically installed by default.

rsyslog Configuration

rsyslog is configured in '/etc/rsyslog.conf'. If remote logging is configured, the default port for transfer is 514 (TCP or UDP) to send and receive the log entries.

Table 7.2. rsyslog Critical Terminology

Term Description[a]
'facility' A name that indicates what the message concerns or from what service it originates.
'priority' A name that indicates the importance of the messages in that category.
'action' A specific task that will take place when an event generates a log file entry.

[a] The man pages for `logger`(1) and `syslog`(3) have more information. The man page for rsyslog is under rsyslogd(8). Add'l extensive documentation is in '/usr/share/doc/rsyslog-x.x.xx/index.html'.


In '/etc/rsyslog.conf' in the "RULES" section, ensure that a rule exists (or write one) for the kind of messages you want to send. The format is <facility>.<priority> <action>.

facility is configured as one of the following:

  • auth
  • authpriv
  • cron
  • daemon
  • kern
  • lpr
  • mail
  • news
  • syslog
  • user
  • uucp
  • local0-7
  • "*"

priority is configured as one of the following (in ascending priority):

  • debug
  • info
  • notice
  • warning (warn)
  • err (error)
  • crit
  • alert
  • emerg (panic)
  • none
  • "*"

Multiple facilities can be specified with the same priority with the use of a comma.

uucp,news.crit       /var/log/spooler

Multiple selectors (facility/priority pairs) can be specified for the same action with the use of a semicolon.

*.info;mail.none;authpriv.none;cron.none   /var/log/messages

Rsyslog Configuration: Actions - One of the following:

  • A file, specified with a full path name.
  • A named pipe (fifo).
  • A terminal (tty) or console.
  • A remote machine's IP or hostname, prefaced with "@" (for UDP), "@@" (for TCP), or ":omrelp:" for the RELP protocol.
  • A list of users (comma-delimited). This notifies them via console message if they are logged in. An asterisk (*) includes all logged-in users.
  • A tilde, to indicate that these messages should be discarded.
  • See the documentation for others.

Accepting Remote Logs

By default, rsyslog is configured for only local logging. To enable it to receive log messages from other systems, uncomment one of the following groups of lines in the config file (depending on which transport protocol, tcp or udp, you prefer to use).

To receive external logs via UDP, which is more widely supported but less reliable, uncomment the following directives:

# Provides UDP syslog reception
#$ModLoad imudp.so
#$UDPServerRun 514

To receive external logs via TCP, which is less widely supported but more reliable, uncomment the following directives:[16]

# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 514

The following stanza in /etc/rsyslog.conf must be copied and amended on the client machine to configure it to send logs to the remote server.

    # ### begin forwarding rule ###
    # The statement between the begin ... end define a SINGLE forwarding
    # rule. They belong together, do NOT split them. If you create multiple
    # forwarding rules, duplicate the whole block!
    # Remote Logging (we use TCP for reliable delivery)
    #
    # An on-disk queue is created for this action. If the remote host is
    # down, messages are spooled to disk and sent when it is up again.
    $WorkDirectory /var/lib/rsyslog # where to place spool files
    $ActionQueueFileName fwdRule1 # unique name prefix for spool files
    $ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
    $ActionQueueSaveOnShutdown on # save messages to disk on shutdown
    $ActionQueueType LinkedList   # run asynchronously
    $ActionResumeRetryCount -1    # infinite retries if host is down
    # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
    *.* @@192.168.5.201:514
    # ### end of the forwarding rule ###

After changing the appropriate lines, restart the service, open the firewall on port 514, and check `chkconfig` to ensure that the rsyslog service will start at boot.

rsyslog as a Service

The service that runs rsyslog is called rsyslogd.

Commands to Manipulate rsyslog

As with most (all?) services on the machine, rsyslogd can be manipulated with `service rsyslogd {start|stop|restart|etc}`.

Securing rsyslog

The rsyslog daemon runs on port 514. That port will need to be opened in the firewall to allow traffic if the server is set up to receive remote logs. The following commands will expose the aspects of SELinux that apply to rsyslog.

    semanage fcontext -l  | grep syslog
    semanage port -l  | grep syslog
    getsebool -a  | grep syslog

Additional Notes & Considerations for rsyslog

We will attempt to practice the following in class.[17]

  1. Configure one system to receive remote log messages.
  2. Configure the other to log to the remote syslog server.[18]
  3. Use logger to generate test messages.

Another item of importance is the logrotate utility. logrotate runs as a service daemon, and is configured in '/etc/logrotate.conf'. There is a dump directory as well at '/etc/logrotate.d'. This utility will automatically rotate, compress, and archive log files based on a time schedule or the sizes of the log files. See `man logrotate` for details.

Reference Material for this Chapter

For this chapter's supporting material, please reference Chapters 9, 11, & 17 in the RHCSA/RHCE Linux Certification Study Guide text book.



[16] The tcp protocol ensures reliable delivery over the udp protocol. Personally, I want my logs delivered reliably. Therefore, the wise choice is to use the tcp protocol.

[17] If/when there are problems, remember to investigate IP Tables and SELinux considerations.

[18] Extra credit: configure the client to log only a particular facility or priority to the logging server.