How to Setup RSYSLOG | Ubuntu / CentOS
Content
Ubuntu:
apt-get install rsyslog
Configure rsyslog to filter based on prefix. Edit /etc/rsyslog.d/20-ufw.conf
:msg, contains, "[UFW " -/var/log/ufw.log
# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated UFW log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log).
# On rsyslog 7 and later "& stop" is the preferred spelling of "& ~".
#& ~
Configure UFW log rotation /etc/logrotate.d/ufw
/var/log/ufw.log {
#Log files are rotated count times before being removed or mailed to the address specified in a mail directive
rotate 4
weekly
#If the log file is missing, go on to the next one without issuing an error message
missingok
#Do not rotate the log if it is empty
notifempty
compress
delaycompress
#Check all the logs for that configuration block before running the postrotate script. If one or both of the logs is rotated, the postrotate script runs only once. If none of the logs is rotated, the postrotate script doesn’t run
sharedscripts
postrotate
invoke-rc.d rsyslog reload >/dev/null 2>&1 || true
endscript
}
Check the result with a dry run (debug mode prints what would happen and changes nothing):
logrotate /etc/logrotate.conf --debug
CentOS:
yum install rsyslog
Configure iptables to log with a unique prefix that rsyslog can match on. For example:
iptables -A LOGGING -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
Edit /etc/rsyslog.d/iptables.conf
:msg, contains, "iptables denied: " -/var/log/iptables.log
# The string above must be a substring of the --log-prefix, or nothing is matched.
# Uncomment the following to stop these messages also going to the kern.* file
# ("& stop" on rsyslog 7 and later).
#& ~
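To see where a kernel line ends up before editing /etc/rsyslog.d, here is a small model of the two rule forms used on this page (the `:msg, contains` selector and the `& ~` discard). It is an added illustration, not rsyslog code; the sample messages are constructed, and it assumes one rule per line in the forms shown here.

```python
"""Model of the rsyslog rules used on this page (added illustration, not rsyslog code):
    :msg, contains, "<substring>"  -/var/log/<file>   property-based filter
    & ~                                               discard what the last rule matched
"""
import re

# Assumption: one rule per line, only the two forms shown on this page.
RULE_RE = re.compile(r'^:msg,\s*contains,\s*"([^"]*)"\s+-?(\S+)$')

def parse_rules(conf):
    """Return [(substring, target_file, discard_after_match)] from a conf fragment."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line in ("& ~", "& stop"):      # '&' chains an action onto the previous selector
            s, t, _ = rules[-1]
            rules[-1] = (s, t, True)
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule: " + line)
        rules.append((m.group(1), m.group(2), False))
    return rules

def route(msg, rules, default="/var/log/kern.log"):
    """Files a message is written to. Simplified: a message that is not discarded
    also reaches the stock kern.* rule in rsyslog.conf (modelled as `default`)."""
    files = []
    for substring, target, discard in rules:
        if substring in msg:
            files.append(target)
            if discard:
                return files
    files.append(default)
    return files

# Constructed sample kernel messages (not real captures).
UFW_BLOCK = "[UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22"
IPT_DENIED = "iptables denied: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23"
USB = "usb 1-1: new high-speed USB device number 2 using xhci_hcd"

UFW_RULES = parse_rules(':msg, contains, "[UFW " -/var/log/ufw.log\n& ~\n')
UFW_NO_DISCARD = parse_rules(':msg, contains, "[UFW " -/var/log/ufw.log\n#& ~\n')
# A filter string that is not a substring of the --log-prefix silently matches nothing,
# so the denial stays in kern.log only; the string that matches the prefix routes it.
IPT_MISMATCH = parse_rules(':msg, contains, "iptables: " -/var/log/iptables.log\n& ~\n')
IPT_FIXED = parse_rules(':msg, contains, "iptables denied: " -/var/log/iptables.log\n& ~\n')
```

Call `route(UFW_BLOCK, UFW_RULES)` with and without the discard rule to see the difference between a dedicated firewall log and a copy that also lands in kern.log.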
Configure iptables log rotation /etc/logrotate.d/iptables
/var/log/iptables.log {
rotate 4
weekly
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
# CentOS has no invoke-rc.d; signal rsyslog the way its own /etc/logrotate.d/syslog does
/bin/kill -HUP $(cat /var/run/syslogd.pid 2>/dev/null) 2>/dev/null || true
endscript
}
References
Log iptables Messages to a Separate File with rsyslog (Random Bits)
System: Controlling what logs where with rsyslog.conf (The Art of Web)
https://www.digitalocean.com/community/tutorials/how-to-manage-logfiles-with-logrotate-on-ubuntu-16-04
Update