How to Setup RSYSLOG | Ubuntu / CentOS

Environment
  • Ubuntu
  • CentOS
 

Content
Ubuntu:
apt-get install rsyslog

Configure rsyslog to route messages by their log prefix. The ufw package ships /etc/rsyslog.d/20-ufw.conf; make sure it reads:
:msg, contains, "[UFW " -/var/log/ufw.log

# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated UFW log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
#& ~

The filter is a literal, case-sensitive substring test on the message text, so the trailing space in "[UFW " is deliberate: it matches [UFW BLOCK], [UFW AUDIT], [UFW ALLOW] and so on. The leading - on the file name makes rsyslog write asynchronously, without syncing after every line. & ~ is the legacy discard action; on rsyslog 7 and later use & stop, which does the same thing without the deprecation warning. Once uncommented, the UFW lines no longer reach any later rule, so they are kept out of /var/log/kern.log and /var/log/syslog; leave it commented if you want them in both places. After editing, check the syntax with rsyslogd -N1 and restart rsyslog.

Configure UFW log rotation in /etc/logrotate.d/ufw (also shipped by the ufw package):
/var/log/ufw.log {
   #Log files are rotated count times before being removed or mailed to the address specified in a mail directive
   rotate 4

   weekly

   #If the log file is missing, go on to the next one without issuing an error message
   missingok

   #Do not rotate the log if it is empty
   notifempty

   compress
   delaycompress

   #Check all the logs for that configuration block before running the postrotate script. If one or both of the logs is rotated, the postrotate script runs only once. If none of the logs is rotated, the postrotate script doesn’t run
   sharedscripts

   postrotate
      invoke-rc.d rsyslog reload >/dev/null 2>&1 || true
   endscript
}


Test the rotation configuration without touching any files; --debug (-d) only prints what logrotate would do and leaves the logs and its state file unchanged:
logrotate --debug /etc/logrotate.conf

To exercise the ufw stanza for real, regardless of whether a rotation is due, run logrotate --force /etc/logrotate.d/ufw.


CentOS:
yum install rsyslog

Configure iptables to log with a unique prefix, so rsyslog has something to match on. For example, in a user-defined LOGGING chain (create it with -N, jump to it from INPUT or wherever the denied traffic ends up, and follow this rule with a DROP):
iptables -A LOGGING -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

The limit match caps the rate of LOG entries so a flood cannot fill the disk, and --log-level 7 emits them at debug priority. End the prefix with a space (or ": " as here) so it does not run into the IN= field that the kernel appends.

Edit /etc/rsyslog.d/iptables.conf. The filter string must appear verbatim in the message, and "iptables denied: " does not contain the substring "iptables: ", so match on the full prefix:
:msg, contains, "iptables denied: " -/var/log/iptables.log
#& ~

With --log-level 7 the entries are debug priority, which the default *.info rule in /etc/rsyslog.conf does not send to /var/log/messages, so they land only in /var/log/iptables.log. Uncomment & ~ (or & stop on rsyslog 7 and later) only if you raise the log level and want to keep the lines out of /var/log/messages. Check the syntax with rsyslogd -N1 and restart rsyslog afterwards.

Configure iptables log rotation in /etc/logrotate.d/iptables:
/var/log/iptables.log {
   rotate 4
   weekly
   missingok
   notifempty
   compress
   delaycompress
   sharedscripts

   postrotate
      # invoke-rc.d is Debian-only; signal rsyslog via its pid file, as the stock CentOS /etc/logrotate.d/syslog does
      /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
   endscript
}
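How the two :msg, contains filters above (the "[UFW " one in 20-ufw.conf and the iptables one in iptables.conf) route a message, and what the commented-out discard line changes, can be checked without a running rsyslog. The following Python script is an added example, not part of the original page or of rsyslog: it reimplements the contains test as a literal, case-sensitive substring match, feeds it constructed kernel LOG-target lines carrying the "[UFW " and "iptables denied: " prefixes configured above, and then parses the KEY=VALUE fields so the resulting per-file logs can be summarised by source address and destination port. The catch-all file name /var/log/kern.log stands in for the distribution's default kernel rule and is an assumption.

```python
"""Simulate rsyslog ':msg, contains, "..."' routing over kernel firewall logs.

Added example (not from the original page or from rsyslog). The log lines are
constructed samples in the format the netfilter LOG target emits; the file
names mirror this page's rsyslog rules, and /var/log/kern.log stands in for
the distribution's default kern.* rule (an assumption).
"""
import re

# Filters in the order rsyslog evaluates them (rsyslog.d files are read in
# lexical order, and Ubuntu's 20-ufw.conf precedes the 50-default.conf rules).
RULES = [
    ("[UFW ", "/var/log/ufw.log"),
    ("iptables denied: ", "/var/log/iptables.log"),
]
CATCH_ALL = "/var/log/kern.log"  # assumed default destination for kernel messages

# Constructed sample messages: the %msg% text after the "kernel:" tag.
SAMPLE_LINES = [
    "[UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF "
    "PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "[UFW AUDIT] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 "
    "PROTO=UDP SPT=5353 DPT=53 LEN=40",
    "iptables denied: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 "
    "TTL=54 ID=0 DF PROTO=TCP SPT=44322 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0",
    "usb 1-1: new high-speed USB device number 3 using xhci_hcd",
    "[UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 "
    "TTL=54 ID=0 DF PROTO=TCP SPT=44323 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
]


def matches(msg, needle):
    """rsyslog's 'contains' compare: a literal, case-sensitive substring test."""
    return needle in msg


def route(msg, rules=RULES, stop_after_match=False):
    """Return the files the message would be written to, in rule order.

    stop_after_match models the commented-out '& ~' line (modern syntax
    '& stop'): once a filter matched, the message is discarded so it does
    not reach any later rule, including the catch-all kernel log.
    """
    targets = []
    for needle, target in rules:
        if matches(msg, needle):
            targets.append(target)
            if stop_after_match:
                return targets
    targets.append(CATCH_ALL)
    return targets


_IN_FIELD = re.compile(r"(?:^|\s)IN=")


def parse_fields(msg):
    """Split a netfilter LOG line into prefix, KEY=VALUE fields and bare flags.

    The kernel always starts the field list with IN=, so everything before it
    is the --log-prefix. Tokens without '=' (DF, SYN, ACK, ...) are flags.
    Returns None for kernel messages that are not firewall log lines.
    """
    m = _IN_FIELD.search(msg)
    if m is None:
        return None
    prefix = msg[:m.start()].strip()
    fields, flags = {}, []
    for tok in msg[m.start():].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value  # OUT= yields an empty string, as on the wire
        else:
            flags.append(tok)
    return {"prefix": prefix, "fields": fields, "flags": flags}


def summarize(lines):
    """Count (SRC, DPT) pairs per dedicated log file, skipping the catch-all.

    This is the kind of report one runs over /var/log/ufw.log or
    /var/log/iptables.log once the filters above are in place.
    """
    report = {}
    for msg in lines:
        parsed = parse_fields(msg)
        if parsed is None:
            continue  # e.g. a USB hotplug message: routed, but nothing to count
        key = (parsed["fields"].get("SRC"), parsed["fields"].get("DPT"))
        for target in route(msg):
            if target != CATCH_ALL:
                per_file = report.setdefault(target, {})
                per_file[key] = per_file.get(key, 0) + 1
    return report


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(route(line), "| with discard:", route(line, stop_after_match=True))
    print("'iptables: ' matches the iptables line:", matches(SAMPLE_LINES[2], "iptables: "))
    print(summarize(SAMPLE_LINES))
```

Run as-is, the script prints where each sample line lands with and without the discard action, then the per-file counts. The "iptables: " check is there to make the matching rule concrete: the filter string has to occur verbatim in the message, and "iptables denied: " does not contain "iptables: ", so a filter written that way would never fire and the dedicated log file would stay empty.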


