Rsyslog has some very useful features when building a centralized syslog system. If you are not currently centralizing your logs, or have not organized them in an efficient way for analysis, this post will get you started in the right direction.
To understand how to create a filter, you must understand the basic breakdown of the message format. Below is a visual representation of a basic log. The rawmsg is the entire syslog line. If you use this in your filter, it will check the entire line for a match. The hostname field can match a name or an IP address. The programname field normally lists the application that created the log and the msg field is anything after the programname.
|---------------------------------rawmsg----------------------------------|
|-----Date-----|---Hostname-----|programname|------------msg-------------|
Aug 14 02:38:01 SIFT-Workstation rsyslogd: rsyslogd's userid changed to 101
To set up a Linux system to forward all of its logs to your central log server, edit the /etc/rsyslog.conf file and replace 192.168.1.1 in the following line with the IP address of your syslog server:
If you only want to forward a type of application logs to syslog, be more specific about what you want to send. If you do not need all the information in a log, filter out the noise. This will save disk space and speed up processing. In this example, we are only sending apache logs to the server.
if $programname contains 'apache' then @192.168.1.1:514
To send the logs via UDP use one ‘@’ sign and to send the logs via TCP use two ‘@@’ signs.
if $programname contains 'apache' then @@192.168.1.1:514
Once you have several devices reporting to your syslog server, you will need to break the logs into different files to make analysis easier. Most often, you will want to group logs by application. Some of the common operators for filtering are contains, isequal, and startswith.
If you want rsyslog to stop processing the line once you have a match, use & ~ on the next line. This prevents the line from being written into multiple files (e.g. both /var/log/my-log and /var/log/syslog).
To place all logs from one IP address into a single log, use the below example. It takes anything from the IP 10.10.41.12 and adds it to the /var/log/mail.log.
if $fromhost-ip == '10.10.41.12' then /var/log/mail.log
For devices in a cluster, you will likely want the logs from both devices in the same file. In the following example, logs from both 10.10.10.3 and 10.10.10.4 are placed into /var/log/firewall.log.
if ($fromhost-ip == '10.10.10.3' or $fromhost-ip == '10.10.10.4') then /var/log/firewall.log
Use a partial IP match for lots of devices on a couple of subnets. In this example, anything that has a 10.20.0 address or 10.30.0 is placed into /var/log/load-balance.log. Rsyslog cannot use CIDR notation for subnets, but in most cases, this is a decent replacement.
if ($hostname contains '10.20.0' or $hostname contains '10.30.0') then /var/log/load-balance.log
To create a log for all authentications, the rule below will take any message that contains ‘auth’ and place it into the /var/log/remote-auth.log file.
if $msg contains 'auth' then /var/log/remote-auth.log
For a more complex filter that matches both 'auth' and the word 'fail', use the example below.
if ($msg contains 'auth' and $msg contains 'fail') then /var/log/remote-fail.log
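Putting the rules above together, as an added example that is not from the original post: the client forwards only apache logs over TCP, and the server files everything it receives by source and content, discarding each message once it has been written. The listener directives ($ModLoad imudp/imtcp, $UDPServerRun, $InputTCPServerRun), the rule ordering, and the catch-all file name /var/log/remote-other.log are additions not shown in the post.

```rsyslog
#### Client side (/etc/rsyslog.conf on each monitored host) ####
# Forward only apache logs to the central server over TCP (@@);
# a single @ would send them over UDP instead.
if $programname contains 'apache' then @@192.168.1.1:514

#### Server side (/etc/rsyslog.conf on 192.168.1.1) ####
# Listen for forwarded messages on UDP and TCP port 514
# (assumed listener setup; adjust to the transport your clients use).
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514

# Rules are evaluated top to bottom. The "& ~" after each rule discards
# the message once it has been written, so it does not also land in the
# catch-all file at the bottom (rsyslog 7 and later also accept "& stop").

# Single mail host
if $fromhost-ip == '10.10.41.12' then /var/log/mail.log
& ~

# Firewall cluster: both members share one file
if ($fromhost-ip == '10.10.10.3' or $fromhost-ip == '10.10.10.4') then /var/log/firewall.log
& ~

# Load balancers on the 10.20.0.x and 10.30.0.x ranges (partial IP match)
if ($hostname contains '10.20.0' or $hostname contains '10.30.0') then /var/log/load-balance.log
& ~

# Failed authentications get their own file. The more specific rule must
# come before the general 'auth' rule, otherwise the discard after the
# 'auth' rule would swallow the failures before this rule ever sees them.
if ($msg contains 'auth' and $msg contains 'fail') then /var/log/remote-fail.log
& ~
if $msg contains 'auth' then /var/log/remote-auth.log
& ~

# Anything that matched none of the rules above (assumed file name)
*.* /var/log/remote-other.log
```

Restart rsyslog after editing and check the listener is bound (for example with `ss -lnup | grep 514`) before pointing clients at it.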
Rsyslog supports very complex logic and syntax. For more information, visit the following links.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.