HOW TO SET UP RSYSLOG TO LISTEN ON UDP AND TCP AND SAVE LOGS TO A FOLDER BASED ON CLIENT IP
Testing with an rsyslog server (syslog on port 514, UDP and TCP) and pointing a client at those ports. Whatever text the client sends (plain ASCII lines are enough for a test) shows up as log messages in that client's own file under /var/log/<ip>/.
apt-get install rsyslog
vi /etc/rsyslog.conf (make sure the config looks like the one below)
/etc/init.d/rsyslog restart
root@debikos71:/var/log# cat /etc/rsyslog.conf
### THIS SHOWS HOW I CONFIGURED MY RSYSLOG FOR UDP AND TCP AND ALSO FOR EACH HOST TO SAVE INFO IN /var/log/<ip>/ ###
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"
*.* ?FILENAME
### EVERYTHING BELOW IS TYPICAL DEFAULT CONFIG ###
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
*.emerg :omusrmsg:*
daemon.*;mail.*;\
news.err;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
HOW TO ENABLE SYSLOG SERVER (from scratch – same as above instructions)
https://wiki.debian.org/DebianEdu/HowTo/syslog-ng
http://www.thegeekstuff.com/2012/01/rsyslog-remote-logging/
http://docs.openstack.org/trunk/openstack-ops/content/rsyslog_server_config.html
The old syslog daemon was sysklogd (plain syslogd).
The newer one is rsyslog, which is what my debikos machine has.
vi /etc/rsyslog.conf
press i to enter insert mode
Uncomment this part, or add it if it is missing (for TCP):
$ModLoad imtcp
$InputTCPServerRun 514
If you want UDP, uncomment this as well; leave it commented out if you don't want it:
$ModLoad imudp
$UDPServerRun 514
NOTE: any line starting with # is a comment
Add this last part to split the logs by client IP:
# This is the template that generates the log filename dynamically from the client's IP address.
# %fromhost-ip% is the peer address of the datagram or connection, so it is always an IP address and never something that can contain a path.
# Don't swap in %HOSTNAME% here: that value comes from the message header and is chosen by the sender. If you want hostnames in the path, use %HOSTNAME:::secpath-replace% so slashes are replaced.
# Note: messages from local inputs (imuxsock, imklog) carry fromhost-ip 127.0.0.1 and land in /var/log/127.0.0.1/syslog.log with this template.
# Use straight ASCII double quotes; the curly quotes a web page pastes in will break the directive.
$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"
*.* ?FILENAME
Save and quit with :wq!
/etc/init.d/rsyslog stop
/etc/init.d/rsyslog start
or
/etc/init.d/rsyslog restart
or
service rsyslog stop
service rsyslog start
or
service rsyslog restart
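Here is a small test harness for the server set up above. It is an added example, not something from the original page or from the rsyslog project: it builds BSD-syslog test lines, checks the $template line for the curly quotes that copy/paste from a web page introduces, runs rsyslog's own config check, sends one message over UDP and one over TCP with nc, and then shows the tail of the per-client file. The server address 127.0.0.1, port 514 and the /var/log/<ip>/syslog.log path are assumptions matching the configuration on this page; override SERVER and PORT in the environment if your server is elsewhere.

```shell
#!/bin/sh
# Added example (not part of the original page): test harness for an rsyslog
# server that listens on UDP/TCP 514 and writes /var/log/<client-ip>/syslog.log.
# Assumptions: server at 127.0.0.1:514 (override with SERVER/PORT), the page's
# $template FILENAME, and a netcat (openbsd or traditional) that accepts -u/-w.

SERVER="${SERVER:-127.0.0.1}"
PORT="${PORT:-514}"

# RFC 3164 priority value: facility * 8 + severity.
# user(1).info(6) -> 14, auth(4).crit(2) -> 34
syslog_pri() {
    echo $(( $1 * 8 + $2 ))
}

# Build a minimal "<PRI>TAG: MSG" line. rsyslog accepts this from a remote
# client and fills in the timestamp and host itself; the trailing newline is
# the LF framing imtcp expects.
build_syslog_msg() {
    printf '<%s>%s: %s\n' "$(syslog_pri "$1" "$2")" "$3" "$4"
}

# rsyslog only understands straight ASCII double quotes in $template.
# Return 1 if any $template line in the config contains a byte that is not
# printable ASCII or whitespace (the curly quotes are the usual offender),
# 0 otherwise.
check_template_quotes() {
    if grep '^\$template' "$1" | LC_ALL=C grep -q '[^[:print:][:space:]]'; then
        return 1
    fi
    return 0
}

# Full syntax check with rsyslogd itself before restarting the service.
# -N1 parses the config and exits without starting the daemon.
lint_config() {
    conf="${1:-/etc/rsyslog.conf}"
    check_template_quotes "$conf" || { echo "non-ASCII quotes on a \$template line in $conf"; return 1; }
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$conf"
    else
        echo "rsyslogd not installed here, skipping -N1 check"
    fi
}

# Send one test line over UDP (-u) and one over TCP. -w1 gives up after a
# second so a closed TCP port does not hang the script.
send_test_messages() {
    build_syslog_msg 1 6 rsyslogtest "udp test $(date +%s)" | nc -u -w1 "$SERVER" "$PORT"
    build_syslog_msg 1 6 rsyslogtest "tcp test $(date +%s)" | nc -w1 "$SERVER" "$PORT"
}

# Where the server should have written the lines. When the test runs on the
# server itself the client address is 127.0.0.1, which is also the file that
# local (imuxsock/imklog) messages land in with this template.
show_received() {
    client_ip="${1:-127.0.0.1}"
    tail -n 5 "/var/log/$client_ip/syslog.log"
}

case "${1:-}" in
    lint) lint_config "${2:-/etc/rsyslog.conf}" && echo "config OK" ;;
    send) send_test_messages && sleep 1 && show_received "${2:-127.0.0.1}" ;;
esac
```

Usage: `sh rsyslog-test.sh lint` before restarting rsyslog, then `sh rsyslog-test.sh send` from the server (or `SERVER=10.0.0.5 sh rsyslog-test.sh send` from a client, followed by `sh rsyslog-test.sh send <client-ip>` on the server to read the file). The quote check exists because the $template line is the one part of this config that people paste from a web page, and rsyslog silently ignores a malformed template directive, so the remote messages end up in /var/log/syslog instead of the per-IP files.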