/rsyslog

Express 42 rsyslog cookbook

Primary Language: Ruby

Description

Installs and configures rsyslog v7 and v8. Provides LWRP for creating rules.

Requirements

Rsyslog native package or latest rsyslog stable package from official repository.

Platform:

  • Ubuntu 12.04
  • Ubuntu 14.04
  • Ubuntu 16.04

Attributes

  • node['rsyslog']['version'] - Major Rsyslog version. Defaults to 7
  • node['rsyslog']['modules']['default_modules'] - Defaults to "%w(imuxsock imklog)".
  • node['rsyslog']['modules']['extra_modules'] - Defaults to "[ ... ]".
  • node['rsyslog']['preservefqdn'] - Defaults to "off".
  • node['rsyslog']['global']['ActionFileDefaultTemplate'] - Defaults to "RSYSLOG_TraditionalFileFormat".
  • node['rsyslog']['global']['RepeatedMsgReduction'] - Defaults to "on".
  • node['rsyslog']['global']['FileOwner'] - Defaults to "syslog".
  • node['rsyslog']['global']['FileGroup'] - Defaults to "adm".
  • node['rsyslog']['global']['FileCreateMode'] - Defaults to "0640".
  • node['rsyslog']['global']['DirCreateMode'] - Defaults to "0755".
  • node['rsyslog']['global']['Umask'] - Defaults to "0022".
  • node['rsyslog']['global']['PrivDropToUser'] - Defaults to "syslog".
  • node['rsyslog']['global']['PrivDropToGroup'] - Defaults to "syslog".
  • node['rsyslog']['global']['WorkDirectory'] - Defaults to "/var/spool/rsyslog".
  • node['rsyslog']['rules']['postfix']['selector'] - Defaults to "mail.*".
  • node['rsyslog']['rules']['postfix']['action'] - Defaults to "/var/spool/rsyslog".

Recipes

  • rsyslog::default - Installs and configures rsyslog.
  • rsyslog::apt_official_repo - Configures rsyslog official repository.

Resources

LWRP

rule

Create logging rules for rsyslog

Parameters

| Parameter | Description | Example | Required? | Default |
|---|---|---|---|---|
| selector | Facilities and priorities from log selectors, separated by a period (.) | "auth,authpriv.*" | Y | nil |
| log_action | Where to send filtered records | "/var/log/mydaemon.log" | Y | nil |
| priority | Load priority of the generated conf file | 15 | Y | 20 |

rule_input

Create rules for getting arbitrary log files into rsyslog

Parameters

| Parameter | Description | Example | Required? | Default |
|---|---|---|---|---|
| priority | Load priority of the generated conf file | 15 | Y | 20 |
| filename | Log file from which records are polled | "/home/myapp/current/log/production.log" | Y | nil |
| severity | Severity level | "Error" | N | Info |
| facility | Group logs by facility | "security" | N | daemon |
| persist_interval | Interval for polling in ms | "30000" | N | 1000 |

template

Create template to specify the log format

Parameters

| Parameter | Description | Example | Required? | Default |
|---|---|---|---|---|
| type | Type of template; list or string is available. | 'list' | Y | nil |
| statement | Statement that defines the template | "/var/log/system-%HOSTNAME%.log" | Y | nil |

action

Create action to send logs using output modules

Parameters

| Parameter | Description | Example | Required? | Default |
|---|---|---|---|---|
| type | Type of action. | 'omfwd' | Y | nil |
| rule | Rule for the action | 'target="graylog.example.org" port="12201" protocol="udp" template="gelf"' | Y | nil |
| priority | Priority of the generated action configuration file | 30 | N | nil |

property_based_filter

Create a filter using a property-based filter instead of the BSD-style selector with facility and severity

Parameters

| Parameter | Description | Example | Required? | Default |
|---|---|---|---|---|
| property | Rsyslog property; see the list of all properties on the official documentation site: http://www.rsyslog.com/doc/v8-stable/configuration/properties.html | ':fromhost' | Y | nil |
| operator | Compare operation or regex | 'contains' | Y | nil |
| match_string | String to match with the chosen operator | 'firewall: IN=' | Е | nil |
| log_file | Resulting log file | '/var/log/firewall' | Е | nil |

Usage

  • Include recipe[rsyslog] in the node run list
  • Include recipe[rsyslog::apt_official_repo] if you need to install fresh versions from the official repository

Using rsyslog_rule

To log all messages from the mail facility:

rsyslog_rule 'random-mail-service' do
  priority 15
  selector 'mail.*'
  log_action '-/var/log/mail.log'
end

Or, to send all messages to a remote server:

rsyslog_rule 'udp-remote' do
  selector '*.*'
  log_action '@logs.example.com:514'
end

Using rsyslog_rule_input

Before using an input rule, you need to add the imfile module to the extra_modules attribute.

rsyslog_rule_input "unicorn-rails" do
  priority 15
  filename "/home/rocketbank/rocketbank/current/log/production.log"
  severity "error"
end

Using template

Create a template for GELF output to use in rules (currently needs a lot of escaping):

rsyslog_template 'gelf' do
  type 'list'
  statement 'constant(value="{\"version\":\"1.1\",")
  constant(value="\"host\":\"")
  property(name="hostname")
  constant(value="\",\"short_message\":\"")
  property(name="msg" format="json")
  constant(value="\",\"timestamp\":\"")
  property(name="timegenerated" dateformat="unixtimestamp")
  constant(value="\",\"level\":\"")
  property(name="syslogseverity")
  constant(value="\"}")'
end
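
The escaping in this template matters because rsyslog inserts a property value verbatim unless format="json" is set on it. As an added example (not part of the cookbook), the Ruby sketch below renders the statement above with a simplified model of list-template processing and checks that the result parses as JSON; render_list_template, valid_json? and the sample record are hypothetical names constructed here.

```ruby
require 'json'

# The statement from the rsyslog_template 'gelf' resource above.
# Single-quoted heredoc: backslashes are kept exactly as rsyslog would see them.
GELF_STATEMENT = <<~'TPL'
  constant(value="{\"version\":\"1.1\",")
  constant(value="\"host\":\"")
  property(name="hostname")
  constant(value="\",\"short_message\":\"")
  property(name="msg" format="json")
  constant(value="\",\"timestamp\":\"")
  property(name="timegenerated" dateformat="unixtimestamp")
  constant(value="\",\"level\":\"")
  property(name="syslogseverity")
  constant(value="\"}")
TPL

# Simplified model of list-template rendering (an assumption made for this
# example, not rsyslog's real parser): constants have their backslash escapes
# removed, properties are looked up, format="json" JSON-escapes the value.
def render_list_template(statement, props)
  statement.each_line.map do |line|
    kind, args = line.strip.match(/\A(constant|property)\((.*)\)\z/).captures
    if kind == 'constant'
      args[/value="(.*)"\z/, 1].gsub(/\\(.)/) { Regexp.last_match(1) }
    else
      value = props.fetch(args[/name="([^"]+)"/, 1])
      args.include?('format="json"') ? value.to_json[1..-2] : value
    end
  end.join
end

# True when the rendered record is something a GELF receiver could parse.
def valid_json?(text)
  JSON.parse(text)
  true
rescue JSON::ParserError
  false
end

# Constructed sample record; the message carries quotes and a backslash.
SAMPLE = {
  'hostname' => 'web01',
  'msg' => 'login failed for "admin" from C:\\temp',
  'timegenerated' => '1700000000',
  'syslogseverity' => '4'
}.freeze
```

Rendering the same statement with format="json" removed from the msg property yields a record that no longer parses, because the quotes in the message end the short_message string early. Properties rendered without format="json", such as hostname here, are inserted verbatim.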

Using action

Create an action that sends output data to a Graylog server using the GELF protocol:

rsyslog_action 'gelf_output' do
  type 'omfwd'
  rule 'target="graylog.example.org" port="12201" protocol="udp" template="gelf"'
end

Send data to Kafka first, instead of to the logging server:

rsyslog_action 'kafka_output' do
  type 'omkafka'
  # Double quotes inside the single-quoted Ruby string keep the rule a valid literal
  rule 'broker=["kafka01.exampler.org:9092", "kafka02.exampler.org:9092"] topic="logger" confParam=["compression.codec=snappy"]'
end

Using property_based_filter

Create a property-based filter that matches all syslog messages starting with [YII] and writes them to a separate cron_exceptions log file:

rsyslog_property_based_filter 'cron_exceptions' do
  property ':msg'
  operator 'regex'
  match_string '\[YII\].*'
  log_file '-/var/log/cron_exceptions'
end

See fixture cookbooks in tests/fixtures/cookbooks.

License and Maintainer

Maintainer:: LLC Express 42 (cookbooks@express42.com)

License:: MIT