2. # rsyslog configuration file
    4. # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
    5. # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
    7. #### MODULES ####
    9. # The imjournal module bellow is now used as a message source instead of imuxsock.
    10. $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
    11. $ModLoad imjournal # provides access to the systemd journal
    12. #$ModLoad imklog # reads kernel messages (the same are read from journald)
    13. #$ModLoad immark  # provides --MARK-- message capability
    15. # Provides UDP syslog reception
    16. $ModLoad imudp
    17. $UDPServerRun 514
    19. # Provides TCP syslog reception
    20. $ModLoad imtcp
    21. $InputTCPServerRun 514
    24. #### GLOBAL DIRECTIVES ####
    26. # Where to place auxiliary files
    27. $WorkDirectory /var/lib/rsyslog
    29. # Use default timestamp format
    30. $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    32. $template Remote,"/data/logs/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
    33. :fromhost-ip, !isequal, "127.0.0.1" ?Remote
    36. # File syncing capability is disabled by default. This feature is usually not required,
    37. # not useful and an extreme performance hit
    38. #$ActionFileEnableSync on
    40. # Include all config files in /etc/rsyslog.d/
    41. $IncludeConfig /etc/rsyslog.d/*.conf
    43. # Turn off message reception via local log socket;
    44. # local messages are retrieved through imjournal now.
    45. $OmitLocalLogging on
    47. # File to store the position in the journal
    48. $IMJournalStateFile imjournal.state
    51. #### RULES ####
    53. # Log all kernel messages to the console.
    54. # Logging much else clutters up the screen.
    55. #kern.*                                                 /dev/console
    57. # Log anything (except mail) of level info or higher.
    58. # Don't log private authentication messages!
    59. *.info;mail.none;authpriv.none;cron.none                /var/log/messages
    61. # The authpriv file has restricted access.
    62. authpriv.*                                              /var/log/secure
    64. # Log all the mail messages in one place.
    65. mail.*                                                  -/var/log/maillog
    68. # Log cron stuff
    69. cron.*                                                  /var/log/cron
    71. # Everybody gets emergency messages
    72. *.emerg                                                 :omusrmsg:*
    74. # Save news errors of level crit and higher in a special file.
    75. uucp,news.crit                                          /var/log/spooler
    77. # Save boot messages also to boot.log
    78. local7.*                                                /var/log/boot.log
    82. ## Cisco asa log
    83. #$template myformat,"%FROMHOST-IP%: %msg:2:$%\n"
    84. #$template cisco,"/audit/cisco-asa/%FROMHOST-IP%.log"  
    85. #local4.* ?cisco;myformat
    87. # ### begin forwarding rule ###
    88. # The statement between the begin ... end define a SINGLE forwarding
    89. # rule. They belong together, do NOT split them. If you create multiple
    90. # forwarding rules, duplicate the whole block!
    91. # Remote Logging (we use TCP for reliable delivery)
    92. #
    94. #
    95. # An on-disk queue is created for this action. If the remote host is
    96. # down, messages are spooled to disk and sent when it is up again.
    97. #$ActionQueueFileName fwdRule1 # unique name prefix for spool files
    98. #$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
    99. #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
    100. #$ActionQueueType LinkedList   # run asynchronously
    101. #$ActionResumeRetryCount -1    # infinite retries if host is down
    102. # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
    103. *.*                     /audit/audit.log
    104. # ### end of the forwarding rule ###