rsyslog Configuration with multiple hosts on CentOS 7.x

yum install rsyslog

yum install postfix

chkconfig rsyslog on

sudo mkdir /var/log/syslog

vim /etc/rsyslog.conf

 

Uncomment the UDP and TCP syslog reception items to match below:

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Add Template before GLOBAL DIRECTIVES

$template RemoteLogs,”/var/log/syslog/%HOSTNAME%/%$now%.log” *
*.* ?RemoteLogs
& ~

Make sure rsyslog is on on boot and restart it

systemctl enable rsyslog.service

systemctl restart rsyslog.service

 

Setup Email Alerting

$ModLoad ommail
$ActionMailSMTPServer localhost
$ActionMailFrom networkteam@pingpros.com
$ActionMailTo networkteam@pingpros.com
$template mailSubject,”Network Issue on %hostname%”
$template mailBody,”RSYSLOG Alert\nmsg=’%msg%'”
$ActionMailSubject mailSubject
# make sure we receive a mail only once in an
# hours (3600 seconds)
$ActionExecOnlyOnceEveryInterval 3600
# the if … then … mailBody must be on one line!
if ($msg contains ‘BGP’ or $msg contains ‘bgp’ or $msg contains ‘OSPF’ or $msg contains ‘ospf’ or $msg contains ‘FLAP’ or $msg contains ‘down’ or $msg contains ‘DOWN’ or $msg contains ‘SPAN’ or $msg contains ‘span’ or $msg contains ‘loop’ or $msg contains ‘LOOP’ or $msg contains ‘up’ or $msg contains ‘UP’) then :ommail:;mailBody
# re-set interval so that other actions are not affected
$ActionExecOnlyOnceEveryInterval 0

Setup logrotate

sudo vim /etc/logrotate.conf

At very bottom of the file do the following

# Rotate the log daily up to 5 years of retention 365 times 5

/var/log/syslog/*.log /var/log/syslog/*/*.log {
dateext
dateformat .%Y-%m-%d
daily
rotate 1825
compress
}

Test the rotations

logrotate -d /etc/logrotate.conf

Leave a Comment