Information Technology Grimoire

Version .0.0.1

IT Notes from various projects because I forget, and hopefully they help you too.

rsyslog

Server

vim /etc/rsyslog.conf

provides TCP syslog reception

module(load="imtcp")
input(type="imtcp" port="50514")

provides UDP syslog reception

module(load="imudp")
input(type="imudp" port="514")

allowed senders (only these networks and hosts may deliver to the listeners above; messages from any other source are discarded)

$AllowedSender UDP, 192.168.43.0/24, [::1]/128, *.example.net, servera.example.com
$AllowedSender TCP, 192.168.43.0/24, [::1]/128, *.example.net, servera.example.com
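Added here as a worked check (not from the original notes or the rsyslog project): a simplified Python re-implementation of how the $AllowedSender lists above are evaluated, so the ACL can be tried against candidate sender addresses before a host is pointed at this server. It assumes the sender's reverse-resolved hostname is supplied by the caller rather than looked up, which rsyslog does itself.

```python
import fnmatch
import ipaddress
import re

# Constructed sample: the two $AllowedSender directives from the server config above.
ALLOWED_SENDER_LINES = [
    "$AllowedSender UDP, 192.168.43.0/24, [::1]/128, *.example.net, servera.example.com",
    "$AllowedSender TCP, 192.168.43.0/24, [::1]/128, *.example.net, servera.example.com",
]

_DIRECTIVE = re.compile(r"^\$AllowedSender\s+(UDP|TCP)\s*,\s*(.+)$", re.IGNORECASE)
_BRACKETED = re.compile(r"^\[([^\]]+)\](/\d+)?$")  # [::1]/128 -> ::1/128


def parse_allowed_senders(lines):
    """Map transport ("UDP"/"TCP") to a list of ip_network objects and hostname patterns."""
    acl = {}
    for line in lines:
        m = _DIRECTIVE.match(line.strip())
        if not m:
            continue
        transport = m.group(1).upper()
        for item in (e.strip() for e in m.group(2).split(",") if e.strip()):
            b = _BRACKETED.match(item)
            if b:
                item = b.group(1) + (b.group(2) or "")
            try:
                entry = ipaddress.ip_network(item, strict=False)
            except ValueError:
                entry = item.lower()  # hostname, possibly with a * wildcard
            acl.setdefault(transport, []).append(entry)
    return acl


def sender_allowed(acl, transport, ip, hostname=None):
    """Decide whether a message from `ip` over `transport` would be accepted.

    Simplification (assumption): hostname entries are compared with the sender's
    reverse-resolved name passed in as `hostname`; rsyslog does that lookup itself.
    """
    if transport.upper() not in acl:
        return True  # no list configured for this transport: rsyslog accepts everyone
    addr = ipaddress.ip_address(ip)
    for entry in acl[transport.upper()]:
        if isinstance(entry, str):
            if hostname and fnmatch.fnmatchcase(hostname.lower(), entry):
                return True
        elif addr in entry:  # False when address and network families differ
            return True
    return False
```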

templates (the template definition and the rule that uses it are separate lines; on one line rsyslog does not parse the rule)

$template RemInputLogs, "/var/log/remotelogs/%FROMHOST-IP%/%PROGRAMNAME%.log"
*.* ?RemInputLogs

logs (one directory per sender IP and one file per program name, as laid out by the template above)

tail -5 /var/log/remotelogs/192.168.43.214/sshd.log

Send logs to remote syslog server over UDP (single @; UDP gives no delivery confirmation, so dropped messages go unnoticed)

auth,authpriv.* @192.168.43.154:514

Send logs to remote syslog server over TCP (double @@; the port must match the server's imtcp listener, which above is 50514 rather than 514; a forward that cannot connect shows up as the omfwd errors and suspend/retry cycle in the systemctl output below)

*.* @@192.168.43.154:514

systemctl (status while the TCP forward cannot reach its target: the omfwd action is suspended and retried)

● rsyslog.service - System Logging Service
   Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-05-18 12:56:46 CDT; 5s ago
     Docs: man:rsyslogd(8)
           https://www.rsyslog.com/doc/
 Main PID: 3551 (rsyslogd)
    Tasks: 4 (limit: 4915)
   CGroup: /system.slice/rsyslog.service
           └─3551 /usr/sbin/rsyslogd -n -iNONE

May 18 12:56:51 raspberrypi rsyslogd[3551]: action 'action-0-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.1901.0 try https://www.rs
May 18 12:56:51 raspberrypi rsyslogd[3551]: omfwd: TCPSendBuf error -2027, destruct TCP Connection to 192.168.1.14:514 [v8.1901.0 try http
May 18 12:56:51 raspberrypi rsyslogd[3551]: action 'action-0-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 0. There should be m
May 18 12:56:51 raspberrypi rsyslogd[3551]: action 'action-0-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.1901.0 try https://www.rs
May 18 12:56:51 raspberrypi rsyslogd[3551]: omfwd: TCPSendBuf error -2027, destruct TCP Connection to 192.168.1.14:514 [v8.1901.0 try http
May 18 12:56:51 raspberrypi rsyslogd[3551]: action 'action-0-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 0. There should be m
May 18 12:56:51 raspberrypi rsyslogd[3551]: action 'action-0-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.1901.0 try https://www.rs
May 18 12:56:51 raspberrypi rsyslogd[3551]: omfwd: TCPSendBuf error -2027, destruct TCP Connection to 192.168.1.14:514 [v8.1901.0 try http
May 18 12:56:51 raspberrypi rsyslogd[3551]: action 'action-0-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 0. There should be m
May 18 12:56:51 raspberrypi rsyslogd[3551]: action 'action-0-builtin:omfwd' resumed (module 'builtin:omfwd') [v8.1901.0 try https://www.rs
May 18 12:56:51 raspberrypi rsyslogd[3551]: omfwd: TCPSendBuf error -2027, destruct TCP Connection to 192.168.1.14:514 [v8.1901.0 try http

status

pi@raspberrypi:~ $ sudo systemctl status syslog.service
● rsyslog.service - System Logging Service
   Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-05-18 12:57:35 CDT; 3s ago
     Docs: man:rsyslogd(8)
           https://www.rsyslog.com/doc/
 Main PID: 3597 (rsyslogd)
    Tasks: 4 (limit: 4915)
   CGroup: /system.slice/rsyslog.service
           └─3597 /usr/sbin/rsyslogd -n -iNONE

May 18 12:57:35 raspberrypi systemd[1]: Starting System Logging Service...
May 18 12:57:35 raspberrypi rsyslogd[3597]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.1901.0]
May 18 12:57:35 raspberrypi rsyslogd[3597]:  [origin software="rsyslogd" swVersion="8.1901.0" x-pid="3597" x-info="https://www.rsyslog.com
May 18 12:57:35 raspberrypi systemd[1]: Started System Logging Service.