Pexip RP send logs to remote syslog server

rsyslog is an application that allows for local logs on the RP to be sent to another host for log consolidation. Below is a procedure that I have used to send logs from a Pexip RP to a remote syslog destination.

The following logs are what I am sending to the remote destination. You can add more if you wish:

  • /var/log/nginx/*access.log
  • /var/log/nginx/*error.log
  • /var/log/fail2ban.log
  • /var/log/syslog

Steps:

Edit the /etc/rsyslog.conf file:

sudo nano /etc/rsyslog.conf

In the MODULES section, add $ModLoad imfile

#################
#### MODULES ####
#################
$ModLoad imfile

Now save the file ( CTRL + x then yes )

Create an rsyslog config file for Nginx and fail2ban:

sudo nano /etc/rsyslog.d/pexlog.conf

Paste in the following, and be sure to replace <remote-ip> with the IP address or FQDN of your external syslog server:

# destination syslog server
*.* @<remote-ip>:514

# nginx error log
$InputFileName /var/log/nginx/*error.log
$InputFileTag nginx:
$InputFileStateFile stat-nginx-error
$InputFileSeverity error
$InputFileFacility local6
$InputFilePollInterval 1
$InputRunFileMonitor

# nginx access log
$InputFileName /var/log/nginx/*access.log
$InputFileTag nginx:
$InputFileStateFile stat-nginx-access
$InputFileSeverity notice
$InputFileFacility local6
$InputFilePollInterval 1
$InputRunFileMonitor

# fail2ban log
$InputFileName /var/log/fail2ban.log
$InputFileTag fail2ban:
$InputFileStateFile fail2ban
$InputFileSeverity notice
$InputFileFacility local6
$InputFilePollInterval 1
$InputRunFileMonitor

Note:

@<remote-ip>:514 will send to port 514 UDP

@@<remote-ip>:514 will send to port 514 TCP

Now restart rsyslog:

sudo service rsyslog restart

Now you are done.
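
A check for the receiving side, added here as an example and not part of the original procedure: it decodes the priority value of forwarded lines and confirms that messages tagged nginx: and fail2ban: arrive with the local6 facility and the severities set in pexlog.conf. It assumes rsyslog's default traditional forward format; the sample lines, host name and addresses are constructed.

```python
import re

# Facility and severity names in PRI order (PRI = facility * 8 + severity).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron "
              "authpriv ftp ntp audit alert clock").split() + [f"local{i}" for i in range(8)]
# "error" is used for severity 3 to match the $InputFileSeverity value on this page.
SEVERITIES = "emerg alert crit error warning notice info debug".split()

# Tag -> (facility, severity) pairs that pexlog.conf assigns to the file inputs.
EXPECTED = {
    "nginx:": {("local6", "error"), ("local6", "notice")},
    "fail2ban:": {("local6", "notice")},
}

# <PRI>Mmm dd hh:mm:ss host tag: message  (assumed default forward format)
LINE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (\S+?:) ?(.*)$")

def parse(line):
    """Decode one forwarded line; return None if it is not in the assumed format."""
    m = LINE.match(line)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "host": m.group(3), "tag": m.group(4), "msg": m.group(5)}

def check(line):
    """Classify a line: ok or mismatch for the file inputs, other, or unparsed."""
    rec = parse(line)
    if rec is None:
        return "unparsed"
    if rec["tag"] not in EXPECTED:
        return "other"  # ordinary syslog traffic forwarded by the *.* rule
    ok = (rec["facility"], rec["severity"]) in EXPECTED[rec["tag"]]
    return "ok" if ok else "mismatch"

# Constructed sample lines (host name and addresses are made up).
SAMPLE = [
    '<179>Mar  3 10:15:02 pexrp nginx: 2024/03/03 10:15:02 [error] 812#0: *7 connect() failed',
    '<181>Mar  3 10:15:03 pexrp nginx: 203.0.113.9 - - [03/Mar/2024:10:15:03 +0000] "GET / HTTP/1.1" 200 612',
    '<181>Mar  3 10:15:04 pexrp fail2ban: 2024-03-03 10:15:04,101 fail2ban.actions: WARNING [ssh] Ban 203.0.113.9',
    '<86>Mar  3 10:15:05 pexrp sshd[991]: Accepted publickey for admin from 198.51.100.4',
    '<13>Mar  3 10:15:06 pexrp nginx: 203.0.113.9 - - [03/Mar/2024:10:15:06 +0000] "GET / HTTP/1.1" 200 612',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(check(line), "|", line)
```

A "mismatch" result on the receiver means the line carries an nginx: or fail2ban: tag but not the facility and severity the config assigns, which is worth checking against the $InputFile directives on the RP.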
