rsyslog

08/07/2020

create an rsyslog server with docker

add this in docker-compose.yml

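rsyslog:
    # TODO(review): pin the image to a tag or digest. An unpinned tag pulls
    # whatever the registry serves on the next pull, which is a supply-chain
    # risk for a component that receives and stores logs.
    image: jumanjiman/rsyslog
    container_name: rsyslog
    restart: always
    hostname: rsyslog
    environment:
        - "TZ=Europe/Paris"
    # Published on the host loopback only: the nodejs client below connects
    # to 127.0.0.1:514 on the host, which needs a port mapping, but the
    # listener is plaintext and unauthenticated, so do not expose it on
    # 0.0.0.0 without a firewall or TLS in front of it.
    ports:
        - "127.0.0.1:514:514/tcp"
        - "127.0.0.1:514:514/udp"
    volumes:
        # read-only: the container never needs to rewrite its own config
        - ./rsyslog/rsyslog.conf:/etc/rsyslog.conf:ro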

add this in rsyslog.conf

# activate tcp listen
# NOTE(review): this binds on every interface with no TLS and no client
# authentication, so anything that can reach port 514 can inject or flood
# messages. Keep it reachable only from where you expect (loopback publish,
# firewall) or switch imtcp to rsyslog's TLS stream driver for remote senders.
module(load="imtcp")
input(type="imtcp" port="514")

# activate udp listen
# NOTE(review): UDP syslog has no handshake and the source address is
# trivially spoofable; prefer the TCP (or TLS) input for anything you
# intend to rely on during an investigation.
module(load="imudp")
input(type="imudp" port="514")

# activate unix socket listen
# local socket for processes inside the container (e.g. `logger`);
# CreatePath="on" creates the parent directory if it is missing
module(load="imuxsock")
input(type="imuxsock" Socket="/var/run/rsyslog/dev/log" CreatePath="on")

# echo all to stdout
# "*.*" matches every facility and priority, so every received message is
# echoed to the container's stdout (what `docker-compose up` shows) — including
# any secrets or tokens that clients happen to put in their log lines.
module(load="omstdout")
*.* :omstdout:

# send periodically a --MARK-- message
# heartbeat: lets you distinguish "no traffic" from "listener dead";
# the interval is the module default (configurable, see the immark docs)
module(load="immark")

and run this to see the logs

# runs in the foreground: everything the omstdout rule echoes shows up on this terminal
docker-compose up rsyslog

send logs from inside the container

# get a shell inside the running container ...
docker exec -ti rsyslog /bin/sh
# ... and emit a test message through the local syslog socket. It reaches the
# imuxsock input only if /dev/log in the image maps to the socket path
# configured above; the message should then appear on the compose terminal.
logger info

send logs from the host with nodejs (the client below connects to 127.0.0.1:514, so the container's port 514 must be published on the host)

// Minimal syslog-client example: send a single message over TCP to the
// rsyslog container reachable on the host loopback.
const syslog = require("syslog-client");
const os = require('os');

// NOTE(review): plain TCP — no encryption, no authentication of either end.
// Acceptable on loopback; not for anything that crosses a network boundary.
const clientOptions = {
    syslogHostname: os.hostname(),  // HOSTNAME field of the emitted messages
    transport: syslog.Transport.Tcp,
    port: 514
};

const client = syslog.createClient("127.0.0.1", clientOptions);
client.log("example message");

logs are written here: /var/log/syslog (that path comes from a file-output rule, not from the stdout-only configuration above — check which rules the image ships before relying on it)

Jul  8 10:19:56 8bdde78e750a example message

send logs with docker driver

run this

# NOTE(review): this ships the container's stdout/stderr in plaintext TCP to a
# public hostname. Replace raphaelpiccolo.com with the host running the listener
# below, and for anything leaving the machine use "tcp+tls://" together with
# --log-opt syslog-tls-ca-cert (plus syslog-tls-cert/syslog-tls-key for client
# auth) so the stream is encrypted and the collector is authenticated.
docker run --rm -ti --log-driver syslog --log-opt "syslog-address=tcp://raphaelpiccolo.com:1234" busybox sh -c "while true; do id; sleep 1; done"

in another window, on the host that raphaelpiccolo.com resolves to, start this listener; it will receive the logs

# throwaway listener: binds port 1234 on all interfaces, accepts one connection
# and prints whatever arrives. For a quick check only; some nc variants need -p 1234.
nc -l 1234

you get output like this (the leading &lt;30&gt; is the syslog PRI: facility 3 = daemon, severity 6 = info)

<30>Jan 22 22:45:25 02f812ae49b3[1661]: uid=0(root) gid=0(root) groups=10(wheel)

manually create an rsyslog server (on a host, without docker)

install

# run as root (or prefix with sudo); installs the distribution's rsyslog package
apt update && apt install rsyslog

edit /etc/rsyslog.conf (the package installs a default one; apply the changes below to it)

comment this line (imklog reads the kernel log; only disable it where that log is not accessible, e.g. inside a container — on a real host you normally want kernel messages collected)
module(load="imklog" permitnonkernelfacility="on")
uncomment these (they open 514/tcp and 514/udp to the network, unencrypted and unauthenticated — firewall them or add TLS before exposing the host)
module(load="imtcp")
input(type="imtcp" port="514")
and
module(load="imudp")
input(type="imudp" port="514")

this is the full file

#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#                       For more information see
#                       /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf

#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
# NOTE(review): no source authentication and the sender address can be
# spoofed; restrict with a firewall if this host is not on a trusted segment.
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
# NOTE(review): listens on all interfaces in plaintext with no client
# authentication. For collectors reachable from other hosts, use the TLS
# stream driver (and client certificate verification) or limit reachability.
module(load="imtcp")
input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
# disabled here; re-enable on a real host, otherwise kernel messages are lost
#module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
# NOTE(review): identical consecutive messages are collapsed into a repeat
# count, which loses the individual timestamps; consider turning this off
# on a collector whose logs are used for investigations.
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
# files are readable only by the syslog user and the adm group (0640);
# keep it that way, log files routinely contain sensitive data
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
# rsyslog gives up root after startup (the privileged port binds above
# happen before the drop), so a compromise of the daemon runs as syslog
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
# the actual output rules (e.g. the file rules that write /var/log/syslog)
# live in the included files, not here
$IncludeConfig /etc/rsyslog.d/*.conf

and start it

# starts it now; add `systemctl enable rsyslog` (or `enable --now`) so it also
# comes back after a reboot
systemctl start rsyslog

create an rsyslog client (not tested)

in the client's /etc/rsyslog.conf (or a file under /etc/rsyslog.d/) add this line; 192.168.100.10 is the collector's address

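# forward everything to the collector: "@@" = TCP, a single "@" = UDP.
# The selector must be "*.*" with no space — "*. *" is not valid syntax.
# NOTE(review): plaintext; use rsyslog's TLS stream driver on the forwarding
# action, or a restricted network path, for anything leaving the host, and
# consider a disk-assisted action queue so a collector outage does not
# block or drop local logging.
*.*  @@192.168.100.10:514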