Overview
This article explains how rsyslog is used for log processing on the UniFi Switch Leaf (USW-Leaf). It is easy to run out of the box and it has a wide variety of options to configure. The rsyslog utility may be configured using both RainerScript syntax or old-style syntax. RainerScript is used in the examples of this article. Note that log rotation is defined in logrotate config, which is run by cron hourly.
- Currently controller configuration for rsyslog is NOT applied, but this feature was designed to use generated config files. Modifying these files is NOT recommended.
- Also, be aware that configuration files are NOT preserved during the reboot without executing the writeback command. Please, see the example below on how to save your config to persistent storage
Table of Contents
How to Configure rsyslog & logrotate
There are no strict limitations on configuration, the instructions provided below are just a recommended way to configure logging. To follow the original documentation on rsyslog please see: https://www.rsyslog.com/doc/v8-stable/configuration/
1. Create your own configuration file /etc/rsyslog.d/my_config.conf
In the example below, logs with severity level higher than debug are saved locally to /var/log/messages using my_template format.
In the following example logs are sent to multiple remote servers simultaneously. Logs with severity level higher than warning are sent to remote logging server 10.0.0.1:514 using the same my_template format. Logs with any severity are sent to 10.0.0.2:512 using RSYSLOG_ForwardFormat.
/etc/rsyslog.d/my_config.conf |
### Log template ### |
2. Exclude system-generated rsyslog configuration and include your newly created one in /etc/rsyslog.conf
/etc/rsyslog.conf |
###################################################### |
3. Add your own logrotate config for locally written logs in /etc/logrotate.d/my_config.conf
In the example, /var/log/messages will be rotated daily or when exceeding the size of 2 Mb. Note that cron runs logrotate once an hour, so the actual size of the rotated file may be bigger than maxsize. The maximum amount of rotated files to keep is 3.
/etc/logrotate.d/my_config.conf |
/var/log/messages { |
4. Exclude system-generated logrotate config and include newly created one in /etc/logrotate.conf
/etc/logrotate.conf |
compress |
5. To preserve the config after the reboot, save all the configurations to persistent storage.
# writeback /etc/rsyslog.conf
# writeback /etc/rsyslog.d/my_config.conf
# writeback /etc/logrotate.conf
# writeback /etc/logrotate.d/my_config.conf
6. To apply the new configuration, restart rsyslog.
# /etc/init.d/S01logging restart
Configuration Files Location and Use
All the configurations are located in the following files:
Component | File Path | Should it be modified by user? | Description |
rsyslog | /etc/rsyslog.conf | Main rsyslog configuration file. Modify this file as needed. By default, this file just includes generated files in /etc/rsyslog.d/generated/ and all /etc/rsyslog.d/*.conf. To exclude the system-generated configs by default, just comment the lines that include configs. To preserve this file between the reboots, use writeback. |
|
/etc/rsyslog.d/*.conf | Add your own configuration files to /etc/rsyslog.d/. Do not forget to include them in /etc/rsyslog.conf or add the extension *.conf (by default, *.conf files are included in /etc/rsyslog.conf). To preserve this file between the reboots, use writeback. |
||
/etc/rsyslog.d/generated/ | Directory for system-generated configurations. It is NOT recommended to edit these files as they may be later overwritten by one of the plugins. If you need to exclude these configs, comment the corresponding lines in /etc/rsyslog.conf | ||
/etc/rsyslog.d/generated/template.conf | Template for logs. It always includes ubnt_template. One of the plugins MAY add additional template ubnt_prefix_template in the future, which is needed for sending logs to the remote server with system identification prefix. | ||
/etc/rsyslog.d/generated/local.conf | Default config file for local logging. By default, all the logs (except authentication, mail and cron logs) with any severity level are logged to /var/log/messages. | ||
/etc/rsyslog.d/generated/remote.conf | Default config file for remote logging. By default, no remote logging is performed. | ||
logrotate | /etc/logrotate.conf | General config for logrotate. It is not recommended to touch any option in this file except ‘includes’. By default, this file includes a system-generated rsyslog config /etc/logrotate.d/generated/rsyslog.conf and all /etc/rsyslog.d/*.conf. To exclude the system-generated configs by default, just comment on the lines that include that config. |
|
/etc/logrotate.d/*.conf | Add your configuration files here. By default, all files, which have an extension *.conf and located in /etc/logrotate.d/, are included in /etc/logrotate.conf. | ||
/etc/logrotate.d/generated/rsyslog.conf | System-generated config for rotating the files, created by rsyslog. It is NOT recommended to edit this file, as it may be overwritten. To exclude this config, just comment the appropriate line in /etc/logrotate.conf, add your own config file to /etc/logrotate.d/ and include it in /etc/logrotate.conf. | ||
cron | /etc/cron.hourly/logrotate | By default, cron runs logrotate once an hour, so the actual size of rotated files may be bigger. However, one-hour logrotate interval is enough for most cases. |