
UniFi - USW Leaf: Using rsyslog

Overview

This article explains how rsyslog is used for log processing on the UniFi Switch Leaf (USW-Leaf). rsyslog runs out of the box and offers a wide variety of configuration options. It can be configured using either RainerScript syntax or the old-style syntax; the examples in this article use RainerScript. Note that log rotation is defined in the logrotate configuration, and logrotate is run hourly by cron.

NOTES & REQUIREMENTS:
  • Currently controller configuration for rsyslog is NOT applied, but this feature was designed to use generated config files. Modifying these files is NOT recommended.
  • Also, be aware that configuration files are NOT preserved across a reboot unless you run the writeback command. See the example below for how to save your configuration to persistent storage.

Table of Contents

  1. How to Configure rsyslog & logrotate
  2. Configuration Files Location and Use
  3. Related Articles

How to Configure rsyslog & logrotate

There are no strict limitations on configuration; the instructions below are just a recommended way to configure logging. For the original rsyslog documentation, see: https://www.rsyslog.com/doc/v8-stable/configuration/

1. Create your own configuration file /etc/rsyslog.d/my_config.conf

In the example below, logs with severity level higher than debug are saved locally to /var/log/messages using my_template format.

In the following example logs are sent to multiple remote servers simultaneously. Logs with severity level higher than warning are sent to remote logging server 10.0.0.1:514 using the same my_template format. Logs with any severity are sent to 10.0.0.2:512 using RSYSLOG_ForwardFormat.

/etc/rsyslog.d/my_config.conf
### Log template ###
# more: https://www.rsyslog.com/doc/v8-stable/configuration/templates.html
template(name="my_template" type="string"
string="%HOSTNAME% %TIMESTAMP% %pri-text% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

### Rules ###
# more: https://www.rsyslog.com/doc/v8-stable/concepts/multi_ruleset.html

## Local logging ##
# Log anything (except mail)
# Don't log private authentication messages!
ruleset(name="send_to_local") {
    *.debug;mail.none;authpriv.none;cron.none action(type="omfile"
        file="/var/log/messages"
        template="my_template")
}
call send_to_local

## Remote logging ##
ruleset(name="send_to_remote_servers") {
    *.warn action(type="omfwd" protocol="tcp"
        target="10.0.0.1" port="514"
        action.resumeRetryCount="-1"
        queue.type="linkedList" queue.size="200000"
        queue.saveOnShutdown="on"
        template="my_template")
    # Add multiple actions to log to multiple remote servers
    *.* action(type="omfwd" protocol="tcp"
        target="10.0.0.2" port="512"
        action.resumeRetryCount="-1"
        queue.type="linkedList" queue.size="200000"
        queue.saveOnShutdown="on"
        template="RSYSLOG_ForwardFormat")
}
call send_to_remote_servers

2. Exclude system-generated rsyslog configuration and include your newly created one in /etc/rsyslog.conf

/etc/rsyslog.conf
######################################################
### Add your new configs to /etc/rsyslog.d/
### and/or modify this file.
######################################################
#### MODULES ####
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog") # provides kernel logging support (previously done by rklogd)

#### GLOBAL DIRECTIVES ####

# Include generated config files (order is important!)
# Use custom log format
# If you need to ignore the generated configuration, comment next 3 lines:
# include(file="/etc/rsyslog.d/generated/template.conf")
# include(file="/etc/rsyslog.d/generated/local.conf")
# include(file="/etc/rsyslog.d/generated/remote.conf")
# Add your config here:
include(file="/etc/rsyslog.d/my_config.conf")

3. Add your own logrotate config for locally written logs in /etc/logrotate.d/my_config.conf

In the example, /var/log/messages will be rotated daily or when it exceeds 2 Mb in size. Note that cron runs logrotate once an hour, so the actual size of the rotated file may be bigger than maxsize. The maximum number of rotated files to keep is 3.

/etc/logrotate.d/my_config.conf
/var/log/messages {
        compress
        rotate 3
        daily
        maxsize 2M
        delaycompress
        missingok
        postrotate
                /usr/bin/killall -HUP rsyslogd >/dev/null 2>&1 || true
        endscript
        su root root
}

4. Exclude system-generated logrotate config and include newly created one in /etc/logrotate.conf

/etc/logrotate.conf
compress
rotate 5
weekly
maxsize 5M
delaycompress
missingok

# Include generated config files
# If you need to reject the generated configuration, comment next line:
# include /etc/logrotate.d/generated/rsyslog.conf

# Include your config here:
include /etc/logrotate.d/my_config.conf

/var/log/npos-gfl.log {
        su root adm
        postrotate
                /usr/bin/killall -USR1 npos-fwd
        endscript
}

/var/log/npos-iccpd.log {
        su root adm
        postrotate
                /usr/bin/killall -USR1 npos-iccpd
        endscript
}

/var/log/npos-lacpd.log {
        su root adm
        postrotate
                /usr/bin/killall -USR1 npos-lacpd
        endscript
}

/var/log/npos-mstpd.log {
        su root adm
        postrotate
                /usr/bin/killall -USR1 mstpd
                /usr/bin/killall -USR1 mstp_vty
        endscript
}

/var/tmp/quagga/zebra.log {
        su root adm
        postrotate
                /usr/bin/killall -USR1 zebra
        endscript
}

5. To preserve the config after the reboot, save all the configurations to persistent storage.

# writeback /etc/rsyslog.conf
# writeback /etc/rsyslog.d/my_config.conf
# writeback /etc/logrotate.conf
# writeback /etc/logrotate.d/my_config.conf

6. To apply the new configuration, restart rsyslog.

# /etc/init.d/S01logging restart
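
A pre-flight check for the six steps above, added here as an example; it is not part of the original article or of Ubiquiti's tooling. It assumes the file names used in this article and that rsyslogd and logrotate on the switch accept their standard -N1 and -d options; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: pre-flight check for steps 1-6. Not Ubiquiti tooling.

# Print the target of every include(file="...") line that is not commented out.
active_includes() {
    sed -n 's/^[[:space:]]*include(file="\([^"]*\)").*/\1/p' "$1"
}

# Print the name of every module(load="...") line that is not commented out.
loaded_modules() {
    sed -n 's/^[[:space:]]*module(load="\([^"]*\)").*/\1/p' "$1"
}

# check_rsyslog_conf MAIN_CONF USER_CONF -> 0 if step 2 was applied cleanly, else 1.
check_rsyslog_conf() {
    main=$1; user=$2; rc=0
    # Unquoted on purpose: expands wildcard includes such as /etc/rsyslog.d/*.conf.
    incs=$(for f in $(active_includes "$main"); do echo "$f"; done)
    echo "$incs" | grep -qxF "$user" ||
        { echo "FAIL: $user is not included by $main"; rc=1; }
    for f in $incs; do
        case $f in
            */generated/*) echo "FAIL: generated config still active: $f"; rc=1 ;;
        esac
        [ -e "$f" ] || { echo "FAIL: include target missing: $f"; rc=1; }
    done
    # A module() line fused onto a "####" comment line is silently not loaded.
    loaded_modules "$main" | grep -qx imuxsock ||
        { echo "FAIL: imuxsock is not loaded (no local logging input)"; rc=1; }
    return "$rc"
}

# Static checks, rsyslogd's own syntax check, logrotate dry run, then steps 5 and 6.
preflight() {
    check_rsyslog_conf /etc/rsyslog.conf /etc/rsyslog.d/my_config.conf || return 1
    rsyslogd -N1 -f /etc/rsyslog.conf || return 1   # parse config, do not start
    logrotate -d /etc/logrotate.conf >/dev/null 2>&1 || return 1  # -d changes nothing
    for f in /etc/rsyslog.conf /etc/rsyslog.d/my_config.conf \
             /etc/logrotate.conf /etc/logrotate.d/my_config.conf; do
        writeback "$f" || return 1
    done
    /etc/init.d/S01logging restart
}

# Run on the switch as root: sh preflight.sh --apply
if [ "${1:-}" = "--apply" ]; then preflight; fi
```

Nothing is written back or restarted unless every check passes, so a broken configuration is not saved to persistent storage.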

Configuration Files Location and Use

All the configurations are located in the following files: 

| Component | File Path | Should it be modified by user? | Description |
|---|---|---|---|
| rsyslog | /etc/rsyslog.conf | | Main rsyslog configuration file. Modify this file as needed. By default, this file just includes generated files in /etc/rsyslog.d/generated/ and all /etc/rsyslog.d/*.conf. To exclude the system-generated configs that are included by default, comment out the lines that include them. To preserve this file between reboots, use writeback. |
| rsyslog | /etc/rsyslog.d/*.conf | | Add your own configuration files to /etc/rsyslog.d/. Do not forget to include them in /etc/rsyslog.conf or add the extension *.conf (by default, *.conf files are included in /etc/rsyslog.conf). To preserve these files between reboots, use writeback. |
| rsyslog | /etc/rsyslog.d/generated/ | | Directory for system-generated configurations. It is NOT recommended to edit these files as they may be later overwritten by one of the plugins. If you need to exclude these configs, comment out the corresponding lines in /etc/rsyslog.conf. |
| rsyslog | /etc/rsyslog.d/generated/template.conf | | Template for logs. It always includes ubnt_template. One of the plugins MAY add an additional template, ubnt_prefix_template, in the future, which is needed for sending logs to the remote server with a system identification prefix. |
| rsyslog | /etc/rsyslog.d/generated/local.conf | | Default config file for local logging. By default, all the logs (except authentication, mail and cron logs) with any severity level are logged to /var/log/messages. |
| rsyslog | /etc/rsyslog.d/generated/remote.conf | | Default config file for remote logging. By default, no remote logging is performed. |
| logrotate | /etc/logrotate.conf | | General config for logrotate. It is not recommended to touch any option in this file except ‘includes’. By default, this file includes a system-generated rsyslog config /etc/logrotate.d/generated/rsyslog.conf and all /etc/rsyslog.d/*.conf. To exclude the system-generated config that is included by default, comment out the lines that include it. |
| logrotate | /etc/logrotate.d/*.conf | | Add your configuration files here. By default, all files in /etc/logrotate.d/ with the extension *.conf are included in /etc/logrotate.conf. |
| logrotate | /etc/logrotate.d/generated/rsyslog.conf | | System-generated config for rotating the files created by rsyslog. It is NOT recommended to edit this file, as it may be overwritten. To exclude this config, comment out the appropriate line in /etc/logrotate.conf, add your own config file to /etc/logrotate.d/ and include it in /etc/logrotate.conf. |
| cron | /etc/cron.hourly/logrotate | | By default, cron runs logrotate once an hour, so the actual size of rotated files may be bigger. However, a one-hour logrotate interval is enough for most cases. |

Related Articles

UniFi - USW-Leaf CLI Command Comparison

UniFi - USW-Leaf: User Accounts
