Syslog
Requires FW:6761+
In large server deployments it is useful to forward syslog entries to a remote syslog server over the network (UDP or TCP). This allows a central server to monitor a fleet of machines by receiving all of their log entries in one place. This is a standard Linux feature set, and FMADIO Packet Capture devices support it as described below. Note that plain syslog forwarding, as configured here, is neither encrypted nor authenticated, so the log traffic should be confined to a trusted management network.
Copy the default syslogd.conf to /opt/fmadio/etc/
sudo cp /etc/syslogd.conf /opt/fmadio/etc/

Then edit the copied file as follows, replacing the destination IP address (192.168.1.100 in the example) with the address of the syslog server in your environment:
# rsyslog configuration file (fmadio default)
#
# Copied to /opt/fmadio/etc/ and edited on the capture device. The file mixes
# RainerScript (module()/template()/property()) with legacy "$" directives and
# classic selector lines; order matters, e.g. the templates must be defined
# before $ActionFileDefaultTemplate refers to them.
#### MODULES ####
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog") # provides kernel logging support (previously done by rklogd)
module(load="immark") # provides --MARK-- message capability
# Provides UDP syslog reception
# for parameters see https://www.rsyslog.com/doc/imudp.html
# NOTE: reception is deliberately left disabled. The device only forwards its
# own logs; it is not a collector. Enabling imudp/imtcp would make rsyslog
# listen on port 514 and accept unauthenticated log records from any host that
# can reach it, so only uncomment these if the device is meant to be a log sink,
# and then bind them to the management interface and firewall them.
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")
# Provides TCP syslog reception
# for parameters see https://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")
#### GLOBAL DIRECTIVES ####
# Helper template: "<facility>.<priority>" (e.g. "kern.err"), evaluated once
# per message into the local variable $!facility_priority below so the main
# template can pad it to a fixed width.
template(name="facility_priority" type="list") {
property(name="syslogfacility-text")
constant(value=".")
property(name="syslogpriority-text")
}
set $!facility_priority = exec_template("facility_priority");
# Main line format written to disk:
#   YYYY.MM.DD-HH:MM:SS.subsec (+HH:MM) | host | facility.priority | program |msg
# timereported is the timestamp carried in the message itself (as opposed to
# the time rsyslog received it), so a sender with a wrong clock produces
# mis-ordered lines; keep NTP working on the device if timestamps are relied on.
template(name="syslog_fmadio" type="list") {
property(name="timereported" dateFormat="year")
constant(value=".")
property(name="timereported" dateFormat="month")
constant(value=".")
property(name="timereported" dateFormat="day")
constant(value="-")
property(name="timereported" dateFormat="hour")
constant(value=":")
property(name="timereported" dateFormat="minute")
constant(value=":")
property(name="timereported" dateFormat="second")
constant(value=".")
property(name="timereported" dateFormat="subseconds")
constant(value=" ")
constant(value="(")
# timezone offset of the reported timestamp, e.g. "(+00:00)"
property(name="timereported" dateFormat="tzoffsdirection")
property(name="timereported" dateFormat="tzoffshour")
constant(value=":")
property(name="timereported" dateFormat="tzoffsmin")
constant(value=") | ")
property(name="hostname")
constant(value=" | ")
# fixed-width columns so the log lines up when viewed as a table
property(name="$!facility_priority" position.to="16" fixedwidth="on")
constant(value="| ")
property(name="programname" position.to="10" fixedwidth="on")
constant(value="|")
# msg is emitted twice on purpose: the first copy with spifno1stsp="on" only
# contributes a leading space when the message does not already start with
# one; the second copy is the message body with its trailing newline removed.
property(name="msg" spifno1stsp="on")
property(name="msg" droplastlf="on")
constant(value="\n")
}
# Timestamp/line format for file outputs: the rsyslog traditional format is
# left commented out and the custom syslog_fmadio template above is used instead.
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$ActionFileDefaultTemplate syslog_fmadio
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
# Left disabled: drop-in files under /etc/rsyslog.d/ are NOT read, so every
# rule has to live in this file.
#$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Log kernel messages of priority err and above to the console.
# Logging much else clutters up the screen.
kern.err /dev/console
# log everything (all facilities, all priorities) to disk
*.* /mnt/store0/log/messages
# remote host is TCP: name/ip:port, e.g. 192.168.0.1:514, port optional
# "@@" = plain TCP, "@" = UDP. Everything matched by "*.*" is forwarded, which
# includes auth/authpriv records, so treat the destination as sensitive.
# This is cleartext syslog: no TLS, no integrity protection, and the receiver
# is not authenticated, so anyone on the path can read or alter the entries.
# Restrict the path to a trusted management network; if the rsyslog build on
# the device ships the gtls stream driver, an omfwd action with TLS would be
# the preferable form — verify support on the firmware in use before relying on it.
# With TCP, an unreachable receiver causes rsyslog to queue forwarded messages
# (in memory by default); if the collector can be down for long periods,
# consider giving this action a disk-assisted queue so local logging keeps up.
*.* @@192.168.1.100:514
In the above example all syslog entries are also forwarded to a server at 192.168.1.100 over TCP on port 514 (the double `@@` selects TCP). The forwarding is plain, unencrypted syslog with no authentication of the receiver, so the log traffic should stay on a trusted management network.
For UDP on port 514 use a single `@` instead, i.e. `*.* @192.168.1.100:514`. UDP delivery is best-effort: entries are silently dropped if the network or the receiver cannot keep up, so prefer TCP where the loss of log entries matters.
The daemon is the standard system syslogd (rsyslog; the file above is a rsyslog configuration file), so any additional rsyslog customization can be applied if required. Example syslog output is as follows: