rsyslog is an application that allows for local logs on the RP to be sent to another host for log consolidation. Below is a procedure that I have used to send logs from a Pexip RP to a remote syslog destination.
The following logs are what I am sending to the remote destination. You can add more if you wish:
- /var/log/nginx/*access.log
- /var/log/nginx/*error.log
- /var/log/fail2ban.log
- /var/log/syslog
Steps:
Edit the /etc/rsyslog.conf file:
sudo nano /etc/rsyslog.conf
In the MODULES section, add $ModLoad imfile
#################
#### MODULES ####
#################
$ModLoad imfile
Now save the file ( CTRL + x then yes )
Create an rsyslog config file for Nginx and fail2ban:
sudo nano /etc/rsyslog.d/pexlog.conf
Paste in the below, and be sure to put the IP address or FQDN of your external syslog server where it says <remote-ip>:
# destination syslog server
*.* @<remote-ip>:514

# nginx error log
$InputFileName /var/log/nginx/*error.log
$InputFileTag nginx:
$InputFileStateFile stat-nginx-error
$InputFileSeverity error
$InputFileFacility local6
$InputFilePollInterval 1
$InputRunFileMonitor

# nginx access log
$InputFileName /var/log/nginx/*access.log
$InputFileTag nginx:
$InputFileStateFile stat-nginx-access
$InputFileSeverity notice
$InputFileFacility local6
$InputFilePollInterval 1
$InputRunFileMonitor

# fail2ban log
$InputFileName /var/log/fail2ban.log
$InputFileTag fail2ban:
$InputFileStateFile fail2ban
$InputFileSeverity notice
$InputFileFacility local6
$InputFilePollInterval 1
$InputRunFileMonitor
Note:
@<remote-ip>:514 will send to port 514 UDP
@@<remote-ip>:514 will send to port 514 TCP
Now restart rsyslog:
sudo service rsyslog restart
Now you are done.
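To confirm on the receiving server that the nginx and fail2ban messages arrive with the tag, facility and severity set in pexlog.conf, the check below decodes the syslog priority of each forwarded line and reports any that differ. It is an added example, not part of the original procedure; it assumes rsyslog's traditional forwarding format (`<PRI>TIMESTAMP HOSTNAME TAG: MSG`), and the host name `pexrp` and the sample lines are constructed.

```python
import re

SEVERITIES = ["emerg", "alert", "crit", "error", "warning", "notice", "info", "debug"]

# Assumed wire format: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG (traditional forwarding)
LINE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([\w./-]+)(?:\[\d+\])?: ?(.*)$"
)

# Tag -> (facility, severities) assigned by the three stanzas in pexlog.conf
EXPECTED = {"nginx": ("local6", {"error", "notice"}), "fail2ban": ("local6", {"notice"})}

def parse(line):
    """Decode one forwarded syslog line; return None if it does not match."""
    m = LINE.match(line)
    if not m or int(m.group(1)) > 191:
        return None
    # PRI = facility * 8 + severity; local0..local7 are facilities 16..23
    facility_no, severity_no = divmod(int(m.group(1)), 8)
    facility = f"local{facility_no - 16}" if facility_no >= 16 else f"facility{facility_no}"
    return {"facility": facility, "severity": SEVERITIES[severity_no],
            "host": m.group(3), "tag": m.group(4), "msg": m.group(5)}

def audit(lines):
    """Return (line_number, reason) for each unparsed or off-spec nginx/fail2ban line."""
    findings = []
    for no, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            findings.append((no, "unparsed"))
        elif rec["tag"] in EXPECTED:  # other tags come from /var/log/syslog via *.*
            facility, severities = EXPECTED[rec["tag"]]
            if rec["facility"] != facility or rec["severity"] not in severities:
                findings.append((no, f"{rec['tag']} arrived as {rec['facility']}.{rec['severity']}"))
    return findings

# Constructed sample of what the remote server might receive
SAMPLE = [
    "<179>Mar  3 10:15:02 pexrp nginx: 2024/03/03 10:15:02 [error] 812#812: *41 connect() failed",
    '<181>Mar  3 10:15:03 pexrp nginx: 203.0.113.7 - - [03/Mar/2024:10:15:03 +0000] "GET / HTTP/1.1" 200 612',
    "<181>Mar  3 10:15:04 pexrp fail2ban: 2024-03-03 10:15:04,120 fail2ban.actions [640]: NOTICE [nginx] Ban 203.0.113.7",
    "<133>Mar  3 10:15:05 pexrp nginx: 2024/03/03 10:15:05 [error] 812#812: *42 upstream timed out",
    "<86>Mar  3 10:15:06 pexrp sshd[1201]: Accepted publickey for admin from 198.51.100.4",
]

if __name__ == "__main__":
    for no, reason in audit(SAMPLE):
        print(f"line {no}: {reason}")
```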