rsyslog - configuration help - logrotate and compression

debian-wheezy rsyslog cisco

I want to rotate and separate the routers and switches in a log with a date stamp called 'rslog-YYYY-MM-DD' also the firewalls into a log with a date stamp called 'fwlog-YYYY-MM-DD'

To start, you need to separate your firewall and switches with filtering in rsyslog. Exactly how to do this varies based on the version of rsyslog you are running. They have changed configuration syntax quite a bit over time. My notes below are based on an older release of Rsyslog v3 that ships with Red Hat. You will want to verify this against the documentation for your release.

For a property based filter, it will look something like;

:fromhost-ip,isequal,"192.168.1.1"              /var/log/prd/fwlog
&~
:fromhost-ip,isequal,"192.168.1.254"            /var/log/prd/rslog
&~

The next part is your desired filename. For that, you will combine filtering with rsyslog's templates to generate dynamic filenames for your logs.

$template Firewall,"/var/log/prd/fwlog-%$YEAR%-%$MONTH%-%$DAY%"
$template Switch,"/var/log/prd/rslog-%$YEAR%-%$MONTH%-%$DAY%"

:fromhost-ip,isequal,"192.168.1.1"              -?Firewall
&~
:fromhost-ip,isequal,"192.168.1.254"            -?Switch
&~

I want to compress(gzip?) the logs after 48hrs.

The last part, compression, would rely on a daily cron job that compresses files. (Where $date is $today - 2.) The date command already has a built in format for YYYY-MM-DD, so we'll use that. (%F)

gzip /var/log/prd/*-$(date --date='2 days ago' +%F)

First you should understand a bit more about syslog facility and severity. Those represent the two values you've added as *.* in your conf.

http://wiki.gentoo.org/wiki/Rsyslog#Facility

http://wiki.gentoo.org/wiki/Rsyslog#Severity

If you can set your sending daemons to use a different facility and/or severity for the routers/switches from the firewall, you should be able to easily create filter rules on your central log server to separate the logs out into different files as you've specified. For example, send routers/switches as local1 and firewall as local2.

Other than those settings, you could also separate out switch logs from firewall logs by filtering on the source IP address. The rsyslog property is called fromhost-ip.

Once you have the inbound rsyslog setup, you'll need to fine tune your logrotate settings. I think both file paths should be on one single line for starters. To compress after two days worth of logs will require some additional effort. See:

https://stackoverflow.com/questions/4495476/logrotate-compression-files-modified-x-number-of-days

You can test with logrotate -f /etc/logrotate.conf /etc/logrotate.d/rsyslog

For more details see:

http://articles.slicehost.com/2010/6/30/understanding-logrotate-on-debian-part-1

Related

How efficient is the tac command on large files
Can I run virtualbox 64bit OS in a Azure Virtual Machine?
Shutting down machine while deleting large snapshot
amavis cronjob throwing an error out of nowhere
How to bypass OpenVPN per application
(Why) does FreeBSD 'net.inet.tcp.always_keepalive' violate RFC1122?
Why can't I use inetOrgPerson with groupOfNames?
How to check if chef databag exists?
Double UPS on high load during power down
ASP.NET application on "IIS 8.5" on "Windows Server 2012 R2" performs poorly compared with "IIS 7.5" on a "Windows Server 2008 R2"
How to clear Exchange mail queues using PowerShell for a specific user
Map Network Drive to a WebDAV Server via PowerShell