rsyslog - configuration help - logrotate and compression
I want to rotate and separate the routers and switches in a log with a date stamp called 'rslog-YYYY-MM-DD' also the firewalls into a log with a date stamp called 'fwlog-YYYY-MM-DD'
To start, you need to separate your firewall and switches with filtering in rsyslog. Exactly how to do this varies based on the version of rsyslog you are running. They have changed configuration syntax quite a bit over time. My notes below are based on an older release of Rsyslog v3 that ships with Red Hat. You will want to verify this against the documentation for your release.
For a property based filter, it will look something like;
:fromhost-ip,isequal,"192.168.1.1" /var/log/prd/fwlog
&~
:fromhost-ip,isequal,"192.168.1.254" /var/log/prd/rslog
&~
The next part is your desired filename. For that, you will combine filtering with rsyslog's templates to generate dynamic filenames for your logs.
$template Firewall,"/var/log/prd/fwlog-%$YEAR%-%$MONTH%-%$DAY%"
$template Switch,"/var/log/prd/rslog-%$YEAR%-%$MONTH%-%$DAY%"
:fromhost-ip,isequal,"192.168.1.1" -?Firewall
&~
:fromhost-ip,isequal,"192.168.1.254" -?Switch
&~
I want to compress(gzip?) the logs after 48hrs.
The last part, compression, would rely on a daily cron job that compresses files. (Where $date is $today - 2.) The date command already has a built in format for YYYY-MM-DD, so we'll use that. (%F
)
gzip /var/log/prd/*-$(date --date='2 days ago' +%F)
First you should understand a bit more about syslog facility and severity. Those represent the two values you've added as *.*
in your conf.
http://wiki.gentoo.org/wiki/Rsyslog#Facility
http://wiki.gentoo.org/wiki/Rsyslog#Severity
If you can set your sending daemons to use a different facility and/or severity for the routers/switches from the firewall, you should be able to easily create filter rules on your central log server to separate the logs out into different files as you've specified. For example, send routers/switches as local1 and firewall as local2.
Other than those settings, you could also separate out switch logs from firewall logs by filtering on the source IP address. The rsyslog property is called fromhost-ip.
Once you have the inbound rsyslog setup, you'll need to fine tune your logrotate settings. I think both file paths should be on one single line for starters. To compress after two days worth of logs will require some additional effort. See:
https://stackoverflow.com/questions/4495476/logrotate-compression-files-modified-x-number-of-days
You can test with logrotate -f /etc/logrotate.conf /etc/logrotate.d/rsyslog
For more details see:
http://articles.slicehost.com/2010/6/30/understanding-logrotate-on-debian-part-1