RSyslog Secure Configuration: Advanced Enterprise Guide#

This comprehensive guide provides detailed instructions for implementing secure, high-performance RSyslog configurations suitable for enterprise environments. Learn advanced logging architectures, security hardening techniques, and best practices for centralized log management with compliance requirements.

Table of Contents#

Understanding RSyslog Security Architecture#

RSyslog Security Fundamentals#

RSyslog provides enterprise-grade logging capabilities with robust security features:

TLS Encryption: Secure log transmission over networks
Authentication: Certificate-based client authentication
Access Control: Fine-grained permissions and filtering
Data Integrity: Message authentication and tampering detection
Performance: High-throughput logging with minimal overhead

Common Security Challenges#

Log Security Threats:

Log Tampering: Malicious modification of log entries
Data Exfiltration: Unauthorized access to sensitive log data
Denial of Service: Log flooding attacks
Man-in-the-Middle: Interception of log transmissions
Privilege Escalation: Exploitation of logging service vulnerabilities

Compliance Requirements:

PCI DSS: Payment card industry data security standards
HIPAA: Healthcare information privacy regulations
SOX: Sarbanes-Oxley financial reporting requirements
GDPR: General Data Protection Regulation compliance
NIST: National Institute of Standards and Technology guidelines

Core RSyslog Security Configuration#

Central Log Server Configuration#

1
# /etc/rsyslog.conf - Secure central log server configuration
2

3
# Global directives for security
4
$PreserveFQDN on
5
$RepeatedMsgReduction on
6
$WorkDirectory /var/spool/rsyslog
7
$IncludeConfig /etc/rsyslog.d/*.conf
8

9
# Memory and performance optimization
10
$MainMsgQueueSize 50000
11
$MainMsgQueueHighWaterMark 40000
12
$MainMsgQueueLowWaterMark 20000
13
$MainMsgQueueTimeoutEnqueue 0
14
$MainMsgQueueType LinkedList
15
$MainMsgQueueSaveOnShutdown on
16
$MainMsgQueueWorkerThreads 4
17
$MainMsgQueueWorkerThreadMinimumMessages 2000
18

19
# TLS/SSL configuration for secure communication
20
$DefaultNetstreamDriver gtls
21
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/ca.pem
22
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/server-cert.pem
23
$DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/server-key.pem
24

25
# Authentication and encryption settings
26
$InputTCPServerStreamDriverMode 1
27
$InputTCPServerStreamDriverAuthMode x509/name
28
$InputTCPServerStreamDriverPermittedPeer *.example.com
29
$InputTCPServerRun 6514
30

31
# UDP input for local systems (if needed)
32
$ModLoad imudp
33
$UDPServerRun 514
34
$UDPServerAddress 127.0.0.1
35

36
# TCP input for secure remote logging
37
$ModLoad imtcp
38
$InputTCPServerRun 514
39

40
# File ownership and permissions
41
$FileOwner root
42
$FileGroup adm
43
$FileCreateMode 0640
44
$DirCreateMode 0755
45
$Umask 0022
46

47
# Message processing rules with security filtering
48
# Block potentially malicious patterns
49
:msg, contains, "../" stop
50
:msg, contains, "DROP TABLE" stop
51
:msg, regex, ".*[sS][qQ][lL].*[iI][nN][jJ][eE][cC][tT].*" stop
52

53
# Rate limiting to prevent DoS attacks
54
$SystemLogRateLimitInterval 10
55
$SystemLogRateLimitBurst 500
56

57
# Secure file templates with rotation
58
$template SecureLogFormat,"%timegenerated:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
59
$template DailyPerHostLogs,"/var/log/remote/%HOSTNAME%/%$year%-%$month%-%$day%.log"
60

61
# Security event logging
62
auth,authpriv.*                 /var/log/auth.log;SecureLogFormat
63
*.*;auth,authpriv.none          -/var/log/syslog;SecureLogFormat
64
daemon.*                        -/var/log/daemon.log;SecureLogFormat
65
kern.*                          -/var/log/kern.log;SecureLogFormat
66
lpr.*                           -/var/log/lpr.log;SecureLogFormat
67
mail.*                          -/var/log/mail.log;SecureLogFormat
68
user.*                          -/var/log/user.log;SecureLogFormat
69

70
# Remote host logging with security
71
*.*                             ?DailyPerHostLogs;SecureLogFormat
72

73
# Forward critical security events to SIEM
74
auth.crit,authpriv.crit         @@siem.example.com:6514

Advanced TLS Configuration#

1
#!/bin/bash
2
# setup-rsyslog-tls.sh - Configure TLS certificates for RSyslog
3

4
set -euo pipefail
5

6
# Configuration variables
7
CERT_DIR="/etc/ssl/rsyslog"
8
CA_DIR="/etc/ssl/rsyslog/ca"
9
SERVER_NAME="logserver.example.com"
10
CLIENT_NAME="logclient.example.com"
11
ORGANIZATION="Example Organization"
12
COUNTRY="US"
13
STATE="California"
14
CITY="San Francisco"
15

16
# Create certificate directory structure
17
setup_cert_directories() {
18
    echo "Setting up certificate directories..."
19

20
    mkdir -p "$CERT_DIR"
21
    mkdir -p "$CA_DIR"
22
    chmod 700 "$CERT_DIR"
23
    chmod 700 "$CA_DIR"
24

25
    echo "Certificate directories created"
26
}
27

28
# Generate Certificate Authority
29
generate_ca() {
30
    echo "Generating Certificate Authority..."
31

32
    # Generate CA private key
33
    openssl genrsa -out "$CA_DIR/ca-key.pem" 4096
34

35
    # Generate CA certificate
36
    openssl req -new -x509 -days 3650 -key "$CA_DIR/ca-key.pem" \
37
        -out "$CERT_DIR/ca.pem" \
38
        -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/CN=RSyslog-CA"
39

40
    chmod 400 "$CA_DIR/ca-key.pem"
41
    chmod 444 "$CERT_DIR/ca.pem"
42

43
    echo "Certificate Authority generated"
44
}
45

46
# Generate server certificate
47
generate_server_cert() {
48
    echo "Generating server certificate..."
49

50
    # Generate server private key
51
    openssl genrsa -out "$CERT_DIR/server-key.pem" 2048
52

53
    # Generate certificate signing request
54
    openssl req -new -key "$CERT_DIR/server-key.pem" \
55
        -out "$CERT_DIR/server.csr" \
56
        -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/CN=$SERVER_NAME"
57

58
    # Create extensions file for server certificate
59
    cat > "$CERT_DIR/server-ext.conf" << EOF
60
basicConstraints = CA:FALSE
61
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
62
subjectAltName = @alt_names
63

64
[alt_names]
65
DNS.1 = $SERVER_NAME
66
DNS.2 = localhost
67
IP.1 = 127.0.0.1
68
EOF
69

70
    # Generate server certificate
71
    openssl x509 -req -in "$CERT_DIR/server.csr" \
72
        -CA "$CERT_DIR/ca.pem" \
73
        -CAkey "$CA_DIR/ca-key.pem" \
74
        -CAcreateserial \
75
        -out "$CERT_DIR/server-cert.pem" \
76
        -days 365 \
77
        -extensions v3_req \
78
        -extfile "$CERT_DIR/server-ext.conf"
79

80
    # Set permissions
81
    chmod 400 "$CERT_DIR/server-key.pem"
82
    chmod 444 "$CERT_DIR/server-cert.pem"
83

84
    # Cleanup
85
    rm "$CERT_DIR/server.csr" "$CERT_DIR/server-ext.conf"
86

87
    echo "Server certificate generated"
88
}
89

90
# Generate client certificate
91
generate_client_cert() {
92
    echo "Generating client certificate..."
93

94
    # Generate client private key
95
    openssl genrsa -out "$CERT_DIR/client-key.pem" 2048
96

97
    # Generate certificate signing request
98
    openssl req -new -key "$CERT_DIR/client-key.pem" \
99
        -out "$CERT_DIR/client.csr" \
100
        -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/CN=$CLIENT_NAME"
101

102
    # Generate client certificate
103
    openssl x509 -req -in "$CERT_DIR/client.csr" \
104
        -CA "$CERT_DIR/ca.pem" \
105
        -CAkey "$CA_DIR/ca-key.pem" \
106
        -CAcreateserial \
107
        -out "$CERT_DIR/client-cert.pem" \
108
        -days 365
109

110
    # Set permissions
111
    chmod 400 "$CERT_DIR/client-key.pem"
112
    chmod 444 "$CERT_DIR/client-cert.pem"
113

114
    # Cleanup
115
    rm "$CERT_DIR/client.csr"
116

117
    echo "Client certificate generated"
118
}
119

120
# Verify certificates
121
verify_certificates() {
122
    echo "Verifying certificates..."
123

124
    # Verify server certificate
125
    if openssl verify -CAfile "$CERT_DIR/ca.pem" "$CERT_DIR/server-cert.pem"; then
126
        echo "Server certificate verification: PASSED"
127
    else
128
        echo "Server certificate verification: FAILED" >&2
129
        exit 1
130
    fi
131

132
    # Verify client certificate
133
    if openssl verify -CAfile "$CERT_DIR/ca.pem" "$CERT_DIR/client-cert.pem"; then
134
        echo "Client certificate verification: PASSED"
135
    else
136
        echo "Client certificate verification: FAILED" >&2
137
        exit 1
138
    fi
139

140
    echo "Certificate verification completed"
141
}
142

143
# Set proper ownership
144
set_ownership() {
145
    echo "Setting certificate ownership..."
146

147
    chown -R root:root "$CERT_DIR"
148
    chown -R root:root "$CA_DIR"
149

150
    echo "Certificate ownership configured"
151
}
152

153
# Main execution
154
echo "=== RSyslog TLS Certificate Setup ==="
155
setup_cert_directories
156
generate_ca
157
generate_server_cert
158
generate_client_cert
159
verify_certificates
160
set_ownership
161

162
echo "TLS certificate setup completed successfully!"
163
echo "CA Certificate: $CERT_DIR/ca.pem"
164
echo "Server Certificate: $CERT_DIR/server-cert.pem"
165
echo "Server Key: $CERT_DIR/server-key.pem"
166
echo "Client Certificate: $CERT_DIR/client-cert.pem"
167
echo "Client Key: $CERT_DIR/client-key.pem"

Client Configuration for Secure Logging#

1
# /etc/rsyslog.d/50-secure-client.conf - Secure client configuration
2

3
# Load TLS module
4
$ModLoad imfile
5

6
# Global TLS settings
7
$DefaultNetstreamDriver gtls
8
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/ca.pem
9
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/client-cert.pem
10
$DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/client-key.pem
11

12
# Action queue configuration for reliability
13
$ActionQueueType LinkedList
14
$ActionQueueFileName secure_forward
15
$ActionResumeRetryCount -1
16
$ActionQueueSaveOnShutdown on
17
$ActionQueueTimeoutEnqueue 0
18
$ActionQueueMaxDiskSpace 500m
19

20
# Forward all logs to central server with TLS
21
$ActionSendStreamDriver gtls
22
$ActionSendStreamDriverMode 1
23
$ActionSendStreamDriverAuthMode x509/name
24
$ActionSendStreamDriverPermittedPeer logserver.example.com
25

26
# Send all logs to secure central server
27
*.*                             @@logserver.example.com:6514
28

29
# Local backup in case of network issues
30
*.*                             /var/log/local-backup.log;SecureLogFormat
31

32
# Rate limiting for local client
33
$SystemLogRateLimitInterval 5
34
$SystemLogRateLimitBurst 200
35

36
# Security event filtering before forwarding
37
# Block sensitive data patterns
38
:msg, contains, "password" stop
39
:msg, contains, "secret" stop
40
:msg, regex, ".*[0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{4}.*" stop  # Credit card patterns
41

42
# High-priority security events with immediate forwarding
43
auth.alert,authpriv.alert       @@logserver.example.com:6514
44
auth.crit,authpriv.crit         @@logserver.example.com:6514
45
auth.emerg,authpriv.emerg       @@logserver.example.com:6514

Advanced Security Features#

Log Integrity and Signing#

1
#!/bin/bash
2
# rsyslog-signing-setup.sh - Configure log signing for integrity
3

4
# Install signing module dependencies
5
install_signing_dependencies() {
6
    echo "Installing log signing dependencies..."
7

8
    # For Debian/Ubuntu
9
    if command -v apt-get >/dev/null 2>&1; then
10
        apt-get update
11
        apt-get install -y rsyslog-gnutls libgt-dev libgnutls28-dev
12
    fi
13

14
    # For RHEL/CentOS
15
    if command -v yum >/dev/null 2>&1; then
16
        yum install -y rsyslog-gnutls guardtime-devel gnutls-devel
17
    fi
18

19
    echo "Dependencies installed"
20
}
21

22
# Configure log signing
23
configure_log_signing() {
24
    echo "Configuring log signing..."
25

26
    # Create signing configuration
27
    cat > /etc/rsyslog.d/10-signing.conf << 'EOF'
28
# Log signature configuration
29

30
# Load signature provider module
31
$ModLoad lmsig_gt
32

33
# Configure signature provider
34
$ActionLmSigGTSignatureProvider gt://guard.com
35

36
# File signature settings
37
$LmSigGTSigner "rsyslog-signer"
38
$LmSigGTHashChainMaxLength 1000
39
$LmSigGTTimestampTimeout 10
40

41
# Template for signed logs
42
$template SignedLogFormat,"%timegenerated:::date-rfc3339% %HOSTNAME% %syslogtag%%msg%\n"
43

44
# Sign critical security logs
45
auth.*                          /var/log/auth-signed.log;SignedLogFormat;LmSigGT
46
authpriv.*                      /var/log/authpriv-signed.log;SignedLogFormat;LmSigGT
47
security.*                      /var/log/security-signed.log;SignedLogFormat;LmSigGT
48

49
# Configure signature files
50
$LmSigGTSigFile /var/log/auth-signed.log.gtsig
51
$LmSigGTStateFile /var/log/auth-signed.log.gtstate
52
EOF
53

54
    echo "Log signing configured"
55
}
56

57
# Create signature verification script
58
create_verification_script() {
59
    cat > /usr/local/bin/verify-log-signatures.sh << 'EOF'
60
#!/bin/bash
61
# Log signature verification script
62

63
LOG_DIR="/var/log"
64
VERIFICATION_LOG="/var/log/signature-verification.log"
65

66
verify_signatures() {
67
    local log_file=$1
68
    local sig_file="${log_file}.gtsig"
69
    local state_file="${log_file}.gtstate"
70

71
    if [[ -f "$sig_file" && -f "$state_file" ]]; then
72
        echo "Verifying signatures for: $log_file" | tee -a "$VERIFICATION_LOG"
73

74
        if gtsig verify --sig-file "$sig_file" --log-file "$log_file"; then
75
            echo "  VERIFICATION PASSED: $log_file" | tee -a "$VERIFICATION_LOG"
76
            return 0
77
        else
78
            echo "  VERIFICATION FAILED: $log_file" | tee -a "$VERIFICATION_LOG"
79
            logger -p auth.alert "Log signature verification failed for $log_file"
80
            return 1
81
        fi
82
    else
83
        echo "  SIGNATURE FILES MISSING: $log_file" | tee -a "$VERIFICATION_LOG"
84
        return 1
85
    fi
86
}
87

88
# Main verification loop
89
echo "Starting log signature verification: $(date)" | tee -a "$VERIFICATION_LOG"
90

91
verification_failed=0
92

93
for log_file in "$LOG_DIR"/auth-signed.log "$LOG_DIR"/authpriv-signed.log "$LOG_DIR"/security-signed.log; do
94
    if [[ -f "$log_file" ]]; then
95
        if ! verify_signatures "$log_file"; then
96
            verification_failed=1
97
        fi
98
    fi
99
done
100

101
if [[ $verification_failed -eq 1 ]]; then
102
    echo "One or more signature verifications failed!" | tee -a "$VERIFICATION_LOG"
103
    exit 1
104
else
105
    echo "All signature verifications passed" | tee -a "$VERIFICATION_LOG"
106
    exit 0
107
fi
108
EOF
109

110
    chmod +x /usr/local/bin/verify-log-signatures.sh
111

112
    # Create systemd timer for regular verification
113
    cat > /etc/systemd/system/log-signature-verification.service << EOF
114
[Unit]
115
Description=Log Signature Verification
116
After=rsyslog.service
117

118
[Service]
119
Type=oneshot
120
ExecStart=/usr/local/bin/verify-log-signatures.sh
121
User=root
122
StandardOutput=journal
123
StandardError=journal
124
EOF
125

126
    cat > /etc/systemd/system/log-signature-verification.timer << EOF
127
[Unit]
128
Description=Run log signature verification hourly
129
Requires=log-signature-verification.service
130

131
[Timer]
132
OnCalendar=hourly
133
Persistent=true
134

135
[Install]
136
WantedBy=timers.target
137
EOF
138

139
    systemctl enable log-signature-verification.timer
140
    systemctl start log-signature-verification.timer
141

142
    echo "Signature verification scheduled"
143
}
144

145
# Run setup
146
install_signing_dependencies
147
configure_log_signing
148
create_verification_script
149

150
echo "Log signing setup completed!"

Access Control and Filtering#

1
# /etc/rsyslog.d/30-access-control.conf - Advanced access control
2

3
# Property-based filters for enhanced security
4
$ModLoad mmfields
5

6
# Define custom properties for filtering
7
set $!source_ip = $fromhost-ip;
8
set $!facility_name = $syslogfacility-text;
9
set $!severity_name = $syslogseverity-text;
10

11
# Whitelist trusted source IPs
12
if ($!source_ip == "192.168.1.100") then {
13
    set $!trusted_source = "true";
14
} else if ($!source_ip == "192.168.1.101") then {
15
    set $!trusted_source = "true";
16
} else if ($!source_ip == "10.0.0.0/8") then {
17
    set $!trusted_source = "internal";
18
} else {
19
    set $!trusted_source = "false";
20
}
21

22
# Block untrusted sources for sensitive facilities
23
if ($!trusted_source == "false" and ($!facility_name == "auth" or $!facility_name == "authpriv")) then {
24
    call LogSuspiciousActivity
25
    stop
26
}
27

28
# Rate limiting by source IP
29
$ModLoad imptcp
30
$InputPTCPServerRun 514
31
$InputPTCPServerBindRuleset secure_input
32

33
# Define secure input ruleset
34
$RuleSet secure_input
35

36
# Custom action for suspicious activity logging
37
$template SuspiciousActivityTemplate,"/var/log/security/suspicious-%$year%-%$month%-%$day%.log"
38

39
if ($!trusted_source == "false") then {
40
    action(type="omfile"
41
           dynaFile="SuspiciousActivityTemplate"
42
           template="SecureLogFormat"
43
           fileOwner="root"
44
           fileGroup="root"
45
           fileCreateMode="0600"
46
           dirCreateMode="0700")
47
}
48

49
# Content-based filtering for sensitive data
50
# Remove credit card numbers
51
:msg, regex, "[0-9]{4}[[:space:]-]?[0-9]{4}[[:space:]-]?[0-9]{4}[[:space:]-]?[0-9]{4}" {
52
    set $!original_msg = $msg;
53
    set $.redacted_msg = re_replace($msg, "[0-9]{4}[[:space:]-]?[0-9]{4}[[:space:]-]?[0-9]{4}[[:space:]-]?[0-9]{4}", "****-****-****-****");
54
    set $msg = $.redacted_msg;
55
}
56

57
# Remove Social Security Numbers
58
:msg, regex, "[0-9]{3}-[0-9]{2}-[0-9]{4}" {
59
    set $.redacted_msg = re_replace($msg, "[0-9]{3}-[0-9]{2}-[0-9]{4}", "***-**-****");
60
    set $msg = $.redacted_msg;
61
}
62

63
# Remove email addresses from certain logs
64
if ($programname == "web-app" or $programname == "user-service") then {
65
    set $.redacted_msg = re_replace($msg, "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}", "[EMAIL-REDACTED]");
66
    set $msg = $.redacted_msg;
67
}
68

69
# Priority-based routing
70
if ($!severity_name == "emerg" or $!severity_name == "alert" or $!severity_name == "crit") then {
71
    # Immediate notification for critical events
72
    action(type="ommail"
73
           server="smtp.example.com"
74
           port="587"
75
           mailfrom="rsyslog@example.com"
76
           mailto="security-team@example.com"
77
           subject="CRITICAL: Security Alert from RSyslog"
78
           template="EmailAlertTemplate")
79

80
    # Forward to SIEM immediately
81
    action(type="omfwd"
82
           protocol="tcp"
83
           target="siem.example.com"
84
           port="6514"
85
           StreamDriver="gtls"
86
           StreamDriverMode="1"
87
           StreamDriverAuthMode="x509/name"
88
           StreamDriverPermittedPeers="siem.example.com")
89
}
90

91
# Reset to default ruleset
92
$RuleSet RSYSLOG_DefaultRuleset

High-Availability and Load Balancing#

Multi-Server Configuration#

1
#!/bin/bash
2
# ha-rsyslog-setup.sh - High-availability RSyslog configuration
3

4
# Configuration variables
5
PRIMARY_SERVER="log1.example.com"
6
SECONDARY_SERVER="log2.example.com"
7
VIP="192.168.1.200"
8
KEEPALIVED_PASSWORD="SecurePassword123!"
9

10
# Setup load balancer configuration
11
setup_load_balancer() {
12
    echo "Configuring HAProxy for log load balancing..."
13

14
    # Install HAProxy
15
    if command -v apt-get >/dev/null 2>&1; then
16
        apt-get update && apt-get install -y haproxy keepalived
17
    elif command -v yum >/dev/null 2>&1; then
18
        yum install -y haproxy keepalived
19
    fi
20

21
    # Configure HAProxy for RSyslog
22
    cat > /etc/haproxy/haproxy.cfg << EOF
23
global
24
    daemon
25
    user haproxy
26
    group haproxy
27
    log 127.0.0.1:514 local0
28
    chroot /var/lib/haproxy
29
    stats socket /var/lib/haproxy/stats
30
    tune.ssl.default-dh-param 2048
31

32
defaults
33
    mode tcp
34
    log global
35
    option tcplog
36
    option dontlognull
37
    retries 3
38
    timeout connect 5000ms
39
    timeout client 50000ms
40
    timeout server 50000ms
41

42
# RSyslog load balancing
43
frontend rsyslog_frontend
44
    bind *:514
45
    bind *:6514 ssl crt /etc/ssl/rsyslog/server-combined.pem ca-file /etc/ssl/rsyslog/ca.pem verify required
46
    default_backend rsyslog_servers
47

48
backend rsyslog_servers
49
    balance roundrobin
50
    option tcp-check
51
    tcp-check connect port 514
52
    server log1 $PRIMARY_SERVER:514 check
53
    server log2 $SECONDARY_SERVER:514 check backup
54

55
# Statistics interface
56
frontend stats
57
    bind *:8404
58
    stats enable
59
    stats uri /stats
60
    stats refresh 30s
61
    stats admin if TRUE
62
EOF
63

64
    # Configure Keepalived for VIP management
65
    cat > /etc/keepalived/keepalived.conf << EOF
66
vrrp_script chk_haproxy {
67
    script "/bin/kill -0 \`cat /var/run/haproxy.pid\`"
68
    interval 2
69
    weight 2
70
    fall 3
71
    rise 2
72
}
73

74
vrrp_instance VI_1 {
75
    state MASTER
76
    interface eth0
77
    virtual_router_id 51
78
    priority 110
79
    advert_int 1
80
    authentication {
81
        auth_type PASS
82
        auth_pass $KEEPALIVED_PASSWORD
83
    }
84
    virtual_ipaddress {
85
        $VIP
86
    }
87
    track_script {
88
        chk_haproxy
89
    }
90
}
91
EOF
92

93
    systemctl enable haproxy keepalived
94
    systemctl start haproxy keepalived
95

96
    echo "Load balancer configured"
97
}
98

99
# Configure primary log server
100
configure_primary_server() {
101
    echo "Configuring primary log server..."
102

103
    cat > /etc/rsyslog.d/10-ha-primary.conf << 'EOF'
104
# Primary server configuration with replication
105

106
# Load database module for log storage
107
$ModLoad ommysql
108

109
# Database connection for log storage
110
$template MySQLInsertTemplate,"INSERT INTO rsyslog (datetime, hostname, facility, priority, tag, message) VALUES ('%timegenerated:::date-mysql%', '%hostname%', '%syslogfacility%', '%syslogpriority%', '%syslogtag%', '%msg%')"
111

112
# Store all logs in MySQL database
113
*.*     :ommysql:localhost,rsyslog_db,rsyslog_user,rsyslog_password;MySQLInsertTemplate
114

115
# Replicate to secondary server
116
$ModLoad omfwd
117
*.*     @@log2.example.com:6514
118

119
# Local file backup
120
*.*     /var/log/primary-backup.log;SecureLogFormat
121

122
# Health check endpoint
123
$ModLoad imhttp
124
$HTTPServerDocumentRoot /var/www/rsyslog-health
125
$HTTPServerPort 8080
126

127
# Create health check document
128
$template HealthCheckTemplate,"/var/www/rsyslog-health/health.json"
129
$template HealthCheckContent,'{"status":"healthy","timestamp":"%timegenerated:::date-rfc3339%","server":"primary"}'
130

131
local0.info     ?HealthCheckTemplate;HealthCheckContent
132
EOF
133

134
    echo "Primary server configured"
135
}
136

137
# Configure secondary log server
138
configure_secondary_server() {
139
    echo "Configuring secondary log server..."
140

141
    cat > /etc/rsyslog.d/10-ha-secondary.conf << 'EOF'
142
# Secondary server configuration (backup)
143

144
# Database replication for secondary server
145
$ModLoad ommysql
146
$template MySQLInsertTemplate,"INSERT INTO rsyslog (datetime, hostname, facility, priority, tag, message) VALUES ('%timegenerated:::date-mysql%', '%hostname%', '%syslogfacility%', '%syslogpriority%', '%syslogtag%', '%msg%')"
147

148
# Store all logs in MySQL database (replica)
149
*.*     :ommysql:localhost,rsyslog_db,rsyslog_user,rsyslog_password;MySQLInsertTemplate
150

151
# Local file backup
152
*.*     /var/log/secondary-backup.log;SecureLogFormat
153

154
# Health check endpoint
155
$ModLoad imhttp
156
$HTTPServerDocumentRoot /var/www/rsyslog-health
157
$HTTPServerPort 8080
158

159
$template HealthCheckTemplate,"/var/www/rsyslog-health/health.json"
160
$template HealthCheckContent,'{"status":"healthy","timestamp":"%timegenerated:::date-rfc3339%","server":"secondary"}'
161

162
local0.info     ?HealthCheckTemplate;HealthCheckContent
163
EOF
164

165
    echo "Secondary server configured"
166
}
167

168
# Setup database replication
169
setup_database_replication() {
170
    echo "Setting up MySQL database replication..."
171

172
    # Create database schema
173
    mysql -u root -p << 'EOF'
174
CREATE DATABASE IF NOT EXISTS rsyslog_db;
175
USE rsyslog_db;
176

177
CREATE TABLE IF NOT EXISTS rsyslog (
178
    id INT AUTO_INCREMENT PRIMARY KEY,
179
    datetime DATETIME,
180
    hostname VARCHAR(255),
181
    facility INT,
182
    priority INT,
183
    tag VARCHAR(255),
184
    message TEXT,
185
    INDEX idx_datetime (datetime),
186
    INDEX idx_hostname (hostname),
187
    INDEX idx_facility (facility),
188
    INDEX idx_priority (priority)
189
);
190

191
CREATE USER IF NOT EXISTS 'rsyslog_user'@'localhost' IDENTIFIED BY 'rsyslog_password';
192
GRANT INSERT, SELECT ON rsyslog_db.* TO 'rsyslog_user'@'localhost';
193
FLUSH PRIVILEGES;
194
EOF
195

196
    echo "Database setup completed"
197
}
198

199
# Create monitoring script
200
create_monitoring_script() {
201
    cat > /usr/local/bin/rsyslog-ha-monitor.sh << 'EOF'
202
#!/bin/bash
203
# RSyslog HA monitoring script
204

205
LOGFILE="/var/log/rsyslog-ha-monitor.log"
206
PRIMARY_SERVER="log1.example.com"
207
SECONDARY_SERVER="log2.example.com"
208
VIP="192.168.1.200"
209

210
check_server_health() {
211
    local server=$1
212
    local port=$2
213

214
    if timeout 5 bash -c "</dev/tcp/$server/$port"; then
215
        return 0
216
    else
217
        return 1
218
    fi
219
}
220

221
check_database_health() {
222
    local server=$1
223

224
    if mysql -h "$server" -u rsyslog_user -prsyslog_password -e "SELECT 1;" >/dev/null 2>&1; then
225
        return 0
226
    else
227
        return 1
228
    fi
229
}
230

231
monitor_ha_status() {
232
    local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
233

234
    # Check primary server
235
    if check_server_health "$PRIMARY_SERVER" 514; then
236
        primary_status="UP"
237
    else
238
        primary_status="DOWN"
239
        echo "[$timestamp] ALERT: Primary server $PRIMARY_SERVER is DOWN" | tee -a "$LOGFILE"
240
        logger -p local0.alert "RSyslog HA: Primary server $PRIMARY_SERVER is DOWN"
241
    fi
242

243
    # Check secondary server
244
    if check_server_health "$SECONDARY_SERVER" 514; then
245
        secondary_status="UP"
246
    else
247
        secondary_status="DOWN"
248
        echo "[$timestamp] ALERT: Secondary server $SECONDARY_SERVER is DOWN" | tee -a "$LOGFILE"
249
        logger -p local0.alert "RSyslog HA: Secondary server $SECONDARY_SERVER is DOWN"
250
    fi
251

252
    # Check VIP status
253
    if check_server_health "$VIP" 514; then
254
        vip_status="UP"
255
    else
256
        vip_status="DOWN"
257
        echo "[$timestamp] ALERT: VIP $VIP is DOWN" | tee -a "$LOGFILE"
258
        logger -p local0.alert "RSyslog HA: VIP $VIP is DOWN"
259
    fi
260

261
    echo "[$timestamp] Status - Primary: $primary_status, Secondary: $secondary_status, VIP: $vip_status" | tee -a "$LOGFILE"
262
}
263

264
# Main monitoring loop
265
while true; do
266
    monitor_ha_status
267
    sleep 60
268
done
269
EOF
270

271
    chmod +x /usr/local/bin/rsyslog-ha-monitor.sh
272

273
    # Create systemd service for monitoring
274
    cat > /etc/systemd/system/rsyslog-ha-monitor.service << EOF
275
[Unit]
276
Description=RSyslog HA Monitor
277
After=network.target
278

279
[Service]
280
Type=simple
281
ExecStart=/usr/local/bin/rsyslog-ha-monitor.sh
282
Restart=always
283
RestartSec=10
284
User=root
285

286
[Install]
287
WantedBy=multi-user.target
288
EOF
289

290
    systemctl enable rsyslog-ha-monitor.service
291
    systemctl start rsyslog-ha-monitor.service
292

293
    echo "HA monitoring configured"
294
}
295

296
# Main execution
297
echo "=== RSyslog High-Availability Setup ==="
298

299
read -p "Configure this server as [primary/secondary/loadbalancer]: " server_role
300

301
case $server_role in
302
    "primary")
303
        configure_primary_server
304
        setup_database_replication
305
        ;;
306
    "secondary")
307
        configure_secondary_server
308
        ;;
309
    "loadbalancer")
310
        setup_load_balancer
311
        ;;
312
    *)
313
        echo "Invalid role. Choose primary, secondary, or loadbalancer"
314
        exit 1
315
        ;;
316
esac
317

318
create_monitoring_script
319

320
echo "RSyslog HA setup completed for role: $server_role"

Performance Optimization and Monitoring#

Performance Tuning Configuration#

1
# /etc/rsyslog.d/20-performance.conf - Performance optimization
2

3
# Global performance settings
4
$MaxMessageSize 8192
5
$PreserveFQDN on
6
$RepeatedMsgReduction on
7

8
# Main message queue optimization
9
$MainMsgQueueSize 100000
10
$MainMsgQueueHighWaterMark 80000
11
$MainMsgQueueLowWaterMark 20000
12
$MainMsgQueueTimeoutEnqueue 0
13
$MainMsgQueueType LinkedList
14
$MainMsgQueueSaveOnShutdown on
15
$MainMsgQueueWorkerThreads 8
16
$MainMsgQueueWorkerThreadMinimumMessages 1000
17
$MainMsgQueueMaxFileSize 100m
18
$MainMsgQueueMaxDiskSpace 2g
19

20
# Action queue optimization for forwarding
21
$ActionQueueType LinkedList
22
$ActionQueueSize 50000
23
$ActionQueueHighWaterMark 40000
24
$ActionQueueLowWaterMark 10000
25
$ActionQueueTimeoutEnqueue 0
26
$ActionQueueWorkerThreads 4
27
$ActionQueueWorkerThreadMinimumMessages 500
28
$ActionQueueMaxFileSize 50m
29
$ActionQueueMaxDiskSpace 1g
30
$ActionResumeRetryCount -1
31
$ActionQueueSaveOnShutdown on
32

33
# File I/O optimization
34
$OMFileFlushInterval 10
35
$OMFileIOBufferSize 64k
36
$OMFileFlushOnTXEnd off
37

38
# Network optimization
39
$UDPServerTimeRequery 60
40
$InputTCPMaxSessions 500
41
$InputTCPFlowControl on
42

43
# Template for high-performance logging
44
$template HighPerfTemplate,"%timegenerated:1:19:date-rfc3339% %hostname% %syslogtag%%msg%\n"
45

46
# Asynchronous file writing for high-throughput logs
47
$OMFileAsyncWriting on
48
*.*     -/var/log/high-performance.log;HighPerfTemplate

Comprehensive Monitoring Dashboard#

1
#!/usr/bin/env python3
2
# rsyslog-dashboard.py - Real-time RSyslog monitoring dashboard
3

4
import json
5
import time
6
import subprocess
7
import sqlite3
8
import os
9
from datetime import datetime, timedelta
10
from collections import defaultdict
11
import argparse
12

13
class RSyslogMonitor:
14
    def __init__(self, db_path="/var/log/rsyslog-monitor.db"):
15
        self.db_path = db_path
16
        self.init_database()
17

18
    def init_database(self):
19
        """Initialize SQLite database for monitoring data"""
20
        conn = sqlite3.connect(self.db_path)
21
        cursor = conn.cursor()
22

23
        cursor.execute('''
24
            CREATE TABLE IF NOT EXISTS metrics (
25
                id INTEGER PRIMARY KEY AUTOINCREMENT,
26
                timestamp DATETIME DEFAULT CURRENT_TIMESTAMP,
27
                metric_name TEXT,
28
                metric_value REAL,
29
                hostname TEXT
30
            )
31
        ''')
32

33
        cursor.execute('''
34
            CREATE TABLE IF NOT EXISTS alerts (
35
                id INTEGER PRIMARY KEY AUTOINCREMENT,
36
                timestamp DATETIME DEFAULT CURRENT_TIMESTAMP,
37
                alert_type TEXT,
38
                message TEXT,
39
                severity TEXT,
40
                acknowledged BOOLEAN DEFAULT FALSE
41
            )
42
        ''')
43

44
        conn.commit()
45
        conn.close()
46

47
    def collect_rsyslog_stats(self):
48
        """Collect RSyslog statistics"""
49
        stats = {}
50

51
        try:
52
            # Get rsyslog process information
53
            result = subprocess.run(['pgrep', '-f', 'rsyslogd'],
54
                                  capture_output=True, text=True)
55
            if result.returncode == 0:
56
                pid = result.stdout.strip().split('\n')[0]
57

58
                # Memory usage
59
                with open(f'/proc/{pid}/status', 'r') as f:
60
                    for line in f:
61
                        if line.startswith('VmRSS:'):
62
                            memory_kb = int(line.split()[1])
63
                            stats['memory_usage_mb'] = memory_kb / 1024
64
                            break
65

66
                # CPU usage
67
                result = subprocess.run(['ps', '-p', pid, '-o', 'pcpu='],
68
                                      capture_output=True, text=True)
69
                if result.returncode == 0:
70
                    stats['cpu_usage_percent'] = float(result.stdout.strip())
71

72
                # File descriptor count
73
                fd_dir = f'/proc/{pid}/fd'
74
                if os.path.exists(fd_dir):
75
                    stats['open_file_descriptors'] = len(os.listdir(fd_dir))
76

77
            # Log file sizes
78
            log_files = [
79
                '/var/log/syslog',
80
                '/var/log/auth.log',
81
                '/var/log/daemon.log',
82
                '/var/log/kern.log'
83
            ]
84

85
            total_log_size = 0
86
            for log_file in log_files:
87
                if os.path.exists(log_file):
88
                    size = os.path.getsize(log_file)
89
                    total_log_size += size
90
                    stats[f'{os.path.basename(log_file)}_size_mb'] = size / (1024 * 1024)
91

92
            stats['total_log_size_mb'] = total_log_size / (1024 * 1024)
93

94
            # Network connections
95
            result = subprocess.run(['netstat', '-tn'], capture_output=True, text=True)
96
            if result.returncode == 0:
97
                connections = result.stdout.split('\n')
98
                rsyslog_connections = [line for line in connections if ':514' in line]
99
                stats['active_connections'] = len(rsyslog_connections)
100

101
            # Disk space
102
            result = subprocess.run(['df', '/var/log'], capture_output=True, text=True)
103
            if result.returncode == 0:
104
                lines = result.stdout.strip().split('\n')
105
                if len(lines) > 1:
106
                    fields = lines[1].split()
107
                    used_percent = int(fields[4].rstrip('%'))
108
                    stats['disk_usage_percent'] = used_percent
109

110
        except Exception as e:
111
            print(f"Error collecting stats: {e}")
112

113
        return stats
114

115
    def store_metrics(self, metrics):
116
        """Store metrics in database"""
117
        conn = sqlite3.connect(self.db_path)
118
        cursor = conn.cursor()
119

120
        hostname = subprocess.run(['hostname'], capture_output=True, text=True).stdout.strip()
121

122
        for metric_name, value in metrics.items():
123
            cursor.execute(
124
                'INSERT INTO metrics (metric_name, metric_value, hostname) VALUES (?, ?, ?)',
125
                (metric_name, value, hostname)
126
            )
127

128
        conn.commit()
129
        conn.close()
130

131
    def check_alerts(self, metrics):
132
        """Check for alert conditions"""
133
        alerts = []
134

135
        # Memory usage alert
136
        if metrics.get('memory_usage_mb', 0) > 1024:  # 1GB
137
            alerts.append({
138
                'type': 'high_memory_usage',
139
                'message': f"High memory usage: {metrics['memory_usage_mb']:.1f}MB",
140
                'severity': 'warning'
141
            })
142

143
        # CPU usage alert
144
        if metrics.get('cpu_usage_percent', 0) > 80:
145
            alerts.append({
146
                'type': 'high_cpu_usage',
147
                'message': f"High CPU usage: {metrics['cpu_usage_percent']:.1f}%",
148
                'severity': 'warning'
149
            })
150

151
        # Disk space alert
152
        if metrics.get('disk_usage_percent', 0) > 90:
153
            alerts.append({
154
                'type': 'high_disk_usage',
155
                'message': f"High disk usage: {metrics['disk_usage_percent']}%",
156
                'severity': 'critical'
157
            })
158

159
        # Log file size alert
160
        if metrics.get('total_log_size_mb', 0) > 10240:  # 10GB
161
            alerts.append({
162
                'type': 'large_log_files',
163
                'message': f"Large log files: {metrics['total_log_size_mb']:.1f}MB",
164
                'severity': 'warning'
165
            })
166

167
        # Store alerts
168
        if alerts:
169
            conn = sqlite3.connect(self.db_path)
170
            cursor = conn.cursor()
171

172
            for alert in alerts:
173
                cursor.execute(
174
                    'INSERT INTO alerts (alert_type, message, severity) VALUES (?, ?, ?)',
175
                    (alert['type'], alert['message'], alert['severity'])
176
                )
177

178
            conn.commit()
179
            conn.close()
180

181
        return alerts
182

183
    def generate_report(self, hours=24):
184
        """Generate monitoring report"""
185
        conn = sqlite3.connect(self.db_path)
186
        cursor = conn.cursor()
187

188
        # Get recent metrics
189
        since_time = datetime.now() - timedelta(hours=hours)
190
        cursor.execute('''
191
            SELECT metric_name, AVG(metric_value) as avg_value,
192
                   MAX(metric_value) as max_value, MIN(metric_value) as min_value
193
            FROM metrics
194
            WHERE timestamp > ?
195
            GROUP BY metric_name
196
        ''', (since_time,))
197

198
        metrics_summary = cursor.fetchall()
199

200
        # Get recent alerts
201
        cursor.execute('''
202
            SELECT alert_type, COUNT(*) as count, severity
203
            FROM alerts
204
            WHERE timestamp > ?
205
            GROUP BY alert_type, severity
206
        ''', (since_time,))
207

208
        alerts_summary = cursor.fetchall()
209

210
        conn.close()
211

212
        # Generate report
213
        report = {
214
            'timestamp': datetime.now().isoformat(),
215
            'period_hours': hours,
216
            'metrics_summary': {
217
                row[0]: {
218
                    'average': row[1],
219
                    'maximum': row[2],
220
                    'minimum': row[3]
221
                } for row in metrics_summary
222
            },
223
            'alerts_summary': {
224
                f"{row[0]}_{row[2]}": row[1] for row in alerts_summary
225
            }
226
        }
227

228
        return report
229

230
    def run_monitoring(self, interval=60):
231
        """Run continuous monitoring"""
232
        print(f"Starting RSyslog monitoring (interval: {interval}s)")
233

234
        while True:
235
            try:
236
                # Collect metrics
237
                metrics = self.collect_rsyslog_stats()
238
                print(f"[{datetime.now()}] Collected {len(metrics)} metrics")
239

240
                # Store metrics
241
                self.store_metrics(metrics)
242

243
                # Check for alerts
244
                alerts = self.check_alerts(metrics)
245
                if alerts:
246
                    print(f"Generated {len(alerts)} alerts")
247
                    for alert in alerts:
248
                        print(f"  {alert['severity'].upper()}: {alert['message']}")
249

250
                time.sleep(interval)
251

252
            except KeyboardInterrupt:
253
                print("\nMonitoring stopped")
254
                break
255
            except Exception as e:
256
                print(f"Error in monitoring loop: {e}")
257
                time.sleep(interval)
258

259
def main():
260
    parser = argparse.ArgumentParser(description='RSyslog Monitoring Dashboard')
261
    parser.add_argument('--interval', type=int, default=60,
262
                      help='Monitoring interval in seconds (default: 60)')
263
    parser.add_argument('--report', action='store_true',
264
                      help='Generate and display report')
265
    parser.add_argument('--hours', type=int, default=24,
266
                      help='Report period in hours (default: 24)')
267

268
    args = parser.parse_args()
269

270
    monitor = RSyslogMonitor()
271

272
    if args.report:
273
        report = monitor.generate_report(args.hours)
274
        print(json.dumps(report, indent=2))
275
    else:
276
        monitor.run_monitoring(args.interval)
277

278
if __name__ == '__main__':
279
    main()

Best Practices and Recommendations#

Security Hardening Checklist#

Encryption: Always use TLS for log transmission
Authentication: Implement certificate-based client authentication
Access Control: Restrict log server access to authorized clients only
Data Integrity: Use log signing for critical security logs
Monitoring: Implement comprehensive monitoring and alerting
Backup: Regular backups of log data and configurations
Retention: Implement appropriate log retention policies
Compliance: Ensure configuration meets regulatory requirements

Troubleshooting Common Issues#

1
#!/bin/bash
2
# rsyslog-troubleshooting.sh - Diagnostic and troubleshooting tools
3

4
# Function to check RSyslog configuration
5
check_configuration() {
6
    echo "=== RSyslog Configuration Check ==="
7

8
    # Test configuration syntax
9
    if rsyslogd -N1; then
10
        echo "✓ Configuration syntax is valid"
11
    else
12
        echo "✗ Configuration syntax errors found"
13
        return 1
14
    fi
15

16
    # Check for common configuration issues
17
    if grep -q "ModLoad.*imudp" /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null; then
18
        echo "✓ UDP input module loaded"
19
    else
20
        echo "⚠ UDP input module not loaded"
21
    fi
22

23
    if grep -q "ModLoad.*imtcp" /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null; then
24
        echo "✓ TCP input module loaded"
25
    else
26
        echo "⚠ TCP input module not loaded"
27
    fi
28
}
29

30
# Function to check network connectivity
31
check_network() {
32
    echo "=== Network Connectivity Check ==="
33

34
    # Check if RSyslog is listening on expected ports
35
    if netstat -tlnp | grep -q ":514.*rsyslogd"; then
36
        echo "✓ RSyslog listening on TCP port 514"
37
    else
38
        echo "⚠ RSyslog not listening on TCP port 514"
39
    fi
40

41
    if netstat -ulnp | grep -q ":514.*rsyslogd"; then
42
        echo "✓ RSyslog listening on UDP port 514"
43
    else
44
        echo "⚠ RSyslog not listening on UDP port 514"
45
    fi
46

47
    # Check TLS port
48
    if netstat -tlnp | grep -q ":6514.*rsyslogd"; then
49
        echo "✓ RSyslog listening on TLS port 6514"
50
    else
51
        echo "⚠ RSyslog not listening on TLS port 6514"
52
    fi
53
}
54

55
# Function to check certificates
56
check_certificates() {
57
    echo "=== Certificate Check ==="
58

59
    local cert_dir="/etc/ssl/rsyslog"
60

61
    if [[ -f "$cert_dir/ca.pem" ]]; then
62
        if openssl x509 -in "$cert_dir/ca.pem" -noout -checkend 86400; then
63
            echo "✓ CA certificate is valid and not expiring soon"
64
        else
65
            echo "⚠ CA certificate is invalid or expiring within 24 hours"
66
        fi
67
    else
68
        echo "⚠ CA certificate not found"
69
    fi
70

71
    if [[ -f "$cert_dir/server-cert.pem" ]]; then
72
        if openssl x509 -in "$cert_dir/server-cert.pem" -noout -checkend 86400; then
73
            echo "✓ Server certificate is valid and not expiring soon"
74
        else
75
            echo "⚠ Server certificate is invalid or expiring within 24 hours"
76
        fi
77
    else
78
        echo "⚠ Server certificate not found"
79
    fi
80
}
81

82
# Function to check log file permissions
83
check_permissions() {
84
    echo "=== File Permissions Check ==="
85

86
    local log_dirs=("/var/log" "/var/spool/rsyslog")
87

88
    for dir in "${log_dirs[@]}"; do
89
        if [[ -d "$dir" ]]; then
90
            local perms=$(stat -c "%a" "$dir")
91
            if [[ "$perms" =~ ^[67][0-7][0-7]$ ]]; then
92
                echo "✓ $dir permissions are secure ($perms)"
93
            else
94
                echo "⚠ $dir permissions may be too restrictive or permissive ($perms)"
95
            fi
96
        else
97
            echo "⚠ Directory $dir does not exist"
98
        fi
99
    done
100
}
101

102
# Function to check disk space
103
check_disk_space() {
104
    echo "=== Disk Space Check ==="
105

106
    local usage=$(df /var/log | tail -1 | awk '{print $5}' | sed 's/%//')
107

108
    if [[ $usage -lt 80 ]]; then
109
        echo "✓ Disk space usage is acceptable ($usage%)"
110
    elif [[ $usage -lt 90 ]]; then
111
        echo "⚠ Disk space usage is high ($usage%)"
112
    else
113
        echo "✗ Disk space usage is critical ($usage%)"
114
    fi
115
}
116

117
# Function to analyze log patterns
118
analyze_logs() {
119
    echo "=== Log Analysis ==="
120

121
    # Check for recent errors
122
    local errors=$(journalctl -u rsyslog --since "1 hour ago" --no-pager | grep -i error | wc -l)
123
    echo "Recent RSyslog errors: $errors"
124

125
    # Check message rates
126
    local current_hour=$(date +%H)
127
    local messages=$(grep "$(date '+%b %d %H')" /var/log/syslog 2>/dev/null | wc -l)
128
    echo "Messages in current hour: $messages"
129

130
    # Check for dropped messages
131
    if journalctl -u rsyslog --since "1 hour ago" --no-pager | grep -q "dropped"; then
132
        echo "⚠ Dropped messages detected in recent logs"
133
    else
134
        echo "✓ No dropped messages in recent logs"
135
    fi
136
}
137

138
# Run all checks
139
echo "RSyslog Troubleshooting Tool"
140
echo "============================"
141

142
check_configuration
143
check_network
144
check_certificates
145
check_permissions
146
check_disk_space
147
analyze_logs
148

149
echo ""
150
echo "Troubleshooting completed. Review any warnings or errors above."

Conclusion#

Implementing secure RSyslog configurations requires careful attention to encryption, authentication, access control, and monitoring. Key recommendations:

Always Use TLS: Encrypt all log transmissions
Certificate Management: Implement proper certificate lifecycle management
Access Control: Restrict access to authorized clients only
Monitoring: Implement comprehensive health and security monitoring
High Availability: Design for resilience and redundancy
Regular Testing: Continuously validate configuration and security posture

By following the configurations and best practices outlined in this guide, you can build a robust, secure logging infrastructure that meets enterprise security and compliance requirements while maintaining high performance and reliability.