Metalog

From Gentoo Wiki
Jump to:navigation Jump to:search
This article is a stub. Please help out by expanding it (how to get started).

Metalog is a alternative syslog daemon. Metalog is simple to configure, accepts unlimited number of rules and has (switchable) memory bufferization for maximal performance.

Installation

USE flags

USE flags for app-admin/metalog A highly configurable replacement for syslogd/klogd

unicode Add support for Unicode

Emerge

Install app-admin/metalog:

root #emerge --ask app-admin/metalog
Warning
It is a bad idea to run more than one system logger on a physical host. Other local loggers should be removed or disabled.

Configuration

Metalog documentation:

[...]
A configuration file should be installed. Its default location is
/etc/metalog.conf (unless you tweaked --with-sysconfdir) . You can find a
sample file in this directory, but it's certainly not perfect for your system
and your needs. So read on.
[...]

Files

  • /etc/conf.d/metalog - Gentoo's config file for /etc/init.d/metalog daemon. See man metalog for running options.
  • /etc/metalog.conf - Global (system wide) configuration file. See metalog.conf(5) for more information

Service

OpenRC

Add the metalog daemon to the default runlevel so that logging starts on system boot:

root #rc-update add metalog default

Start metalog by running:

root #rc-service metalog start

Verify /var/log/everything/current for recent syslog entries:

root #tail -f /var/log/everything/current

runit

systemd

Local logging

Shortest catchall one file logging example. Verify the logfile definitions at the beginning:

  • logfile maximal filesize maxsize
  • logfile rotation frequencymaxtime f.e. daily, weekly,
  • logfile maximal count of files within logging directory maxfiles
FILE /etc/metalog.confMost simple metalog confguration example.
# Most simple Metalog configuration file:
maxsize  = 1048576  # size in bytes (1048576 = 1 megabyte)
maxtime  = 86400    # time in seconds (86400 = 1 day)
maxfiles = 5        # num files per directory

Everything important :

    facility = "*"
    minimum  = 7
    logdir   = "/var/log/everything"

Remote logging

Server

Using app-admin/metalog-20220214 version:

Note
No option to run metalog server listening for incoming syslog messages from sending clients.

Client

To enable sending syslog messages to remote syslog server add following entries to the /etc/metalog configuration file:

remote_host=192.0.2.1
remote_port=514

This rule sends all messages to remote syslog server 192.0.2.1 using target port 514.

FILE /etc/metalog.confRemote syslog server messages sending example.
# Most simple Metalog configuration file:
maxsize  = 1048576  # size in bytes (1048576 = 1 megabyte)
maxtime  = 86400    # time in seconds (86400 = 1 day)
maxfiles = 5        # num files per directory

# Configure sending syslog messages to a remote syslog server
remote_host = 192.0.2.1
remote_port = 514

# Catchall syslog messages 
Everything important :

    facility = "*"
    minimum  = 7
    logdir   = "/var/log/everything"

Usage

All syslog messages are stored in the /var/log/everything/current file.

Filtering

Note
Read the RFC5424 Section 6.2.1. about Facility and Severity

Incoming syslog messages can be filtered using following criteria:

  • facilities f.e.: (local0, kernel)
  • urgency levels, this is called severity in the syslog RFC's f.e: (0-7)
  • program names f.e.: (^httpd)
  • regular expressions f.e.: (simple regex example needed)

An incoming message will pass through all filters. If all conditions match, actions defined for the section are performed.

To write matched syslog messages to its logfile only, without additionally writing in the catch-all syslog file use following at the end of the filter definition:

 break = 1

Simple filter example configuration using the syslog facility to sort incoming messages to dedicated directories:

  • auth facility to /var/log/auth directory only
  • kern facility to /var/log/kern directory only
  • mail facility to /var/log/mail directory only
  • everything else not matched to /var/log/everything directory

The resulting metalog configuration file:

FILE /etc/metalog.confSimple filtering example using facilities
# Most simple Metalog configuration file:
maxsize  = 1048576  # size in bytes (1048576 = 1 megabyte)
maxtime  = 86400    # time in seconds (86400 = 1 day)
maxfiles = 5        # num files per directory

# matched on the authentication facility to the auth directory
Authentication:
 
    facility = "auth"
    logdir   = "/var/log/auth"
    break    = 1

# matched on the kernel facility to the kern directory
Kernel:
    facility = "kern"
    logdir   = "/var/log/kern"
    break    = 1

# matched on the mail facility to the mail directory
Mail:
    facility = "mail"
    logdir   = "/var/log/mail"
    break    = 1

#  matched on all facilities, with all severities save to the everything directoy
Everything important :

    facility = "*"
    minimum  = 7
    logdir   = "/var/log/everything"

Invocation

user $metalog --help
metalog version 4

Options:
   -a, --async
   -B, --daemonize
   -c, --consolelevel <opt>
   -C, --configfile <opt>
   -g, --group <opt>
   -h, --help
   -N, --no-kernel
   -p, --pidfile <opt>
   -s, --synchronous
   -s, --sync
   -v, --verbose
   -V, --version

Troubleshooting

Check if a metalog daemon is running :

user $ps ax | grep metalog
 7753 ?        Ss     0:00 metalog [MASTER]
 7754 ?        S      0:00 metalog [KERNEL]

Verify using the command logger on the client to send a test syslog message:

user $logger -t test my syslog-test-message

Following message will appear in the /var/log/everything/current file, on the syslog server when metalog is configured properly:

root #tail /var/log/everything/current
...
Jun 17 20:22:46 [test] my syslog-test-message

Removal

Unmerge

root #emerge --ask --depclean --verbose app-admin/metalog

See also

  • Logging — the process by which systems record notable events to provide users and administrators with a view of what is happening while a machine is running.
  • Metalog (Security Handbook) - The system logging with Metalog is covered in the Security Handbook.
  • Rsyslog — open source system for high performance log processing.
  • Sysklogd — utility that reads and logs messages to the system console, logs files, other machines and/or users as specified by its configuration file.
  • Syslog-ng — a powerful, highly configurable monitoring and logging daemon.

External resources

References