tickets #166475

open

Forward non-syslog logs to syslog server

Added by crameleon 5 months ago. Updated 3 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Core services and virtual infrastructure
Target version: -
Start date: 2024-09-07
Due date:
% Done: 0%
Estimated time:

Description

We currently do syslog forwarding to our syslog server. This covers the systemd journal via /var/log/messages. Having logs accessible and archived in a central place is generally useful, but having only /var/log/messages often does not help. We should additionally forward /var/log/mail and application-specific log files.

Currently the structure on our syslog server (monitor.i.o.o) is:

/var/log/opensuse/hosts/<hostname>.log

I think it makes sense to keep this but to extend it further with:

/var/log/opensuse/hosts/<hostname>.log.d/mail.log
/var/log/opensuse/hosts/<hostname>.log.d/<application tag>.log

From my brief research, this will require two changes:

  • collection of additional log files on client rsyslogds using the imfile module (https://www.rsyslog.com/doc/configuration/modules/imfile.html) and either tagging them or making sure the application name is set correctly
  • splitting the remote input on the syslog server's rsyslogd by tags in addition to hostnames using an additional template like template(name="DynFileApp" type="string" string="/var/log/opensuse/hosts/%HOSTNAME%.log.d/%syslogtag%.log") (or %programname% if we have the application names set correctly - https://www.rsyslog.com/doc/configuration/properties.html)
  • adjusting the existing "DynFile => .log" rule to only act on syslog/messages instead of on everything arriving from a host

Our rsyslog server configuration is in https://code.opensuse.org/heroes/salt/blob/production/f/salt/profile/log/files/etc/rsyslog.d/server.conf.
Our rsyslog client configuration is comprised of a few pieces: there is a template in https://code.opensuse.org/heroes/salt/blob/production/f/salt/profile/log/files/etc/rsyslog.d/remote.conf.jinja which is populated through some pillar in https://code.opensuse.org/heroes/salt/blob/production/f/pillar/common/init.sls#_69. There are also some other client-side templates which take care of exclusions and mtail, which might need consideration so as not to break when new rules are added.
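
The client and server changes listed in this ticket, written out as an added example; it is not taken from the openSUSE salt repository. The file names, the exampleapp log path and tag, and the use of facility local6 to mark file-collected messages are assumptions. Hostname and program name are chosen by the sending host and end up in a file path on the server, so the template applies rsyslog's secpath-replace property option to both.

```rsyslog
# --- client: /etc/rsyslog.d/imfile-exampleapp.conf (hypothetical file name) ---
# Read an application log file and inject each line into the normal
# rsyslog pipeline, so the existing forwarding rule ships it to the server.
module(load="imfile")

input(type="imfile"
      File="/var/log/exampleapp/app.log"   # hypothetical application log
      Tag="exampleapp:"                    # becomes %syslogtag%; %programname% is "exampleapp"
      Facility="local6"                    # assumption: local6 marks file-collected logs
      Severity="info")

# --- server: addition to rsyslog.d/server.conf ---
# Per-application file below the per-host directory proposed in the ticket.
# secpath-replace turns any "/" in the property into "_", so a crafted
# hostname or program name cannot point the output outside hosts/.
template(name="DynFileApp" type="string"
         string="/var/log/opensuse/hosts/%HOSTNAME:::secpath-replace%.log.d/%programname:::secpath-replace%.log")

# Route file-collected messages to the per-application file and stop
# processing them. Placed before the existing DynFile rule, this leaves
# that rule handling only the remaining syslog/messages traffic.
if ($syslogfacility-text == "local6") then {
    action(type="omfile"
           dynaFile="DynFileApp"
           createDirs="on")                # creates <hostname>.log.d/ on first write
    stop
}
```

Both fragments can be checked with `rsyslogd -N1` before the service is restarted.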