tickets #166475
Updated by crameleon 8 months ago
We currently do syslog forwarding to our syslog server. This covers the systemd journal via /var/log/messages. Having logs accessible and archived in a central place is generally useful, but only /var/log/messages often does not help. We should additionally forward /var/log/mail and application specific log files. Currently the structure on our syslog server (monitor.i.o.o) is: `/var/log/opensuse/hosts/<hostname>.log` /var/log/opensuse/hosts/<hostname>.log I think it makes sense to keep this but to extend it further with: `/var/log/opensuse/hosts/<hostname>.log.d/mail.log` /var/log/opensuse/hosts/<hostname>.log.d/mail.log `/var/log/opensuse/hosts/<hostname>.log.d/<application tag>.log` /var/log/opensuse/hosts/<hostname>.log.d/<application tag>.log From my brief research, this will require two changes: - collection of additional log files on client rsyslogd's using the imfile module (https://www.rsyslog.com/doc/configuration/modules/imfile.html) and either tagging them or making sure the application name is set correctly - splitting the remote input on the syslog server's rsyslogd by tags in addition to hostnames using an additional template like `template(name="DynFileApp" type="string" string="/var/log/opensuse/hosts/%HOSTNAME%.log.d/%syslogtag%.log")` (or `%programname%` if we have the application names set correctly - https://www.rsyslog.com/doc/configuration/properties.html - adjusting the existing "DynFile => <host>.log" rule to only act on syslog/messages instead of on everything arriving from a host Our rsyslog server configuration is in https://code.opensuse.org/heroes/salt/blob/production/f/salt/profile/log/files/etc/rsyslog.d/server.conf. Our rsyslog client configuration is comprised of a few pieces, there is a template in https://code.opensuse.org/heroes/salt/blob/production/f/salt/profile/log/files/etc/rsyslog.d/remote.conf.jinja which is populated through some pillar in https://code.opensuse.org/heroes/salt/blob/production/f/pillar/common/init.sls#_69. There are also some other client side templates which take care of exclusions and mtail which might need consideration to not break when new rules are added.