Logging (Wheezy)

Although rsyslog is versioned software, how you use it is installation specific, and this logging documentation is written for the Debian Wheezy guide. There are certainly parts you may find useful for other installs.

Rsyslog
The configuration below has not changed much for me over the past half-decade. The main thing is splitting up the mail logs; they grow immense once you start sending a lot of email.

Don't forget to restart rsyslog after editing this file:

/etc/init.d/rsyslog restart

/etc/rsyslog.conf

#  /etc/rsyslog.conf    Configuration file for rsyslog.

#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

###########################
#### GLOBAL DIRECTIVES ####
###########################

# Use traditional timestamp format.
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Set the default permissions for all log files.
# Make them a bit more restrictive.
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0750
$Umask 0007

# Includes are disabled for now.
#$IncludeConfig /etc/rsyslog.d/*.conf

###############
#### RULES ####
###############

# First some standard log files.  Log by facility.
auth,authpriv.*                /var/log/auth.log
cron.*                         -/var/log/cron.log
daemon.*                       -/var/log/daemon.log
# Our IPTables rules use the Debug level of kernel logging
# for that purpose, so it is kept out of kern.log.
kern.*;kern.!=debug            -/var/log/kern.log
:msg, contains, "IPTables: "   -/var/log/iptables.log
:msg, contains, "Hackers: "    -/var/log/hackers.log
:msg, contains, "IP6Tables: "  -/var/log/ip6tables.log
:msg, contains, "Hackers6: "   -/var/log/hackers6.log
ftp.*                          -/var/log/ftp.log
lpr.*                          -/var/log/lpr.log
news.*                         -/var/log/news.log
uucp.*                         -/var/log/uucp.log
syslog.*                       -/var/log/sys.log
user.*                         -/var/log/user.log

# Log by service
# While suhosin doesn't have a php5.4 edition, I've got it
# here in case it ever gets updated again. It does have some
# uses.
local0.*                       -/var/log/suhosin.log
# Most of the time, dovecot and dkim are not going to be your mail issues.
# However, they will happily fill up your mail logs if you let them.
local1.*                       -/var/log/opendkim.log
local2.*                       -/var/log/dovecot.log
# Rsyncd
local4.*                       -/var/log/rsyncd.log
# ClamAV's syslog facility defaults to local6.
local6.*                       -/var/log/clamav.log

# Log by severity
*.err                          /var/log/error.log
*.=warn;mail.none;local2.none  -/var/log/warning.log

# Split up mail logs appropriately.
mail.=notice;mail.=debug       -/var/log/mail.notice
mail.=info                     -/var/log/mail.info
mail.warn                      -/var/log/mail.warn
local2.warn                    -/var/log/dovecot.warn

# Emergencies are sent to everybody logged in.
*.emerg                        *
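
The selector rules above are easy to get wrong (a `.=warn` part, a `.none` exclusion and a `.!=debug` exclusion all interact), so here is an added example, written for this page rather than taken from rsyslog, that evaluates a constructed subset of those rules against a message's facility, severity and text and reports which files it would land in. It assumes only the legacy selector forms used in this file (`fac.pri`, `.=pri`, `.!=pri`, `.none`, `*`) and the `:msg, contains, "..."` filter; the behaviour it reproduces is that a message keeps being tested against later rules, so an iptables message at kern.debug ends up only in iptables.log because `kern.!=debug` keeps it out of kern.log.

```python
import re

# Severity order as rsyslog numbers it (emerg=0 ... debug=7): a selector
# such as "mail.warn" matches warn and everything more severe.
PRIO = {p: i for i, p in enumerate(
    ["emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"])}

def selector_matches(selector, facility, priority):
    """Evaluate a legacy selector like '*.=warn;mail.none;local2.none'.
    Parts apply left to right; 'none' and '!=' parts only remove."""
    level, matched = PRIO[priority], False
    for part in selector.split(";"):
        facs, _, pri = part.strip().rpartition(".")
        if facility not in facs.split(",") and "*" not in facs.split(","):
            continue                         # part is about other facilities
        if pri == "none":
            matched = False
        elif pri == "*":
            matched = True
        elif pri.startswith("!="):           # exclude exactly this severity
            matched = matched and level != PRIO[pri[2:]]
        elif pri.startswith("="):            # exactly this severity
            matched = level == PRIO[pri[1:]]
        else:                                # this severity and above
            matched = level <= PRIO[pri]
    return matched

def rule_matches(rule, facility, priority, msg):
    """Selector rules and ':msg, contains, "..."' property filters."""
    m = re.match(r':msg,\s*contains,\s*"([^"]*)"', rule)
    return m.group(1) in msg if m else selector_matches(rule, facility, priority)

# Constructed subset of the rules from the configuration above.
RULES = [
    ("kern.*;kern.!=debug", "-/var/log/kern.log"),
    (':msg, contains, "IPTables: "', "-/var/log/iptables.log"),
    ("*.err", "/var/log/error.log"),
    ("*.=warn;mail.none;local2.none", "-/var/log/warning.log"),
    ("mail.=info", "-/var/log/mail.info"),
    ("mail.warn", "-/var/log/mail.warn"),
    ("local2.*", "-/var/log/dovecot.log"),
    ("local2.warn", "-/var/log/dovecot.warn"),
]

def destinations(facility, priority, msg, rules=RULES):
    """Files a message lands in; the leading '-' (asynchronous write) is
    stripped because it changes buffering, not the destination."""
    return [path.lstrip("-") for rule, path in rules
            if rule_matches(rule, facility, priority, msg)]
```

Call `destinations("kern", "debug", "IPTables: IN=eth0 ...")` and compare with `destinations("kern", "warn", "usb disconnect")` to see the effect of the `kern.!=debug` exclusion.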

Logrotate

 * /etc/logrotate.conf
   * rotate 26
   * uncomment compress, add delaycompress
 * /etc/logrotate.d/
   * for all entries:
     * rotate 26, weekly, unless already longer/less common
     * adjust special creation permissions (no world readable, etc.)
     * add delaycompress if needed
   * MySQL:
     * add /var/log/mysql/mysql-error.log
   * Rsyslog:
     * adjust files appropriately, add suhosin, opendkim, etc.

My general policy is to keep logs for half a year (26 weekly rotations). Since most issues involve the past week or so, delaycompress, which leaves the most recently rotated log uncompressed until the next rotation, is almost mandatory.