Log management is a fundamental task that system administrators should be able to perform. The first step on the path to mastery is being able to configure the system to log to the desired locations. In this hands-on lab, we will configure rsyslog to filter certain logs to a location so they can be reviewed.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Configure rsyslog to Send All `local3` Messages to `/var/log/local3evtx` and All `local5` Messages to `/var/log/local5evtx`
Change the configuration of rsyslog to route the `local3` and `local5` logs:
sudo vim /etc/rsyslog.conf
Edit the lines that route the `local3` and `local5` facilities to files.
Change:
local2.*;local3.* -/var/log/localmessages
To:
local2.* -/var/log/localmessages
local3.* -/var/log/local3evtx
And change:
local4.*;local5.* -/var/log/localmessages
To:
local4.* -/var/log/localmessages
local5.* -/var/log/local5evtx
Save and write the file.
Restart rsyslog:
sudo systemctl restart rsyslog
- Use the `logger` Command to Verify the Logs Are Being Routed Correctly
Confirm the `local3evtx` and `local5evtx` files do not exist:
ls /var/log
Then have rsyslog route messages to the respective files:
sudo logger -p local3.info 'this is a test'
sudo logger -p local5.info 'this is a test'
Verify the files were both created and contain the test messages:
ls /var/log
sudo cat /var/log/local3evtx
sudo cat /var/log/local5evtx
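
An offline check of the edited selector lines, as an added example that is not part of the original lab: it lists every file a facility is routed to, so a rule that still catches `local3` or `local5` elsewhere shows up before the restart. The names `routes_for` and `sample_conf` and the catch-all rule in the sample are assumptions made for illustration; only file actions are read, and any priority other than `none` counts as a match.

```shell
#!/bin/sh
# Added example. Lists the file targets a facility is routed to by
# traditional selector lines: "facility.priority[;...]   [-]/path".
# Assumption: only file actions are considered; RainerScript and
# property-based filters are ignored.
routes_for() {   # $1 = facility (e.g. local3), $2 = config file
    awk -v fac="$1" '
        /^[ \t]*(#|$)/ { next }           # skip comments and blank lines
        NF < 2 || $2 !~ /^-?\// { next }  # keep only rules that write to a file
        {
            hit = 0
            n = split($1, sel, ";")
            for (i = 1; i <= n; i++) {    # later selectors override earlier ones
                dot = index(sel[i], ".")
                if (dot == 0) continue
                pri = substr(sel[i], dot + 1)
                m = split(substr(sel[i], 1, dot - 1), f, ",")
                for (j = 1; j <= m; j++)
                    if (f[j] == fac || f[j] == "*")
                        hit = (pri != "none")
            }
            if (hit) { sub(/^-/, "", $2); print $2 }
        }' "$2"
}

# Constructed sample: the edited rules from the lab plus one made-up
# catch-all rule, to show that a facility can match more than one line.
sample_conf() {
    cat <<'EOF'
# constructed sample, not a real /etc/rsyslog.conf
*.*;mail.none        -/var/log/messages
local2.*             -/var/log/localmessages
local3.*             -/var/log/local3evtx
local4.*             -/var/log/localmessages
local5.*             -/var/log/local5evtx
EOF
}

conf=$(mktemp)
sample_conf > "$conf"
for fac in local3 local5; do
    echo "$fac -> $(routes_for "$fac" "$conf" | tr '\n' ' ')"
done
rm -f "$conf"
```

To check the real file, call `routes_for local3 /etc/rsyslog.conf` after editing and before restarting rsyslog.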