Log management is a fundamental task that system administrators should be able to perform. The first step on the path to mastery is being able to configure the system to log to the desired locations. In this hands-on lab, we will configure rsyslog to filter certain logs to a location so they can be reviewed.
Successfully complete this lab by achieving the following learning objectives:
- Configure rsyslog to Send All `local3` Messages to `/var/log/local3evtx` and All `local5` Messages to `/var/log/local5evtx`
Change the configuration of rsyslog to route the
sudo vim /etc/rsyslog.conf
Edit the lines that contain the reference to the files, splitting each combined selector so that `local3` and `local5` get their own destinations. Change:
local2.*;local3.* -/var/log/localmessages
to:
local2.* -/var/log/localmessages
local3.* -/var/log/local3evtx
Then change:
local4.*;local5.* -/var/log/localmessages
to:
local4.* -/var/log/localmessages
local5.* -/var/log/local5evtx
Save and write the file.
sudo systemctl restart rsyslog
- Use the `logger` Command to Verify the Logs Are Being Routed Correctly
local5evt files do not exist:
Then have rsyslog route messages to the respective files:
sudo logger -p local3.info 'this is a test'
sudo logger -p local5.info 'this is a test'
Verify the files were both created and contain the test messages:
ls /var/log
sudo cat /var/log/local3evtx
sudo cat /var/log/local5evtx
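A static check to pair with the `logger` test, as an added example that is not part of the lab: it reads the selector lines and reports every file a facility reaches, so a facility that still lands in the shared `localmessages` file is caught. The function names `routes_for` and `moved_to` are hypothetical, and the sample config (including the catch-all `/var/log/messages` line) is constructed.

```shell
#!/bin/sh
# Added example (not from the lab): report which log files a syslog facility
# reaches through traditional "selector  action" lines in an rsyslog config.
# Simplified: priorities are ignored except ".none"; RainerScript is skipped.
routes_for() {  # usage: routes_for FACILITY CONFIG_FILE
    awk -v fac="$1" '
        /^[ \t]*(#|$)/ { next }                # comments and blank lines
        NF < 2 || $1 !~ /\./ { next }          # not a selector line
        {
            action = $2
            sub(/;.*/, "", action)             # drop a ";template" suffix
            if (action !~ /^-?\//) next        # keep file actions only
            sub(/^-/, "", action)              # leading "-" only disables sync
            hit = 0; n = split($1, sels, ";")
            for (i = 1; i <= n; i++) {         # later selectors override earlier
                split(sels[i], fp, "[.]")      # fp[1]=facilities, fp[2]=priority
                m = split(fp[1], facs, ",")
                for (j = 1; j <= m; j++)
                    if (facs[j] == fac || facs[j] == "*")
                        hit = (fp[2] == "none") ? 0 : 1
            }
            if (hit) print action
        }
    ' "$2"
}

# Succeeds when FACILITY reaches WANT and no longer reaches the shared OLD file.
moved_to() {  # usage: moved_to FACILITY WANT OLD CONFIG_FILE
    routes=$(routes_for "$1" "$4")
    echo "$routes" | grep -qxF -- "$2" && ! echo "$routes" | grep -qxF -- "$3"
}

# Constructed sample: an assumed catch-all line plus the lab's lines after the edit.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*.*;mail.none;news.none   -/var/log/messages
local2.*                  -/var/log/localmessages
local3.*                  -/var/log/local3evtx
local4.*                  -/var/log/localmessages
local5.*                  -/var/log/local5evtx
EOF
for f in local3 local5; do
    echo "$f -> $(routes_for "$f" "$sample" | tr '\n' ' ')"
done
```

On a real host, pass `/etc/rsyslog.conf` as the config file; `rsyslogd -N1` checks the file's syntax before the restart.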