
Chef Cookbook for Rsyslog

Log management is an area of operations that is often sorely lacking. For Linux/Unix systems, log management is much easier with a centralized syslog server. Yet many organizations don’t set one up. Oft-cited reasons are that Unix syslog is unreliable, insecure, or difficult to set up properly. However, some Linux distributions, for example Fedora, Debian and Ubuntu, are starting to replace the incumbent, difficult-to-manage syslog package, sysklogd, with Rsyslog. Rsyslog is designed for security and reliability, which squashes two of the reasons people don’t set up remote logging. Opscode has created an rsyslog cookbook for Chef which addresses the third reason.

Let’s start with the Opscode cookbooks from GitHub. We have three recipes we can use to set up Rsyslog. At the time of writing, this cookbook has only been tested on Ubuntu 8.10, but it should work anywhere Rsyslog packages are available, especially if the package manager cleanly replaces sysklogd.

Local Logging

The default rsyslog recipe will replace the existing sysklogd package and syslog daemon with rsyslog. Logging will be to the various /var/log files using the default configuration. On your nodes in the webui, or in site-cookbooks, simply include the ‘rsyslog’ recipe to set this up. As this was tested on Ubuntu 8.10, the configuration uses Ubuntu’s (i.e., Debian’s) logfile locations. For Red Hat derivatives, change the template to suit.

This is all fine and dandy, but it doesn’t address the centralized log management issue, so let’s look at a client/server setup.

Rsyslog Server

First, the server needs to be configured using the rsyslog::server recipe. If you add the rsyslog::server recipe via the webui, clients can use in-recipe node search. See Rsyslog Client below.

By default, rsyslog::server will set up rsyslog on TCP port 514, and create log files in /srv/rsyslog. Each client host’s logs will be stored with a directory-structured timestamp, for example:

  /srv/rsyslog/2009/04/07/ops1vm/messages

This is the /var/log/messages for host ops1vm, the rsyslog server itself. Log rotation is not necessary with this configuration, as log messages are stored by date. Handy! And finally, to address large log file issues, the server recipe includes a cron job that will compress logs.

Rsyslog Client

Once the server is up and running, you can configure clients to connect via the rsyslog::client recipe. The client recipe will set the remote server based on the node[:rsyslog][:server] attribute if set, or it will search for nodes that use the recipe rsyslog::server. If you’re using a site-cookbook to include_recipe "rsyslog::server", you’ll need to set the server attribute in the webui or in the rsyslog.rb attributes file, or modify the recipe search in the rsyslog::client recipe.

After adding the rsyslog::client recipe to the clients, we can see on the server that the client ubuntu2vm is now logging:

  /srv/rsyslog/2009/04/07/ubuntu2vm/messages
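Checking by eye works for one client; for a fleet, the same directory layout can be audited from a list of expected hosts. The Ruby below is an added example, not part of the Opscode cookbook. The host names web3vm and strayhost and the sample tree are constructed, and it assumes the day being checked has not yet been compressed by the server's cron job.

```ruby
require "date"
require "fileutils"
require "tmpdir"

# Path layout from the post: <root>/YYYY/MM/DD/<host>/messages
def client_log_path(root, date, host)
  File.join(root, date.strftime("%Y/%m/%d"), host, "messages")
end

# Classify each expected client for one day:
#   :ok      - messages file exists and has content
#   :empty   - file exists but nothing was written to it
#   :missing - no file for that day (client not forwarding, or name mismatch)
def audit_clients(root, date, expected_hosts)
  expected_hosts.each_with_object({}) do |host, report|
    path = client_log_path(root, date, host)
    report[host] =
      if !File.file?(path) then :missing
      elsif File.zero?(path) then :empty
      else :ok
      end
  end
end

# Host directories present for the day that nobody listed as expected.
def unexpected_hosts(root, date, expected_hosts)
  day_dir = File.join(root, date.strftime("%Y/%m/%d"))
  return [] unless File.directory?(day_dir)
  Dir.children(day_dir).select { |d| File.directory?(File.join(day_dir, d)) }.sort - expected_hosts
end

# Constructed sample tree: the two hosts from the post, one silent client,
# and one directory for a host that is not in the expected list.
def demo
  Dir.mktmpdir do |root|
    day = Date.new(2009, 4, 7)
    { "ops1vm" => "Apr  7 10:00:01 ops1vm cron[123]: constructed line\n",
      "ubuntu2vm" => "" }.each do |host, body|
      path = client_log_path(root, day, host)
      FileUtils.mkdir_p(File.dirname(path))
      File.write(path, body)
    end
    FileUtils.mkdir_p(File.join(root, "2009/04/07/strayhost"))
    expected = %w[ops1vm ubuntu2vm web3vm]
    [audit_clients(root, day, expected), unexpected_hosts(root, day, expected)]
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

On a real server, call audit_clients with "/srv/rsyslog", Date.today and your own host list. A :missing or :empty result means a gap in the central log record for that client.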

Rsyslog is very complex software and very extensible. We hope this cookbook makes it easier for you to get started deploying it for a centralized log management solution.

Joshua Timberman

Joshua Timberman is a Code Cleric at CHEF, where he Cures Technical Debt Wounds for 1d8+5 lines of code, casts Protection from Yaks, and otherwise helps continuously improve internal technical process.