How do I configure rsyslog server to accept incoming syslog messages from Swarm products?

This article assumes that you are running rsyslog on Redhat/CentOS.  The directives below use rsyslog's legacy ($-prefixed) configuration syntax, which later rsyslog versions still accept.

Edit the rsyslog.conf file at /etc/rsyslog.conf.

  • Uncomment the following lines so that rsyslog listens for inbound UDP syslog on port 514:
$ModLoad imudp.so
$UDPServerRun 514 
  • By default (the RSYSLOG_TraditionalFileFormat template), rsyslog writes a low-resolution timestamp and the hostname carried in the message, not the sender's IP address or the full timestamp the Swarm node itself sent.  Both are essential for troubleshooting.  To remedy this, change:

this:

#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

to this:

#### GLOBAL DIRECTIVES ####
$template CaringoFormat,"%fromhost-ip% %rawmsg%\n"
$ActionFileDefaultTemplate CaringoFormat
  • To create a log file for each Swarm product, configure one log file per logging facility (each product's facility is set in that product's own configuration, so the facilities below are examples).  For example:
local3.*                                    /var/log/caringo/scspproxy.log
local5.*                                    /var/log/caringo/cr.log
local6.*                                    /var/log/caringo/castor.log


  • Also add this to stop rate limiting of these messages:

$SystemLogRateLimitInterval 0

Note that this directive controls the rate limiting done by imuxsock, i.e. messages arriving on the local /dev/log socket (for example from an SCSP Proxy installed on the same host); messages arriving over UDP from the Swarm nodes are not rate limited by it.

  • Verify that port 514/udp is not blocked inbound.  Check iptables: the stock CentOS INPUT chain rejects it, so add an ACCEPT rule for 514/udp restricted to the Swarm storage network (UDP syslog is unauthenticated and its source address can be spoofed, so do not open the port to the world).  Check SELinux: rsyslog is allowed to bind 514/udp by default, but the log directory must carry the var_log_t context (restorecon -Rv /var/log/caringo fixes a mislabelled directory); denials appear in /var/log/audit/audit.log.
  • Always restart the rsyslog process after any change to rsyslog.conf.  Validate the file first with rsyslogd -N1, then type: service rsyslog restart
  • To create a log file based on any desired string in the log message itself, you can use a :msg property-based filter.  For example, to create a log file that only includes messages with the word "Trims" in it, you could use:

:msg, contains, "Trims"          /var/log/caringo/trims.log

This writes a copy; the message still continues to the rules that follow, so it also lands in its facility's log file.  It would match messages like these:

2012-05-25T16:00:51.625861-05:00 10.1.1.153 [21]     debug    : 00:51,602 HP DEBUG: Trims decidable locally / trims needed: 0/0
2012-05-25T16:00:52.507941-05:00 10.1.1.153 [21]     debug    : 00:52,484 HP DEBUG: Trims decidable locally / trims needed: 0/0

  • To filter out particular messages based on any desired string in the log message itself, use the same :msg filter with a tilde (the discard action) in place of the file name.  For example, to drop messages with the word "Trims" in them, you could use:
:msg, contains, "Trims" ~
  • A discard only affects the rules that follow it, so this line must come before the rule that writes the file; placed after local6.* /var/log/caringo/castor.log it would have no effect on castor.log.  (rsyslog 7 and later print a deprecation warning for ~ and prefer the equivalent "stop" action.)
  • To filter out the SCSP Proxy ANNOUNCE messages that may be polluting your log file, put these :msg lines at the top of the configuration, right after the template directives and before any rule that writes a file:
$template CaringoFormat,"%fromhost-ip% %rawmsg%\n"
$ActionFileDefaultTemplate CaringoFormat
:msg, contains, "Are we really paused?" ~
:msg, contains, "has paused its production of data for the requestor" ~
:msg, contains, "ANNOUNCE: None" ~
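Putting the steps above together, here is the complete set of Swarm-related lines in the order they should appear in /etc/rsyslog.conf.  This is a consolidated example written for this article, not a file shipped by Caringo or rsyslog: the facilities are the same illustrative ones used above, and the "& ~" lines (which keep the product messages out of /var/log/messages) are an addition you can drop if you also want them there.

```conf
#### MODULES ####
# imuxsock (local /dev/log) is already loaded by the stock config; add the UDP listener.
# The stock file may spell the module "imudp.so"; both forms load the same module.
$ModLoad imudp
$UDPServerRun 514

#### GLOBAL DIRECTIVES ####
# Sender IP plus the message exactly as received, instead of the traditional format
$template CaringoFormat,"%fromhost-ip% %rawmsg%\n"
$ActionFileDefaultTemplate CaringoFormat
# imuxsock rate limiting off (only affects the local socket, e.g. a local SCSP Proxy)
$SystemLogRateLimitInterval 0

#### RULES ####
# Discards first: a discard only affects the rules that follow it
:msg, contains, "Are we really paused?" ~
:msg, contains, "has paused its production of data for the requestor" ~
:msg, contains, "ANNOUNCE: None" ~

# Copy of every message mentioning "Trims" (the message continues to the rules below)
:msg, contains, "Trims"                     /var/log/caringo/trims.log

# One file per Swarm product, keyed by facility.  Keep this block ABOVE the stock
# "*.info;mail.none;authpriv.none;cron.none   /var/log/messages" rule.
# "& ~" repeats the previous selector and discards, so the message is not also
# written to /var/log/messages; remove those lines if you want it there too.
local3.*                                    /var/log/caringo/scspproxy.log
& ~
local5.*                                    /var/log/caringo/cr.log
& ~
local6.*                                    /var/log/caringo/castor.log
& ~
```

After saving, run rsyslogd -N1 to catch syntax errors before restarting the service.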

NOTE: Make sure that you include the logging directory and/or the specific log files in your logrotate configuration.  Otherwise the logs may grow out of control!  You can mirror what is done in the CSN.

Example: make sure that /etc/logrotate.conf includes:

include /etc/logrotate.d

And make sure that every product has its own file in /etc/logrotate.d, like /etc/logrotate.d/caringo-castor:

$ cat /etc/logrotate.d/caringo-castor
#
# CAStor logrotate.d file
#
#
/var/log/caringo/castor.log {
weekly
rotate 8
size 512M
compress
missingok
copytruncate
}

You can raise the number 8 above to however many rotated files you would like to keep, and add a file like this for each log you want rotated.  Two details of this file matter.  First, size and the weekly schedule are mutually exclusive in logrotate and the later directive wins, so with this file the log is rotated whenever it exceeds 512M regardless of the week (newer logrotate releases offer maxsize if you want both limits).  Second, copytruncate is needed because rsyslog keeps the file open; the alternative is a postrotate script that sends rsyslog a HUP so it reopens the renamed file.
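As an added helper written for this article (not part of Caringo's or rsyslog's own tooling), the shell script below lets you exercise a collector configured as described.  It computes the PRI value that rsyslog decodes to pick the facility file, builds and sends a test line over UDP from any host on the Swarm network (the send function relies on bash's /dev/udp pseudo-device, so invoke it with bash), and, run on the collector with the check argument, validates rsyslog.conf, confirms the listener, firewall and SELinux state, and dry-runs the logrotate file.  The facilities, port and paths are the ones used above; the tag swarmtest and the script name are arbitrary choices.

```shell
#!/bin/sh
# swarm-syslog-check.sh: test helper for an rsyslog collector set up per this article.
# Assumes port 514/udp, facilities local3/local5/local6 and /var/log/caringo as above.

# Numeric syslog facility for a local* facility name (RFC 3164: local0 = 16).
facility_num() {
    case "$1" in
        local0) echo 16 ;; local1) echo 17 ;; local2) echo 18 ;; local3) echo 19 ;;
        local4) echo 20 ;; local5) echo 21 ;; local6) echo 22 ;; local7) echo 23 ;;
        *) echo "unknown facility: $1" >&2; return 1 ;;
    esac
}

# Numeric syslog severity for a severity name.
severity_num() {
    case "$1" in
        emerg) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err) echo 3 ;;
        warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) echo "unknown severity: $1" >&2; return 1 ;;
    esac
}

# PRI value rsyslog decodes to route a message: facility * 8 + severity.
# local6.debug gives 183, which a "local6.*" rule sends to castor.log.
syslog_pri() {
    fac=$(facility_num "$1") || return 1
    sev=$(severity_num "$2") || return 1
    echo $(( fac * 8 + sev ))
}

# Build an RFC 3164 line: <PRI>TIMESTAMP HOST TAG: MSG
# (a real Swarm node sends its own high-resolution timestamp; this is only a test line).
build_message() {
    facility=$1; severity=$2; timestamp=$3; host=$4; tag=$5; text=$6
    pri=$(syslog_pri "$facility" "$severity") || return 1
    printf '<%s>%s %s %s: %s' "$pri" "$timestamp" "$host" "$tag" "$text"
}

# Send one test line to the collector over UDP using bash's /dev/udp (bash only).
# Usage: send_test_message COLLECTOR_IP local6 debug "some text"
send_test_message() {
    collector=$1; facility=$2; severity=$3; text=$4
    line=$(build_message "$facility" "$severity" "$(date '+%b %e %H:%M:%S')" \
                         "$(hostname)" swarmtest "$text") || return 1
    printf '%s\n' "$line" > "/dev/udp/$collector/514"
}

# Run on the collector itself: config syntax, listener, firewall, SELinux, logrotate dry run.
check_collector() {
    echo "== rsyslog.conf syntax check (exit status 0 means clean) =="
    rsyslogd -N1
    echo "== is rsyslog listening on 514/udp? =="
    netstat -ulnp 2>/dev/null | grep ':514 ' || ss -ulnp | grep ':514 '
    echo "== iptables rules mentioning 514 (should allow only the Swarm network) =="
    iptables -L INPUT -n | grep 514 || echo "no explicit rule for 514; the stock INPUT chain rejects it"
    echo "== SELinux mode and label on the log directory (expect var_log_t) =="
    getenforce
    ls -dZ /var/log/caringo
    echo "== logrotate dry run for the castor log =="
    logrotate -d /etc/logrotate.d/caringo-castor
}

# Dispatcher: no arguments means the functions are only defined, nothing runs.
case "${1:-}" in
    check) check_collector ;;
    send)  send_test_message "$2" "${3:-local6}" "${4:-debug}" "${5:-test message from $(hostname)}" ;;
esac
```

Run sh swarm-syslog-check.sh check on the collector first; then, from a host on the Swarm network, bash swarm-syslog-check.sh send COLLECTOR_IP local6 debug "hello" and confirm the line appears in /var/log/caringo/castor.log prefixed with that host's IP address, which proves the facility routing, the firewall path and the CaringoFormat template at once.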