= Linux/Rsyslog >v8.0 =
 * Links [[Linux/Rsyslog/Json|Json]] , [[https://www.rsyslog.com/doc/v8-stable/configuration/index.html]] , [[http://www.liblognorm.com/files/manual/lognormalizer.html]]
 * [[Linux/Rsyslog/Queues]]
 * As of 2021 there are two log systems in Linux: journalctl (part of systemctl) and rsyslog.
 * Rsyslog is normally used when log messages have to be modified and sent to other systems, or received from other systems.

== Description of Rsyslog ==
 * Rsyslog is an open-source high-performance logging utility.
   * Multithreaded log processing
   * TCP over SSL and TLS
   * Reliable Event Logging Protocol (RELP)
   * Flexible and configurable output formats
   * Filtering on all aspects of log messages

== Getting latest version ==
 * {{{
$ cd /etc/yum.repos.d/
$ wget http://rpms.adiscon.com/v8-stable/rsyslog.repo # for CentOS 7
$ wget http://rpms.adiscon.com/v8-stable/rsyslog-rhel7.repo # for RHEL 7
$ yum install rsyslog
}}}

== /etc/rsyslogd.conf ==
 * rsyslog fwd messages fail-over between servers [[Linux/Rsyslog/FailOver]]
 * rsyslog fwd rate limiting [[Linux/Rsyslog/RateLimiting]]
 * conf: get local log messages logged to /dev/log {{{
module(load="imuxsock")
# Load the module named imuxsock to receive messages via /dev/log.
# This is the default location for local programs using the syslog standard.
# Replaces the obsolete legacy format: $ModLoad imuxsock
}}}
 * conf: listen for incoming udp log messages {{{
module(load="imudp")
input(type="imudp" port="514")
}}}
 * conf: listen for tcp log, legacy and advanced {{{
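# Legacy format:
# $ModLoad imtcp
# $InputTCPMaxSessions 500
# This is converted to the advanced format:
module(load="imtcp" maxSessions="500")
# A listener is still needed to accept connections (port 514 is an assumed example):
input(type="imtcp" port="514")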
}}}
 * conf: include individual rsyslog config files {{{
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
}}}
 * conf: selector and action [basic format] {{{
*.=debug  /var/log/debug
# The selector is *.=debug, written as facility.priority.
#     The facility indicates where the message is sent from.
#     The priority indicates how important the message is.
#     Here, any debug messages will be sent to /var/log/debug

# Format [1]basic [2]basic+advanced [3]advanced
# [1]
mail.info   /var/log/maillog
# [2]
mail.info action(type="omfile" file="/var/log/maillog")
# [3]
if prifilt("mail.info") then {
     action(type="omfile" file="/var/log/maillog")
}

}}}
   * conf-test: *.=debug with {{{
$ logger -p daemon.debug "This is a test."
}}}
 * conf: Conditional Selectors, only udp input [advanced format] {{{
if $inputname == "imudp" then {
    action(type="omfile" file="/var/log/udp.log")
}
}}}
   * conf-test: {{{
$ logger -p daemon.debug -n 127.0.0.1 -P 514 -d "Sending this over UDP!"
}}}
 * conf: convert config to advanced format e.g.
   * Message processing stops at "& ~", which is equivalent to "& stop".
   * old/legacy format to file and host {{{
:msg, contains, "error" /var/log/errorlog
& @@remote
& ~
}}}
   * advanced format {{{
:msg, contains, "error" {
        action(type="omfile" file="/var/log/errorlog")
        # "@@remote" in the legacy form forwards over TCP (a single "@" would be UDP)
        action(type="omfwd" target="remote" protocol="tcp")
        stop
}
}}}

== Rsyslog log buffering ==
 * Location set by variable: $WorkDirectory /var/lib/rsyslog


== Notes setting up Rsyslog with Datadog ==

 * Send logs to TLS endpoint:  intake.logs.datadoghq.com:10516

==== Check for TLS connectivity and send test log message ====
 * {{{
$ echo "<DD-API> this is a test message for datadog $(date -Is)" | openssl s_client -showcerts -connect intake.logs.datadoghq.com:10516
}}}
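
An rsyslog configuration that forwards to the TLS endpoint above with certificate verification, and spools to the buffering directory from "Rsyslog log buffering" while the endpoint is unreachable. This is an added example, not taken from the original page or from Datadog; the file name, CA bundle path, template layout, queue name and queue size are assumptions.

```conf
# /etc/rsyslog.d/datadog.conf   (hypothetical file name)
# <DD-API> is the API-key placeholder used on this page. The file then holds a
# secret, so keep it owned by root with mode 0600.
# The gtls driver is shipped separately (package rsyslog-gnutls on RHEL/CentOS).

# Spool directory for disk-assisted queues (same value as $WorkDirectory) and
# the CA bundle used to verify the server certificate.
# Assumption: RHEL/CentOS bundle path; Debian/Ubuntu use
# /etc/ssl/certs/ca-certificates.crt
global(
    workDirectory="/var/lib/rsyslog"
    defaultNetstreamDriverCAFile="/etc/pki/tls/certs/ca-bundle.crt"
)

# Assumed message layout: API key first, as in the openssl test message,
# followed by an RFC 5424 style header.
template(name="DatadogFormat" type="string"
    string="<DD-API> <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% - - - %msg%\n")

# StreamDriverMode="1" makes TLS mandatory.
# StreamDriverAuthMode="x509/name" checks the server certificate against the CA
# bundle and its name against StreamDriverPermittedPeers. With "anon" the link
# would be encrypted but the peer unauthenticated, so an interceptor could
# collect both the logs and the API key.
action(
    type="omfwd"
    target="intake.logs.datadoghq.com"
    port="10516"
    protocol="tcp"
    template="DatadogFormat"
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="*.logs.datadoghq.com"
    # Disk-assisted queue: messages are written under workDirectory while the
    # endpoint is down and sent once it is reachable again.
    queue.type="LinkedList"
    queue.filename="datadog_fwd"
    queue.maxDiskSpace="1g"
    queue.saveOnShutdown="on"
    action.resumeRetryCount="-1"
)
```

Validate the file with `rsyslogd -N1` before restarting the service.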