Logging woes

Strator (Verified User, joined Jan 19, 2011, 250 messages)
Has anyone been able to find a satisfying way to setup logging for CentOS 7 & Directadmin?

http://www.tejasbarot.com/2014/07/22/rhel-7-centos-7-how-to-get-started-with-systemd/#axzz3J5htWFTm

If I understand this correctly, then it means that centralized logging with easy-to-access physical log files is history? Ouch.

Bigger problem than my personal taste: It seems like nobody told the other programs that are supposed to run on the same system. CSF is crying for log data, and I just don't know how to feed it ("Neither syslog nor rsyslog appear to be running"). /var/log is scarily empty, while in /var/log/directadmin there's a file with the fancy name of da-popb4smtp.log that is filling rapidly (2000 lines per hour) with identical "Cannot stat: /var/log/maillog : No such file or directory" entries. There's definitely more, but I don't dare to look.

Has anyone sorted out this mess yet, or can at least give me pointers where to start (e.g. what to fix and how, and what to ignore)? Thanks!

PS: Stumbled across this because I'm trying to get spamd to run and one of the instruction pages here advises to look into maillog - which, however, doesn't exist.
 
The following should fix your problem:
Code:
yum -y install rsyslog
systemctl enable rsyslog
systemctl start rsyslog

Journald has no persistent storage enabled by default. It's possible to change that in journald.conf, but it wouldn't make CSF or DA compatible with the logging format and new path. As data collected by journald is forwarded to rsyslog by default, it is the best way for having logs stored in text-files, especially when external programs rely on them.
 
I am afraid this isn't working. According to...

journalctl -u sshd |tail -100

...my server is subject to an onslaught of 50 tries per minute (=I guess that makes it around 70,000 per day?). Yet /var/log/secure is seeing nothing of it (and CSF isn't bothering either). And I don't know why, actually.

From rsyslog.conf:
authpriv.* /var/log/secure

From sshd_conf:
SyslogFacility AUTHPRIV

# /usr/sbin/rsyslogd
Already running. If you want to run multiple instances, you need to specify different pid files (use -i option)
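The two posts above boil down to one question: is rsyslog actually writing the text files that CSF and DirectAdmin read (authpriv to /var/log/secure, mail to /var/log/maillog)? The script below is an added example, not code from the thread or from rsyslog itself. It parses the legacy "selector  target" rules in rsyslog.conf (honouring "*" wildcards and "facility.none" exclusions, so authpriv is not reported as going to /var/log/messages), checks whether the target file is still being written, and, when run with --run on a real box, sends a tagged test message through logger and looks for it in the authpriv file. Assumptions: CentOS 7 paths, rsyslog rules written in /etc/rsyslog.conf itself (rules pulled in from /etc/rsyslog.d/*.conf are not parsed), and a find(1) that supports -mmin.

```shell
#!/bin/sh
# Added example (not from the thread): verify that rsyslog is producing
# the text logs CSF and DirectAdmin depend on. Assumes CentOS 7 layout and
# rsyslog's legacy "selector  target" rule syntax in /etc/rsyslog.conf.

# facility_target CONF FACILITY
# Print the file that CONF routes FACILITY to. A selector list such as
# "*.info;mail.none;authpriv.none" matches via "*" but is cancelled by
# an explicit "facility.none", which is how /var/log/messages excludes
# authpriv on CentOS 7.
facility_target() {
    awk -v fac="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            sel = $1; tgt = $2
            sub(/^-/, "", tgt)                 # "-/path" = buffered writes
            if (tgt !~ /^\//) next             # skip :omusrmsg:, @remote, ...
            matched = 0
            n = split(sel, parts, ";")
            for (i = 1; i <= n; i++) {
                split(parts[i], fp, ".")
                m = split(fp[1], facs, ",")    # "mail,authpriv.*" lists
                hit = 0
                for (j = 1; j <= m; j++)
                    if (facs[j] == fac || facs[j] == "*") hit = 1
                if (!hit) continue
                if (fp[2] == "none") { matched = 0; break }
                matched = 1
            }
            if (matched) print tgt
        }' "$1"
}

# log_is_live FILE MINUTES
# Succeed when FILE exists and was modified within the last MINUTES minutes.
# A file that sshd or the MTA logs to should never go stale on a busy host.
log_is_live() {
    [ -f "$1" ] && [ -n "$(find "$1" -mmin "-$2" 2>/dev/null)" ]
}

# check_pipeline [CONF]
# For the facilities the thread cares about, report where rsyslog writes
# them and whether that file is receiving data. Returns nonzero on any gap.
check_pipeline() {
    conf=${1:-/etc/rsyslog.conf}
    rc=0
    if command -v systemctl >/dev/null 2>&1 && ! systemctl is-active --quiet rsyslog; then
        echo "rsyslog is not active: systemctl enable rsyslog && systemctl start rsyslog"
        rc=1
    fi
    for fac in authpriv mail; do
        tgt=$(facility_target "$conf" "$fac")
        if [ -z "$tgt" ]; then
            echo "$fac: no file rule in $conf"; rc=1
        elif log_is_live "$tgt" 60; then
            echo "$fac -> $tgt (written within the last hour)"
        else
            echo "$fac -> $tgt is missing or stale: rsyslog is not receiving messages"; rc=1
        fi
    done
    return $rc
}

# probe_authpriv [CONF]
# Log a tagged message on the authpriv facility (same facility sshd uses
# with "SyslogFacility AUTHPRIV") and confirm it reaches the target file.
probe_authpriv() {
    tgt=$(facility_target "${1:-/etc/rsyslog.conf}" authpriv)
    token="logcheck-$$-$(date +%s)"
    logger -p authpriv.notice -t logcheck "$token"
    sleep 1
    grep -q "$token" "$tgt" && echo "authpriv probe landed in $tgt"
}

if [ "${1:-}" = "--run" ]; then
    check_pipeline && probe_authpriv
fi
```

Run it as `sh logcheck.sh --run`; a stale /var/log/secure while `journalctl -u sshd` is busy means journald is collecting but rsyslog is not being fed, which is exactly the state described in the post above.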
 
I managed to fix (?) this by changing the following setting in rsyslog.conf to "off":

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging off

The disturbing part is that, to my knowledge, turning this off makes no sense.

The good part is that CSF has finally picked up on the logs and is now blocking attackers.
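Whether the OmitLocalLogging change makes sense depends on which local input rsyslog is using, and the config answers that. The checker below is an added example, not code from the thread or from rsyslog, and it reads the legacy "$Directive value" syntax CentOS 7 ships. It classifies the local input path as journal (imjournal loaded and OmitLocalLogging on, the CentOS 7 default), socket (imuxsock active because OmitLocalLogging is off, the state after the post above), both, or none, and pairs that with journald's Storage and ForwardToSyslog keys. The "both" warning rests on my understanding of rsyslog's documentation that running imjournal alongside an active imuxsock can deliver each journald-forwarded message twice; treat it as a thing to verify on your own host. Rules and directives pulled in from /etc/rsyslog.d/*.conf are not followed.

```shell
#!/bin/sh
# Added example (not from the thread): report which local input path an
# rsyslog.conf enables, so a change to OmitLocalLogging can be verified.
# Assumes rsyslog's legacy "$Directive value" syntax (CentOS 7) and
# journald.conf written as "Key=Value" with no spaces around "=".

# directive CONF NAME -> value of "$NAME value"; last occurrence wins, empty if unset
directive() {
    awk -v name="\$$2" 'tolower($1) == tolower(name) { v = $2 } END { print v }' "$1"
}

# module_loaded CONF MODULE -> succeed when an uncommented "$ModLoad MODULE" exists
module_loaded() {
    awk -v mod="$2" 'tolower($1) == "$modload" && $2 == mod { found = 1 } END { exit !found }' "$1"
}

# journald_key CONF KEY -> value of an uncommented "Key=Value" line, empty if left at default
journald_key() {
    awk -F= -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# local_input RSYSLOG_CONF -> journal | socket | both | none
# imuxsock's OmitLocalLogging defaults to off, so an unset directive counts as
# an active socket listener.
local_input() {
    omit=$(directive "$1" OmitLocalLogging)
    j=0; s=0
    module_loaded "$1" imjournal && j=1
    if module_loaded "$1" imuxsock && [ "$omit" != "on" ]; then s=1; fi
    case "$j$s" in
        10) echo journal ;;
        01) echo socket ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# diagnose RSYSLOG_CONF JOURNALD_CONF
# Print the findings; return nonzero when no local messages can reach text files.
diagnose() {
    mode=$(local_input "$1")
    fwd=$(journald_key "$2" ForwardToSyslog)
    store=$(journald_key "$2" Storage)
    echo "rsyslog local input: $mode"
    echo "journald Storage=${store:-<default>} ForwardToSyslog=${fwd:-<default>}"
    case "$mode" in
        none)
            echo "nothing feeds rsyslog: load imjournal, or load imuxsock with OmitLocalLogging off"
            return 1 ;;
        socket)
            if [ "$fwd" = "no" ]; then
                echo "socket input only, but journald has ForwardToSyslog=no: rsyslog stays empty"
                return 1
            fi ;;
        both)
            echo "journal and socket input both active: check /var/log/secure for duplicated lines" ;;
    esac
    return 0
}

if [ "${1:-}" = "--run" ]; then
    diagnose /etc/rsyslog.conf /etc/systemd/journald.conf
fi
```

Running `sh rsyslog-input.sh --run` before and after editing rsyslog.conf shows the switch from journal to both; if the journal path alone left /var/log/secure empty, the imjournal side (its state file under $WorkDirectory, and whether the journal is readable at all) is where to keep looking rather than accepting the socket workaround without understanding it.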
 
Don't you see any entries in /var/log/secure?
Code:
grep sshd /var/log/secure
 
See post above - with OmitLocalLogging disabled, rsyslog is logging now.
 