Configuring rsyslog to split the logs by device IP and rotate the logs on a daily basis

The following steps apply to a new installation of Ubuntu 16 with the default rsyslog settings.

1. Modify the rsyslog configuration file, /etc/rsyslog.conf, and uncomment the settings for the UDP listener:

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

This instructs rsyslog to listen on UDP/514 for syslog messages. Adjust these settings if you need other ports, or if TCP is needed (see the "# provides TCP syslog reception" setting in the same file).

At the end of the file, after the line:

$IncludeConfig /etc/rsyslog.d/*.conf

Add:

$template DailyPerHost,"/var/log/syslog_devices/%HOSTNAME%/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log"
*.* -?DailyPerHost


These settings create an individual log for each logging device under the /var/log/syslog_devices folder. The logs are rotated on a daily basis. For example, a device with hostname asa5505.firegen.com logging on Feb 17, 2018 will be recorded under:

/var/log/syslog_devices/asa5505.firegen.com/asa5505.firegen.com-2018-02-17.log


The host name is obtained by reverse DNS; if reverse DNS is not available, the IP address is used. To use the IP address instead, replace %HOSTNAME% with %FROMHOST-IP%:

$template DailyPerHost,"/var/log/syslog_devices/%FROMHOST-IP%/%FROMHOST-IP%-%$YEAR%-%$MONTH%-%$DAY%.log"
*.* -?DailyPerHost

From my experience, the reverse DNS from rsyslog is not always reliable and you may end up with folders for both the IP address and the host name. For this reason, I am using the IP address if the host name is not needed.
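As an added example (not code from the original post), the script below models how the DailyPerHost template expands under both variants and reproduces the hostname/IP folder split described above when reverse DNS only sometimes resolves. The expansion is a simplified stand-in for rsyslog's property replacer covering only the five properties used here, the path-component check is an added sanity check, and the 192.0.2.10 address and message records are constructed sample data.

```python
from datetime import date
import re

# The two DailyPerHost template variants from the post.
TEMPLATE_HOSTNAME = "/var/log/syslog_devices/%HOSTNAME%/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log"
TEMPLATE_IP = "/var/log/syslog_devices/%FROMHOST-IP%/%FROMHOST-IP%-%$YEAR%-%$MONTH%-%$DAY%.log"

_PROP = re.compile(r"%(\$?[A-Z-]+)%")  # matches %HOSTNAME%, %FROMHOST-IP%, %$YEAR%, ...


def is_safe_component(value):
    """True if the value can be used as one path element without leaving its folder."""
    return bool(value) and value not in (".", "..") and "/" not in value and "\x00" not in value


def expand(template, hostname, from_ip, when):
    """Expand the subset of rsyslog properties the post's templates use (simplified model)."""
    for component in (hostname, from_ip):
        if not is_safe_component(component):
            raise ValueError(f"unsafe path component: {component!r}")
    props = {
        "HOSTNAME": hostname,
        "FROMHOST-IP": from_ip,
        "$YEAR": f"{when.year:04d}",
        "$MONTH": f"{when.month:02d}",
        "$DAY": f"{when.day:02d}",
    }
    return _PROP.sub(lambda m: props[m.group(1)], template)


def folders_per_device(records, template):
    """Map each source IP to the set of device folders its messages land in.
    A source with more than one folder is the hostname/IP split the post describes."""
    folders = {}
    for hostname, from_ip, when in records:
        path = expand(template, hostname, from_ip, when)
        folders.setdefault(from_ip, set()).add(path.rsplit("/", 1)[0])
    return folders


# Constructed sample: one ASA whose reverse DNS resolved for two messages and failed for one.
SAMPLE = [
    ("asa5505.firegen.com", "192.0.2.10", date(2018, 2, 17)),
    ("asa5505.firegen.com", "192.0.2.10", date(2018, 2, 18)),
    ("192.0.2.10", "192.0.2.10", date(2018, 2, 18)),
]

if __name__ == "__main__":
    for label, template in (("%HOSTNAME%", TEMPLATE_HOSTNAME), ("%FROMHOST-IP%", TEMPLATE_IP)):
        for ip, found in folders_per_device(SAMPLE, template).items():
            print(f"{label:14s} {ip} -> {sorted(found)}")
```

With the %HOSTNAME% template the single device ends up in two folders; with %FROMHOST-IP% it lands in one.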

Using the host name is useful if there is a need for a naming convention for specific devices. For example, if you want all the Cisco ASA firewall logs to be monitored and ingested by your SIEM, you can configure reverse DNS for your ASA firewalls so they all start with the same prefix, such as cisco_asa (cisco_asa_montreal01, cisco_asa_toronto02, etc.), and have the SIEM monitor /var/log/syslog_devices/cisco_asa_*. If IP addresses are used, it is more difficult to manage the aggregation of the log collection process.