Bug 15728 - Remote logging per UCR
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: univention-base-files
Version: UCS 3.1
Hardware: Other Linux
Importance: P5 enhancement
Target Milestone: UCS 4.1-4-errata
Assigned To: Philipp Hahn
QA Contact: Felix Botner
Blocks: 43125
Reported: 2009-09-24 17:28 CEST by Janis Meybohm
Modified: 2016-12-07 13:47 CET (History)
What kind of report is it?: Feature Request

Attachments
UCS template for remote logging /etc/rsyslog.d/remote-syslog.conf (552 bytes, text/plain)
2016-07-15 16:42 CEST, Daniel Orrego

Description Janis Meybohm univentionstaff 2009-09-24 17:28:33 CEST
It should be possible to enable remote logging via UCR in syslog.conf, or SYSLOGD="-r" in /etc/default/syslogd
Comment 1 Janis Meybohm univentionstaff 2009-09-24 17:32:38 CEST
(In reply to comment #0)
> It should be possible to enable remote logging via UCR in syslog.conf, or
> SYSLOGD="-r" in /etc/default/syslogd

Although the latter can be skipped, since /etc/init.d/sysklogd is a UCR template in which the defaults file is not sourced.
Comment 2 Stefan Gohmann univentionstaff 2012-12-19 09:50:32 CET
The UCC clients now use logger. It would therefore be practical if remote logging could be enabled directly when ucc-pxe-boot is installed.

By now rsyslogd is used.
Comment 3 Stefan Gohmann univentionstaff 2012-12-20 08:31:41 CET
This is how it can be enabled:

echo -e '$ModLoad imudp\n$UDPServerRun 514\n' >>/etc/rsyslog.d/ucc.conf
ucr set security/packetfilter/udp/514/all=ACCEPT
/etc/init.d/univention-firewall restart
/etc/init.d/rsyslog restart
Comment 4 Stefan Gohmann univentionstaff 2013-02-06 10:08:10 CET
The client side should also be controlled via UCR. This has already been done in UCC:
 https://forge.univention.org/websvn/filedetails.php?repname=dev&path=%2Fbranches%2Fucs-3.1%2Fucc%2Funivention-corporate-client%2Fconffiles%2Fetc%2Frsyslog.d%2F100-ucc.conf
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2013-05-08 14:53:14 CEST
(In reply to comment #3)
> This is how it can be enabled:
> 
> echo -e '$ModLoad imudp\n$UDPServerRun 514\n' >>/etc/rsyslog.d/ucc.conf
> ucr set security/packetfilter/udp/514/all=ACCEPT
           ↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑
Please use security/packetfilter/package/PAKETNAME/udp/514/all=ACCEPT.
The variant mentioned above is for customer-specific settings.
Comment 6 Moritz Muehlenhoff univentionstaff 2013-05-31 10:44:05 CEST
We will not ship a UCS 3.1-2 release; the next UCS release will be UCS 3.2.

As such, this bug is moved to the new target milestone.
Comment 7 Tim Petersen univentionstaff 2014-02-21 14:52:34 CET
Asked again by a customer
Comment 8 Philipp Hahn univentionstaff 2016-05-10 14:26:12 CEST
We had numerous (kernel) bugs in the past, where the /-filesystem was no longer writable and valuable information was lost because UCS does no remote logging:
Ticket #2016042621000189
Ticket #2016041221000419
Ticket #2016040721000198
Ticket #2016041221000419

See <http://sdb.univention.de/1362>:
> 3. Configure a central syslog server to collect syslog messages from all/other hosts in your domain.
> Setup one server (master) to store the log files:
>   printf '$ModLoad imudp\n$UDPServerRun 514\n' >/etc/rsyslog.d/ucs-logserver.conf
>   ucr set security/packetfilter/package/rsyslog/udp/514/all{=ACCEPT,/en=syslog}
>   /etc/init.d/rsyslog restart
>   /etc/init.d/univention-firewall restart
>
> Configure all other servers to send their syslog data to that server:
>   printf '*.* @%s\n' "$(dig +short +search master)" >/etc/rsyslog.d/ucs-remotelog.conf
>   /etc/init.d/rsyslog restart

That should be configurable via UCR and policy.
Comment 9 Daniel Orrego univentionstaff 2016-07-15 16:42:58 CEST
Created attachment 7808
UCS template for remote logging /etc/rsyslog.d/remote-syslog.conf

A simple UCS template to enable a UCS system to send logs remotely (as for rsyslog 4.6.4 in UCS 3.X). It includes a failover host and a local buffer file, in case the remote servers are unreachable, as in http://wiki.rsyslog.com/index.php/FailoverSyslogServer

UCR variables:
[syslog/remote/destination]
Description[de]=Zielsystem für die Syslog-Umleitung.  Z.B. 192.168.225.122:5514
Description[en]=Target server for the syslog redirection.  E.g. 192.168.225.122:5514
Type=str
Categories=system-base

[syslog/remote/destination/failover]
Description[de]=Ersatzziele, sollte der erste Server nicht erreichbar sein.  Server sind separiert durch Leerzeichen
Description[en]=Additional servers that are used as fail over in case of unavailability of the first one.  Servers are separated by blanks
Type=str
Categories=system-base

[syslog/remote/channels]
Description[de]=Syslog Channels die an den entfernten Server weitergeleitet werden.  Standard: *.*
Description[en]=Syslog channels that will be redirected to the receiving host.  Default *.*
Type=str
Categories=system-base

---
Notice that syslog/destination and syslog/destination/failover "support" extra options like sending the port or the format template of rsyslog (and override the default in /etc/rsyslog.conf). So one can do ucr set syslog/remote/destination='192.168.24.10:1514;RSYSLOG_FileFormat' to change the remote port to 1514 and the log format to RSYSLOG_FileFormat.
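
A sketch of how values like the ones in Comment 9 can be turned into a legacy-syntax rsyslog failover rule. This is an added example, not the attached template: the function name, the TCP (@@) transport, the buffer path and the two failover addresses are assumptions.

```shell
#!/bin/sh
# Added example, not the attached template. Arguments mirror the UCR
# variables above; @@ (TCP) and the buffer path are assumptions.

render_remote_syslog() {
    channels=${1:-*.*}   # syslog/remote/channels
    destination=$2       # syslog/remote/destination: host[:port][;template]
    failover=$3          # syslog/remote/destination/failover, blank-separated
    buffer=${4:-/var/log/remote-syslog-buffer.log}   # hypothetical path

    # Nothing configured: emit no rule, logging stays local.
    [ -n "$destination" ] || return 0

    # The values land verbatim in an rsyslog config file, so accept only
    # selector, host, port and template characters. A newline or "$" in a
    # value would otherwise add directives of its own.
    case $channels in
        *[!A-Za-z0-9.*\;,!=-]*) echo "bad channels" >&2; return 1 ;;
    esac
    case $destination in
        *[!A-Za-z0-9.:\;_-]*) echo "bad destination" >&2; return 1 ;;
    esac
    case $failover in
        *[!A-Za-z0-9.:\;_\ -]*) echo "bad failover list" >&2; return 1 ;;
    esac

    printf '%s @@%s\n' "$channels" "$destination"
    # Each following "&" action runs only while the previous one is suspended.
    printf '%s\n' '$ActionExecOnlyWhenPreviousIsSuspended on'
    for host in $failover; do
        printf '& @@%s\n' "$host"
    done
    # Last resort: local buffer file when every remote target is down.
    printf '& %s\n' "$buffer"
    printf '%s\n' '$ActionExecOnlyWhenPreviousIsSuspended off'
}

# Constructed sample call; the first target is the one from the comment.
render_remote_syslog '*.*' '192.168.24.10:1514;RSYSLOG_FileFormat' \
    '192.168.24.11:1514 192.168.24.12:1514'
```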
Comment 10 Nico Stöckigt univentionstaff 2016-09-16 15:45:21 CEST
and again the /-filesystem was no longer writable and valuable information was lost because UCS does no remote logging: Ticket#2016091621002544
Comment 11 Stefan Gohmann univentionstaff 2016-10-04 13:10:59 CEST
See also Bug #41815.
Comment 12 Philipp Hahn univentionstaff 2016-12-02 10:05:39 CET
4.1-4:
r74914 | Bug #15728 base: Enable remote syslog logging
4.2-0:
r74925 | Bug #15728 base: Fix minor issues
r74924 | Bug #15728 base: Enable remote syslog logging

Package: univention-base-files
Version: 5.0.1-3.217.201612011627
Version: 5.0.1-4.218.201612020906
Branch: ucs_4.1-0
Scope: errata4.1-4

r74921 | Bug #15728,Bug #41815,Bug #41816: base YAML
 univention-base-files.yaml

TEST:
@server:
 ucr set syslog/input/udp=514 syslog/input/tcp=10514 syslog/input/relp=2514
 rsyslogd -N 1 -d | grep NOT
 /etc/init.d/univention-firewall restart
 /etc/init.d/rsyslog restart
 tail -f /var/log/user.log

@client
 ucr set syslog/remote=@@10.200.17.28:10514 syslog/remote/fallback='@10.200.17.29:514 /var/log/failed'
 rsyslogd -N 1 -d | grep NOT
 logger Test3
 ssh 10.200.17.28  /etc/init.d/rsyslog stop
 logger Fallback

 univention-install rsyslog-relp
 ucr set syslog/remote=:omrelp:10.200.17.28:2514
 logger RELP
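
The action strings used as values in the test above (@ for UDP, @@ for TCP, :omrelp: for RELP, a path for a local file) can be decoded and checked before they are set. This is an added example, not project code; the function names and the warning rule are assumptions. UDP carries no acknowledgement, so an unreachable receiver is not reliably detected and actions placed after a UDP target may never run.

```shell
#!/bin/sh
# Added example: decode rsyslog action strings such as the values of
# syslog/remote and syslog/remote/fallback. Function names are hypothetical;
# the addresses are the ones used in the test above.

# Print "<transport> <target>" for a single action.
describe_action() {
    case $1 in
        :omrelp:*) echo "relp ${1#:omrelp:}" ;;   # RELP output module
        @@*)       echo "tcp ${1#@@}" ;;          # plain TCP forwarding
        @*)        echo "udp ${1#@}" ;;           # UDP forwarding
        /*)        echo "file $1" ;;              # local file action
        *)         echo "unknown $1"; return 1 ;;
    esac
}

# Print one line per action of the chain (primary, then fallbacks).
# Returns 1 if an action is unknown or a UDP action precedes other actions.
audit_chain() {
    set -f                  # treat the values as data, not glob patterns
    set -- $1 $2            # primary followed by blank-separated fallbacks
    set +f
    rc=0
    while [ $# -gt 0 ]; do
        desc=$(describe_action "$1") || rc=1
        if [ "${desc%% *}" = udp ] && [ $# -gt 1 ]; then
            desc="$desc WARN:udp-before-fallback"
            rc=1
        fi
        echo "$desc"
        shift
    done
    return $rc
}

# Values from the client test above.
audit_chain '@@10.200.17.28:10514' '@10.200.17.29:514 /var/log/failed' || true
```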
Comment 13 Felix Botner univentionstaff 2016-12-05 14:34:49 CET
OK - univention-base-files.yaml
OK - remote logging 
OK - merged to 4.2-0
Comment 14 Janek Walkenhorst univentionstaff 2016-12-07 13:47:58 CET
<http://errata.software-univention.de/ucs/4.1/353.html>