Router
Syslog Settings
Configure the router to send log messages to a remote server.
syslog debug off
syslog info off
syslog notice on
nat descriptor log on
syslog host [XXX.XXX.XXX.XXX]
syslog facility local4
The syslog facility is set to local4. We can configure these logs to be written to a custom log file.
Stop logging DNS lookups
ip filter dynamic [num] * * domain
Change the above line to
ip filter dynamic [num] * * domain syslog=off
Linux Server
I am running Debian / Buster with rsyslog.
Back up the old config file
cp /etc/rsyslog.conf /etc/rsyslog.conf.orig
Edit the config file
Uncomment the following lines
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
So they become
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
Add local4 to config file
# RTX1200 Log
local4.* /var/log/rtx1200.log
Restart rsyslog
systemctl enable rsyslog
systemctl restart rsyslog
Firewall
If you have a firewall between the router and the logging server, you will need to allow tcp and udp on port 514.
Rotating your new logs
Create a new file called /etc/logrotate.d/rtx1200
Contents
/var/log/rtx1200.log {
daily
rotate 30
compress
ifempty
dateext
create
postrotate
# Old format
# kill -HUP `cat /var/run/syslogd.pid`
# New Debian / Buster
/usr/lib/rsyslog/rsyslog-rotate
endscript
}
Checking and Testing
Check the output of the following two commands. The first (-d) is a debug dry run that changes nothing; the second (-f) forces a rotation.
logrotate -d /etc/logrotate.d/rtx1200
logrotate -f /etc/logrotate.d/rtx1200
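To check the receiving side as well, the following added example (not part of the original page) decodes the PRI header of a syslog datagram to confirm it carries facility local4, which is what the local4.* rule matches, and can send a test local4.notice message over UDP. The tag rtx-test, the function names and the sample payloads are constructed for illustration.

```python
import socket
from datetime import datetime

LOCAL4 = 20  # facility code for local4; PRI = facility * 8 + severity
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample payloads (not captured from a real router).
SAMPLES = [
    b"<165>Jan  1 00:00:00 rtx1200 constructed sample from the router",
    b"<13>Jan  1 00:00:00 otherhost app: constructed sample, facility user",
    b"constructed sample with no PRI header",
]

def decode_pri(datagram: bytes):
    """Return (facility_code, severity_name) from a raw syslog datagram."""
    end = datagram.find(b">", 1, 5)  # PRI is at most "<191>"
    if not datagram.startswith(b"<") or end == -1 or not datagram[1:end].isdigit():
        raise ValueError("missing or malformed PRI header")
    pri = int(datagram[1:end])
    if pri > 191:
        raise ValueError("PRI out of range")
    return pri // 8, SEVERITIES[pri % 8]

def matches_local4(datagram: bytes) -> bool:
    """True if the 'local4.*' selector would route this message to rtx1200.log."""
    try:
        return decode_pri(datagram)[0] == LOCAL4
    except ValueError:
        return False

def build_test_message(severity="notice", tag="rtx-test", text="syslog path check"):
    """Build an RFC 3164 style datagram with facility local4."""
    pri = LOCAL4 * 8 + SEVERITIES.index(severity)
    now = datetime.now()
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<{pri}>{stamp} {socket.gethostname()} {tag}: {text}".encode()

def send_test(server: str, port: int = 514) -> None:
    """Send one local4.notice datagram over UDP to the log server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(build_test_message(), (server, port))

if __name__ == "__main__":
    for sample in SAMPLES:
        print(matches_local4(sample), sample.decode())
```

After calling send_test() with the log server's address, a line tagged rtx-test should appear in /var/log/rtx1200.log; if it does not, check the firewall rule and the rsyslog listener before looking at the router.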