Server Upgrade Part 5: rsyslog

Now that mail is running in a container, logwatch is a lot less interesting, because the log data is no longer visible on the host (the container has the logs). One option is to map the log files from the container into the host's log directory, but that could get messy. It seems like a better idea to build out an rsyslog setup that flows logs from the container into the host.

To start with I needed to understand rsyslog a bit better. Then I came across a post that does pretty much what I'm trying to accomplish: Docker containers sending logs to the host with rsyslog.

Before we configure the container, we need to get our host machine accepting rsyslog input. That means enabling remote reception over TCP or UDP on the host. I'll stick with just TCP for my initial setup.

Edit /etc/rsyslog.conf. Near the top you'll find a comment about TCP reception; uncomment the pair of lines below it:

and then restart the service to pick up the new config:

I'm using a firewall on the host, so I'll also have to open up the firewall so that the container can reach this new port. Whenever we touch the firewall, we should pause and think about the security implications.

In my case, the machine with the open port sits behind my router, which also runs a firewall. So while we're punching a hole in the host firewall, there is still another firewall between us and the big bad internet.

At this point our host machine has rsyslog running and waiting for traffic. Now let’s take a look at the mail server container and change it to flow logs to the host rsyslog.

It turns out the client side is really easy, but you do have to be aware of whether you chose UDP or TCP. Inside the container, we modify our Dockerfile to create an /etc/rsyslog.d/10-rsyslog.conf file that looks like:

If you are using TCP, use @@; for UDP, just a single @. You also need to use the actual hostname of the host machine (the one we configured with rsyslog just above). We need to rebuild and restart the container to activate the rsyslog configuration.
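As an added example (not the post's own configuration), the following shell functions render the three pieces of this setup from a protocol choice: the host-side listener, a firewall rule that only admits the Docker bridge subnet rather than the whole world, and the container-side forwarding line with @@ for TCP or @ for UDP. The hostname mailhost, the bridge address 172.17.0.1, the subnet 172.17.0.0/16 and the ufw firewall are assumptions.

```shell
#!/bin/sh
# Added example: render rsyslog host/container config and a firewall rule.
# All hostnames, addresses and the ufw firewall are assumed, not from the post.

# Host side: the listener module and input that /etc/rsyslog.conf has commented out.
# Optional third argument binds the listener to one local address (e.g. the Docker bridge).
render_host_conf() {  # usage: render_host_conf tcp|udp [port] [bind-address]
  local proto=$1 port=${2:-514} addr=${3:-} mod
  case "$proto" in
    tcp) mod=imtcp ;;
    udp) mod=imudp ;;
    *) echo "unknown protocol: $proto" >&2; return 1 ;;
  esac
  printf 'module(load="%s")\n' "$mod"
  if [ -n "$addr" ]; then
    printf 'input(type="%s" port="%s" address="%s")\n' "$mod" "$port" "$addr"
  else
    printf 'input(type="%s" port="%s")\n' "$mod" "$port"
  fi
}

# Firewall: admit only the container subnet to the syslog port, not 0.0.0.0/0.
render_firewall_rule() {  # usage: render_firewall_rule tcp|udp [port] [source-cidr]
  local proto=$1 port=${2:-514} src=${3:-172.17.0.0/16}
  case "$proto" in tcp|udp) ;; *) return 1 ;; esac
  printf 'ufw allow from %s to any port %s proto %s\n' "$src" "$port" "$proto"
}

# Container side: the one line for /etc/rsyslog.d/10-rsyslog.conf.
# TCP targets use the @@ prefix, UDP targets a single @.
render_client_conf() {  # usage: render_client_conf tcp|udp <host> [port]
  local proto=$1 host=$2 port=${3:-514} prefix
  case "$proto" in
    tcp) prefix='@@' ;;
    udp) prefix='@' ;;
    *) echo "unknown protocol: $proto" >&2; return 1 ;;
  esac
  printf '*.* %s%s:%s\n' "$prefix" "$host" "$port"
}

# Demo: TCP-only setup, listener bound to the assumed Docker bridge address.
render_host_conf tcp 514 172.17.0.1
render_firewall_rule tcp 514 172.17.0.0/16
render_client_conf tcp mailhost
```

The host fragment can be dropped into /etc/rsyslog.d/ instead of editing rsyslog.conf directly; the client line is what the Dockerfile writes into the container.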

Back on the host, we see data showing up with the container's hostname in the logs. If we look in /var/log/syslog on the host, we see the rsyslogd startup message from the mail container:


There are plenty of other log messages related to the mail container's startup as well.

We can also emit log messages manually from the client inside the container, by shelling into the container and running logger:

and in /var/log/syslog on the host we see:

Logwatch should now be a lot more interesting.
