Now that mail is running in a container, logwatch is a lot less interesting because log data is not visible on the host (the container has the logs). One option is to\u00a0map the log files from the container into the host logs, but this might get messy. It seems like a better idea to build out an rsyslog setup to flow logs from the container into the host.<\/p>\n
To start with I needed to understand rsyslog<\/a> a bit better<\/a>. Then I came across a post<\/a> that does pretty much what I’m trying to accomplish, docker containers sending logs to the host with rsyslog.<\/p>\n Before we configure the container, we need to get our host machine accepting rsyslog input. We’ll\u00a0need to turn on one of TCP or UDP remote access on the host. I’ll stick with just TCP for my initial setup.<\/p>\n Edit \/etc\/rsyslog.conf, you’ll find a comment near the top about TCP reception, uncomment the pair of lines below it<\/p>\n and then restart the service to pick up the new config<\/p>\n I’m using a firewall on the host so I’ll also\u00a0have to open up the firewall so that things can see this new port. When we do firewall stuff, we should always pause and think about the security implications here.<\/p>\n In my case, the machine that has the port open will be behind my router, which also runs a firewall. So while we’re punching a hole in the firewall, we actually have another firewall protecting us from the big bad internet.<\/p>\n At this point our host machine has\u00a0rsyslog running and waiting for traffic. Now let’s take a look at the mail server container and change it to flow logs to the host rsyslog.<\/p>\n It turns out\u00a0the client is really easy, but you do have to be aware of UDP or TCP. \u00a0Inside the container – we modify our Dockerfile to create an \/etc\/rsyslog.d\/10-rsyslog.conf file that looks like:<\/p>\n If you are using TCP, use both @@ – for UDP just a single @. You also need to use the actual hostname of the host machine (the one we configured with rsyslog just above). We need\u00a0rebuild and\u00a0restart the container to activate the rsyslog configuration.<\/p>\n Back on the host, we see data showing up with the container hostname in the logs. If we look on the host machine in \/var\/log\/syslog we see rsyslogd startup from the mail container:<\/p>\n <\/p>\n There are plenty of other log messages related to the mail container start up as well.<\/p>\n We could\u00a0manually emit some log messages from the client inside the container, by shelling into the container and\u00a0running logger.<\/p>\n and in \/var\/log\/syslog on the host we see..<\/p>\n Logwatch should be a lot more interesting<\/p>\n","protected":false},"excerpt":{"rendered":" Now that mail is running in a container, logwatch is a lot less interesting because log data is not visible on the host (the container has the logs). One option is to\u00a0map the log files from the container into the host logs, but this might get messy. It seems like a better idea to build … Continue reading “Server Upgrade Part 5: rsyslog”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-1576","post","type-post","status-publish","format-standard","hentry","category-computing"],"_links":{"self":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/1576","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/comments?post=1576"}],"version-history":[{"count":2,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/1576\/revisions"}],"predecessor-version":[{"id":1578,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/1576\/revisions\/1578"}],"wp:attachment":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/media?parent=1576"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/categories?post=1576"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/tags?post=1576"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}# provides TCP syslog reception\r\nmodule(load=\"imtcp\")\r\ninput(type=\"imtcp\" port=\"514\")<\/pre>\n
$ sudo service rsyslog restart<\/pre>\n
$ sudo ufw allow 514<\/pre>\n
# Send all logs to the host\r\n*.* @@myhost:514\r\n<\/pre>\n
Mar 12 02:17:36 mail rsyslogd: rsyslogd's groupid changed to 104\r\nMar 12 02:17:36 mail rsyslogd: rsyslogd's userid changed to 101\r\n<\/pre>\n
$ docker exec -it emailcontainer bash\r\nroot@mail:\/# logger testing over tcp<\/pre>\n
Mar 12 02:30:20 mail logger: testing over tcp<\/pre>\n