up

Author: blotus

crowdsec-docs/unversioned/user_guides/log_centralization.md

@@ -65,6 +65,23 @@ Finally, restart rsyslog to use the new configuration:
 systemctl restart rsyslog
 ```
 
+We will also setup logrotate to avoid filling our disk with the logs. Create a file `/etc/logrotate.d/remote-logs` with the following content:
+```
+/var/log/remote-logs/*/*.log {
+    daily
+    rotate 7
+    compress
+    missingok
+    notifempty
+    create 0640 syslog adm
+    sharedscripts
+    postrotate
+        /bin/systemctl reload rsyslog.service > /dev/null 2>&1 || true
+    endscript
+}
+```
+
+This will keep 7 days of compressed logs. 
 
 ## Rsyslog Client Setup
 
@@ -76,6 +93,8 @@ access_log syslog:server=<central-server-ip>;
 error_log syslog:server=<central-server-ip>;
 ```
 
+As nginx supports multiple `access_log` and `error_log` directives, you can keep the existing directives to still have a local copy of the logs. 
+
 ### Auth logs
 
 Create a file `/etc/rsyslog.d/99-auth-forward.conf` with the following content:
@@ -124,8 +143,6 @@ labels:
  type: syslog
 ```
 
-
-
 Note that we are setting the type label to `syslog`. This will instruct crowdsec to use the `syslog` parser to extract the actual type from the log itself.
 
 Then, we need to install the nginx collection for crowdsec to be able to detect attacks: