MonitorWare Knowledge Base

We are evaluating rsyslog and syslog-ng for a multiplatform deployment. Each of the platforms will have the same rsyslog.conf file. Platforms are running CentOS linux. We are evaluating Rsyslog-3.18.2

The platforms will receive syslog from serveral Cisco Servers. We want to use unique locations for messages from each server and to that end have used one of the Wiki configs that uses the scripting language of rsyslog to do this.

The problem we are running into is that we would like the locally generated syslog to go to the traditional linux locations (/var/log/messages etc) and the script example attempts to do that, but it relies on the idea that the syslog "source" tag will be "localhost". In our case, the "source" contains the System hostname which is different for each box.

We would like to eliminate as many specially customized files to build one of these platforms. So the question is this.

Is there away to capture the hostname of the platform within the rsyslog.conf file and then use that in the compare against "source" to determine if the syslog message is local or not?

Ie something like

#Get hostname from shell command
my_hostname='hostname'

if \
$source == $my_hostname \
and ( \
$syslogseverity-text == 'info' \
or \
$syslogseverity-text == 'notice' \
) \
and ( \
$syslogfacility-text != 'mail' \
and \
$syslogfacility-text != 'authpriv' \
and \
$syslogfacility-text != 'cron' \
) \
then /var/log/messages

• Custom written rsyslog.conf?
• Maintenance Contract?
• Installation support?

No, though I think some sort of $localhost variable would be really handy.

You can usually approximate this functionality by checking whether the fromhost-ip property equals 127.0.0.1.

Code: Select all

if \
$source == $my_hostname \
and ( \
$syslogseverity-text == 'info' \
or \
$syslogseverity-text == 'notice' \
) \
and ( \
$syslogfacility-text != 'mail' \
and \
$syslogfacility-text != 'authpriv' \
and \
$syslogfacility-text != 'cron' \
) \
then /var/log/messages
We are evaluating rsyslog and syslog-ng for a multiplatform deployment. Each of the platforms will have the same rsyslog.conf file. Platforms are running CentOS linux. We are evaluating Rsyslog-3.18.2

The platforms will receive syslog from serveral Cisco Servers. We want to use unique locations for messages from each server and to that end have used one of the Wiki configs that uses the scripting language of rsyslog to do this.

The problem we are running into is that we would like the locally generated syslog to go to the traditional linux locations (/var/log/messages etc) and the script example attempts to do that, but it relies on the idea that the syslog "source" tag will be "localhost". In our case, the "source" contains the System hostname which is different for each box.

We would like to eliminate as many specially customized files to build one of these platforms. So the question is this.

Is there away to capture the hostname of the platform within the rsyslog.conf file and then use that in the compare against "source" to determine if the syslog message is local or not?

Ie something like

#Get hostname from shell command
my_hostname='hostname'

if \
$fromhost_ip == "127.0.0.1" \
and ( \
$syslogseverity-text == 'info' \
or \
$syslogseverity-text == 'notice' \
) \
and ( \
$syslogfacility-text != 'mail' \
and \
$syslogfacility-text != 'authpriv' \
and \
$syslogfacility-text != 'cron' \
) \
then /var/log/messages



-HKS

I will givethe fromhost-ip a try but that property is not documented as one of the available ones in the property replacer part of the documentation (3.18.2) There is a fromhost property. No fromhost-ip that I see. Thanks

Which documentation are you checking? It's right below fromhost in http://www.rsyslog.com/doc-property_replacer.html

-HKS

Has this sufficiently well being solved in the meantime? rsyslog obviously has the information of where the messages originated from. I could simply expose that via a property, that would not be a big change. For example, I could include the name of the input that generated the messsage (imklog and imuxsock should always spell as "local system").

Thanks,
Rainer

That could be a very useful property.

-HKS

OK, I'll add such a property with the next iteration and then we'll see how it works out

Rainer

This is now done, property name is "inputname". It is available as part of a preview:

http://download.rsyslog.com/rsyslog/rsy ... st1.tar.gz

Official will be part of 3.21.5.

Feedback is appreciated.

Thanks,
Rainer