rsyslogd location

Post by animation101 » Mon Apr 27, 2009 11:02 pm

Hello, I am coming from a syslog-ug / syslog background so please excuse me in advance.

Our environment: we have a central syslog (now rsyslogd) server that we send all of the logs from multiple Linux servers to (mostly Debian-based, but a few CentOS servers as well).

When the logs arrive at the server from the clients, they all seem to be going to /var/log/messages. What I would like to have happen is that they go to the appropriate log file on the remote server, i.e. the clients' CRON logs will be sent to the CRON log on the server.

Re: rsyslogd location

Post by animation101 » Tue Apr 28, 2009 2:25 am

Sorry, the above should be syslog-ng, not ug; I hit send too quickly.

Here is the server's config file:

# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance

# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
# You may need to set the module load path if modules are not found.

$ModLoad immark # provides --MARK-- message capability
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # kernel logging (formerly provided by rklogd)

$template remote-messages,"/var/rsyslog-remote/%HOSTNAME%/%$YEAR%/%$MONTH%/messages-%$NOW%"
#$template remote-secure,"/var/rsyslog-remote/%HOSTNAME%/%$YEAR%/%$MONTH%/secure-%$NOW%"
#$template remote-maillog,"/var/rsyslog-remote/%HOSTNAME%/%$YEAR%/%$MONTH%/maillog-%$NOW%"
#$template remote-cron,"/var/rsyslog-remote/%HOSTNAME%/%$YEAR%/%$MONTH%/cron-%$NOW%"
#$template remote-spooler,"/var/rsyslog-remote/%HOSTNAME%/%$YEAR%/%$MONTH%/spooler-%$NOW%"
#$template remote-bootlog,"/var/rsyslog-remote/%HOSTNAME%/%$YEAR%/%$MONTH%/boot.log-%$NOW%"


# Log all kernel messages to the console.
# Logging much else clutters up the screen.
kern.*;*.info;mail.none;news.none;authpriv.none;cron.none ?DynFile.messages
& /var/log/messages

#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none -/var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* -/var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit -/var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /rsyslog/spool # where to place spool files
#$ActionQueueFileName uniqName # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514

# ######### Receiving Messages from Remote Hosts ##########
# TCP Syslog Server:
# provides TCP syslog reception and GSS-API (if compiled to support it)
$ModLoad imtcp.so # load module
$InputTCPServerRun 514 # start up TCP listener at port 514

# UDP Syslog Server:
#$ModLoad imudp.so # provides UDP syslog reception
#$UDPServerRun 514 # start a UDP syslog server at standard port 514

Re: rsyslogd location

Post by rgerhards » Tue Apr 28, 2009 8:10 am

You just need to apply the proper filtering. Let's start with cron, which actually is already in your config, just with a static filename.

You have

# Log cron stuff
cron.* -/var/log/cron

where /var/log/cron is the static filename. I assume you want to have the dynamic filename that you defined a template for instead. So you just need to change that to

# Log cron stuff
cron.* ?remote-cron

The same goes for the other things. Off the top of my head, mail is "mail.*"; for the others you need to know the facility names or find another way to identify them (if they do not have a unique facility).

I also suggest having a look at the config samples at http://wiki.rsyslog.com - I guess these will be helpful.

HTH
Rainer
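
The routing described in the reply above, carried through for the facilities in the posted config, as an added example that is not part of the original thread. The posted config points its first rule at ?DynFile.messages, a template name it never defines, and leaves the per-facility templates commented out; this fragment assumes the same directory layout and the legacy directive syntax shown in the thread.

```conf
# Added example (not from the thread). Legacy rsyslog directive syntax, same
# directory layout as the posted config.

# A "?name" action only works if a template with exactly that name is defined
# and not commented out, and the definition must come before the rule.
$template remote-messages,"/var/rsyslog-remote/%HOSTNAME%/%$YEAR%/%$MONTH%/messages-%$NOW%"
$template remote-secure,"/var/rsyslog-remote/%HOSTNAME%/%$YEAR%/%$MONTH%/secure-%$NOW%"
$template remote-maillog,"/var/rsyslog-remote/%HOSTNAME%/%$YEAR%/%$MONTH%/maillog-%$NOW%"
$template remote-cron,"/var/rsyslog-remote/%HOSTNAME%/%$YEAR%/%$MONTH%/cron-%$NOW%"

# %HOSTNAME% is the hostname field carried in the message, so the sending
# side chooses it. To name directories after the address the receiver saw on
# the connection, use fromhost-ip instead (assumption: the installed version
# provides that property):
#$template remote-cron,"/var/rsyslog-remote/%fromhost-ip%/%$YEAR%/%$MONTH%/cron-%$NOW%"

# One selector per facility, each pointing at its dynamic file template.
authpriv.*                                  ?remote-secure
mail.*                                      ?remote-maillog
cron.*                                      ?remote-cron

# Everything else of level info or higher; the .none entries keep the
# facilities routed above out of the catch-all file.
*.info;mail.none;authpriv.none;cron.none    ?remote-messages
```

These rules take the place of the static-file lines for the same selectors. Messages generated on the server itself match them too and land under the server's own hostname.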