remote logs in separate logfiles

Postby mejo on Fri Sep 05, 2008 9:23 pm

Hello,

I just configured my rsyslog server (version 3.18.2) as a central syslog server. I also managed to write logs from remote clients into separate logfiles.

Unfortunately still all logs from remote hosts are written to the default logfiles like /var/log/syslog,messages,auth.log,kern.log etc. as well.

How can I configure my syslog server to use the default logfiles only for local logmessages, and write logs from remote hosts only to the separate remote logfiles?

Please see my current rsyslog.conf attached below. I run debian/etch with a backported version of rsyslog 3.18.2. Remote connections use stunnel for encryption.

Thanks in advance.

# cat /etc/rsyslog.conf
#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 61514

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use default timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640

$template DYNauth,"/var/log/remote/%HOSTNAME%/auth.log"
$template DYNcron,"/var/log/remote/%HOSTNAME%/cron.log"
$template DYNdaemon,"/var/log/remote/%HOSTNAME%/daemon.log"
$template DYNdebug,"/var/log/remote/%HOSTNAME%/debug"
$template DYNkern,"/var/log/remote/%HOSTNAME%/kern.log"
$template DYNlpr,"/var/log/remote/%HOSTNAME%/lpr.log"
$template DYNmailerr,"/var/log/remote/%HOSTNAME%/mail.err"
$template DYNmaillog,"/var/log/remote/%HOSTNAME%/mail.log"
$template DYNmailinfo,"/var/log/remote/%HOSTNAME%/mail.info"
$template DYNmailwarn,"/var/log/remote/%HOSTNAME%/mail.warn"
$template DYNmessages,"/var/log/remote/%HOSTNAME%/messages"
$template DYNnewscrit,"/var/log/remote/%HOSTNAME%/news.crit"
$template DYNnewserr,"/var/log/remote/%HOSTNAME%/news.err"
$template DYNnewsnotice,"/var/log/remote/%HOSTNAME%/news.notice"
$template DYNsyslog,"/var/log/remote/%HOSTNAME%/syslog"
$template DYNuser,"/var/log/remote/%HOSTNAME%/user.log"

###############
#### RULES ####
###############

#
# First some standard log files. Log by facility.
#
auth,authpriv.* ?DYNauth
*.*;auth,authpriv.none -?DYNsyslog
#cron.* ?DYNcron
daemon.* -?DYNdaemon
kern.* -?DYNkern
lpr.* -?DYNlpr
mail.* -?DYNmaillog
user.* -?DYNuser

#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -?DYNmailinfo
mail.warn -?DYNmailwarn
mail.err ?DYNmailerr

#
# Logging for INN news system.
#
news.crit ?DYNnewscrit
news.err ?DYNnewserr
news.notice ?DYNnewsnotice

#
# Some "catch-all" log files.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -?DYNdebug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -?DYNmessages

#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log

#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err

#
# Logging for INN news system.
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice

#
# Some "catch-all" log files.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg *

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.err;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole

Re: remote logs in separate logfiles

Postby hkspvt on Mon Sep 08, 2008 4:01 pm

There's a couple ways you can do this, but I prefer the standard +/- hostname syntax:

Code:
# ----------------------------------------
# Local logs
# ----------------------------------------
+mylocalhostname

<selector lines>

# ----------------------------------------
# Remote logs
# ----------------------------------------
-mylocalhostname

<selector lines>


You do have to explicitly define mylocalhostname, so you'll need to change this for every server receiving remote logs.

-HKS
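The host-block skeleton from the reply above, filled in with a few of the selector lines from mejo's configuration (an added example, not part of the original posts). `loghost` is a placeholder for the receiving server's own hostname; the remaining facilities follow the same pattern.

```conf
# "loghost" is a placeholder: use the server's own hostname exactly as it
# appears in the HOSTNAME field of its locally generated messages.

# Templates are global directives and stay outside the host blocks.
$template DYNauth,"/var/log/remote/%HOSTNAME%/auth.log"
$template DYNsyslog,"/var/log/remote/%HOSTNAME%/syslog"
$template DYNkern,"/var/log/remote/%HOSTNAME%/kern.log"
$template DYNmaillog,"/var/log/remote/%HOSTNAME%/mail.log"

# ----------------------------------------
# Local logs: only messages whose hostname is loghost
# ----------------------------------------
+loghost
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
kern.*                          -/var/log/kern.log
mail.*                          -/var/log/mail.log

# ----------------------------------------
# Remote logs: every hostname except loghost
# ----------------------------------------
-loghost
auth,authpriv.*                 ?DYNauth
*.*;auth,authpriv.none          -?DYNsyslog
kern.*                          -?DYNkern
mail.*                          -?DYNmaillog

# ----------------------------------------
# Reset the host filter so the rules below apply to all hosts again
# ----------------------------------------
+*
*.emerg                         *
```

The blocks match on the hostname carried in each message, so the local files stay local only as long as no remote client reports itself as `loghost`.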

Re: remote logs in separate logfiles

Postby rgerhards on Wed Sep 10, 2008 3:02 pm

I just made a code addition. There is now a system property "$myhostname" which contains the local hostname as it knows itself. I think this is useful for such situations. But, for conceptual reasons, it does not work with bsd-style host blocks.

It is not yet officially released, but if you would like to try it out, here is a preview:

http://download.rsyslog.com/rsyslog/rsy ... st1.tar.gz

Feedback would be appreciated.

Thanks,
Rainer

Re: remote logs in separate logfiles

Postby mejo on Thu Sep 11, 2008 10:26 am

hkspvt wrote: There's a couple ways you can do this, but I prefer the standard +/- hostname syntax:

Code:
# ----------------------------------------
# Local logs
# ----------------------------------------
+mylocalhostname

<selector lines>

# ----------------------------------------
# Remote logs
# ----------------------------------------
-mylocalhostname

<selector lines>


You do have to explicitly define mylocalhostname, so you'll need to change this for every server receiving remote logs.


Great, that's exactly what I was searching for. Thanks for the hint. I failed to find that in the rsyslog documentation though. Is it documented somewhere? Or is this part of the compatible syslog configuration syntax?

rgerhards, thanks for adding $mylocalhostname, but unfortunately I'm not able to test the new prerelease, as the server in question is a production server where I don't want to compile anything from source. That's the reason why I still run rsyslog 3.18.2.

greetings,
mejo

Re: remote logs in separate logfiles

Postby rgerhards on Thu Sep 11, 2008 12:04 pm

mejo wrote: Great, that's exactly what I was searching for. Thanks for the hint. I failed to find that in the rsyslog documentation though. Is it documented somewhere? Or is this part of the compatible syslog configuration syntax?


It is documented in the rsyslog.conf doc (http://www.rsyslog.com/doc-rsyslog_conf.html) - search for "Filter Conditions" and then go to "Blocks" directly below it.

HTH
Rainer