LinuxQuestions.org
Old 02-01-2013, 04:58 AM   #1
sandeep_hello
Member
 
Registered: Feb 2008
Posts: 62

Rep: Reputation: 1
Syslog configuration in Redhat linux


I have configured a syslog server on Red Hat Linux, but now I want to create a separate file for each client that is sending logs to the syslog server.

Please suggest if it is possible.
 
Old 02-01-2013, 07:41 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,718
Blog Entries: 54

Rep: Reputation: 2967
Rsyslogd (see the documentation or the rsyslogd web site wrt templates) and syslog-ng are capable of doing that but the "traditional" syslog daemon isn't.
So until you clarify which one you use the answer is "it depends" ;-p
 
Old 02-09-2013, 01:46 PM   #3
sandeep_hello
Member
 
Registered: Feb 2008
Posts: 62

Original Poster
Rep: Reputation: 1
Thanks Mate.

I am trying to configure centralized logging for VMware ESX servers on RHEL5 but am facing an issue with log filtering. Logs are coming to single file only.

Suppose the log pattern of the VMware logs is:

2013-02-06T17:05:35.360Z station1 vmkwarning: cpu8:2196)WARNING: NMP: vmk_NmpSatpIssueTUR:1018:Device naa.60060e80164cd50000014cd50000a210 path vmhba1:C0:T0:L16 has been unmapped from the array
2013-02-06T17:05:35.360Z station1 vmkernel: cpu8:2196)WARNING: NMP: vmk_NmpSatpIssueTUR:1018:Device naa.60060e80164cd50000014cd50000a210 path vmhba1:C0:T0:L16 has been unmapped from the array
2013-02-06T17:05:35.360Z station1 vmkwarning: cpu2:4914516)WARNING: NMP: vmk_NmpSatpIssueTUR:1018:Device naa.60060e80164cd50000014cd50000a211 path vmhba1:C0:T0:L17 has been unmapped from the array
2013-02-06T17:05:35.360Z station1 vmkernel: cpu2:4914516)WARNING: NMP: vmk_NmpSatpIssueTUR:1018:Device naa.60060e80164cd50000014cd50000a211 path vmhba1:C0:T0:L17 has been unmapped from the array
2013-02-06T17:01:07.862Z station2 Vpxa: [FFF05B90 verbose 'Default'] Set internal stats for VM: 4 (vpxa VM id), 36757 (vpxd VM id). Is FT primary? 0
2013-02-06T17:01:07.863Z station2 Vpxa: [FFF05B90 verbose 'Default'] Set internal stats for VM: 6 (vpxa VM id), 57881 (vpxd VM id). Is FT primary? 0
2013-02-07T01:42:30.200Z station2 Hostd: [63962B90 verbose 'SoapAdapter'] Responded to service state request
2013-02-07T01:42:42.627Z station2 Hostd: [63E5FB90 verbose 'DvsManager'] PersistAllDvsInfo called
2013-02-07T01:42:42.935Z station3 Hostd: [63921B90 verbose 'DvsTracker'] FetchSwitches: added 2 items

Here I want to create a different file for each filter, i.e.

Hostd:
vmkwarning:
vmkernel:
Vpxa:


My syslog configuration for remote logging is


Quote:
#============================================================================================
$ModLoad imudp.so
$UDPServerRun 514

#Client logging
$FileOwner root
$FileGroup root
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

$template DYNHostd,"/var/log/remotelog/%HOSTNAME%/hostd.log"
$template DYNvmkernel,"/var/log/remotelog/%HOSTNAME%/vmkernel.log"
$template DYNvmkwarning,"/var/log/remotelog/%HOSTNAME%/vmkwarning.log"
$template DYNVpxa,"/var/log/remotelog/%HOSTNAME%/vpxa.log"
$template DYNcommonlog,"/var/log/remotelog/%HOSTNAME%/common.log"
if $source != '127.0.0.1' and $msg contains 'Hostd:' then ?DYNHostd
if $source != '127.0.0.1' and $msg contains 'vmkernel:' then ?DYNvmkernel
if $source != '127.0.0.1' and $msg contains 'vmkwarning:' then ?DYNvmkwarning
if $source != '127.0.0.1' and $msg contains 'Vpxa:' then ?DYNvpxa
if $source != '127.0.0.1' then ?DYNcommonlog

#============================================================================================
So please suggest.

Last edited by sandeep_hello; 02-09-2013 at 01:47 PM.
 
Old 02-09-2013, 04:46 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,718
Blog Entries: 54

Rep: Reputation: 2967
Quote:
Originally Posted by sandeep_hello
Logs are coming to single file only.

So what modifications did you test to fix this? And please don't post a partial rsyslog.conf.
 
Old 02-11-2013, 04:19 AM   #5
sandeep_hello
Member
 
Registered: Feb 2008
Posts: 62

Original Poster
Rep: Reputation: 1
Actually I have not done anything to fix the issue. I am just seeking information, in case someone can help me solve my issue by suggesting a parameter for my current configuration.

Currently logging is happening successfully, but I want to differentiate the logs on the basis of the client log content.

Please suggest if it is possible in my rsyslog configuration.
 
Old 02-11-2013, 09:30 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,718
Blog Entries: 54

Rep: Reputation: 2967
Prohibit messages from hitting the next filter with "& ~". Please confirm if that works. If it doesn't then 0) check your system logs for clues, 1) run a check (see 'man rsyslog.conf' for "-d" and "-N") and 2) post debug output and your complete /etc/rsyslog.conf and /etc/rsyslog.d/ contents.
 
Old 02-12-2013, 03:43 AM   #7
sandeep_hello
Member
 
Registered: Feb 2008
Posts: 62

Original Poster
Rep: Reputation: 1
Please find the rsyslog.conf

Quote:
$ModLoad imudp.so
$ModLoad imuxsock.so
$ModLoad imklog.so
$UDPSeverAddress *
$UDPServerRun 514

#============================================================================================
#Client logging
$FileOwner root
$FileGroup root
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

$template DYNhostd,"/var/log/remotelog/%HOSTNAME%/hostd.log"
$template DYNvmkernel,"/var/log/remotelog/%HOSTNAME%/vmkernel.log"
$template DYNvmkwarning,"/var/log/remotelog/%HOSTNAME%/vmkwarning.log"
$template DYNvpxa,"/var/log/remotelog/%HOSTNAME%/vpxa.log"
$template DYNcommonlog,"/var/log/remotelog/%HOSTNAME%/common.log"
if $source != '127.0.0.1' and $msg contains 'hostd' then ?DYNHostd
& ~
if $source != '127.0.0.1' and $msg contains 'vmkernel' then ?DYNvmkernel
& ~
if $source != '127.0.0.1' and $msg contains 'vmkwarning' then ?DYNvmkwarning
& ~
if $source != '127.0.0.1' and $msg contains 'vpxa' then ?DYNvpxa
& ~
if $source != '127.0.0.1' then ?DYNcommonlog
& ~


#============================================================================================

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

/etc/sysconfig/rsyslog

Quote:
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -rPortNumber Enables logging from remote machines. The listener will listen to the specified port.
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
#SYSLOGD_OPTIONS="-m 0"
SYSLOGD_OPTIONS=" -r -m 2"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

and debug output


Quote:
rsyslogd: WARNING: rsyslogd is running in compatibility mode. Automatically generated config directives may interfer with your rsyslog.conf settings. We suggest upgrading your config and adding -c3 as the first rsyslogd option.
rsyslogd: invalid or yet-unknown config file command - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
rsyslogd: the last error occured in /etc/rsyslog.conf, line 4
rsyslogd: invalid or yet-unknown config file command - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
rsyslogd: the last error occured in /etc/rsyslog.conf, line 14
rsyslogd: invalid or yet-unknown config file command - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
rsyslogd: the last error occured in /etc/rsyslog.conf, line 15
rsyslogd: Could not find template 'DYNHostd' - action disabled
[try http://www.rsyslog.com/e/3003 ]
rsyslogd: the last error occured in /etc/rsyslog.conf, line 22
rsyslogd: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2123 ]
rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad immark
rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: MarkMessagePeriod 1200
rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad imuxsock

Last edited by sandeep_hello; 02-12-2013 at 03:58 AM.
 
Old 02-12-2013, 06:38 AM   #8
sandeep_hello
Member
 
Registered: Feb 2008
Posts: 62

Original Poster
Rep: Reputation: 1
Thanks for giving me the hint; I finally got the solution.

I just need to make a little change to rsyslog.conf.


My configuration file is

Quote:
$ModLoad imudp.so
$ModLoad imuxsock.so
$ModLoad imklog.so
$UDPServerAddress *
$UDPServerRun 514

#============================================================================================
#Client logging
$FileOwner root
$FileGroup root
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

$template DYNHostd,"/var/log/remotelog/%HOSTNAME%/hostd.log"
if $programname contains 'Hostd' then ?DYNHostd
& ~
$template DYNvmkernel,"/var/log/remotelog/%HOSTNAME%/vmkernel.log"
if $programname contains 'vmkernel' then ?DYNvmkernel
& ~
$template DYNvmkwarning,"/var/log/remotelog/%HOSTNAME%/vmkwarning.log"
if $programname contains 'vmkwarning' then ?DYNvmkwarning
& ~
$template DYNvpxa,"/var/log/remotelog/%HOSTNAME%/vpxa.log"
if $programname contains 'Vpxa' then ?DYNvpxa
& ~
$template DYNcommonlog,"/var/log/remotelog/%HOSTNAME%/common.log"
if $source != '127.0.0.1' then ?DYNcommonlog
& ~



#============================================================================================

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log
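
Added example, not part of any post in this thread: a small Python model of the filter chains from posts #3 and #8, run over sample lines. It shows why the `$msg contains 'Hostd:'` style rules do not match these messages (the program tag is parsed out of the message text into `$programname`) and how `& ~` keeps a matched message out of common.log. The parser is a simplified stand-in for rsyslog's own, and the function names and the sshd line are assumptions.

```python
import re

# Constructed sample: three lines shortened from the ESX messages quoted in
# post #3, plus one made-up sshd line to exercise the catch-all rule.
SAMPLE = [
    "2013-02-06T17:05:35.360Z station1 vmkwarning: cpu8:2196)WARNING: NMP: "
    "path vmhba1:C0:T0:L16 has been unmapped from the array",
    "2013-02-07T01:42:42.935Z station3 Hostd: [63921B90 verbose 'DvsTracker'] "
    "FetchSwitches: added 2 items",
    "2013-02-06T17:01:07.862Z station2 Vpxa: [FFF05B90 verbose 'Default'] "
    "Set internal stats for VM: 4 (vpxa VM id)",
    "2013-02-07T01:50:00.000Z station2 sshd[4242]: Accepted publickey for root",
]

# timestamp, hostname, TAG (program name plus optional [pid]), message text
LINE = re.compile(r"^\S+ (?P<hostname>\S+) "
                  r"(?P<programname>[^\s:\[]+)(?:\[\d+\])?: ?(?P<msg>.*)$")

def parse(line):
    """Split a line into the properties the filters test (simplified)."""
    m = LINE.match(line)
    if m is None:
        raise ValueError("not a syslog line: %r" % line)
    return m.groupdict()

FILES = [("Hostd", "hostd.log"), ("vmkernel", "vmkernel.log"),
         ("vmkwarning", "vmkwarning.log"), ("Vpxa", "vpxa.log")]
# Post #3 tested the message text; post #8 tests the parsed program name.
RULES_POST3 = [("msg", name + ":", fname) for name, fname in FILES]
RULES_POST8 = [("programname", name, fname) for name, fname in FILES]

def route(line, rules, discard=True):
    """Return the files one message is written to.

    discard=True models '& ~' after each rule: the first match wins and the
    message never reaches the catch-all. All sample lines are assumed remote,
    so the "$source != '127.0.0.1'" test is always true here.
    """
    fields = parse(line)
    base = "/var/log/remotelog/%s/" % fields["hostname"]
    written = []
    for prop, needle, fname in rules:
        if needle in fields[prop]:          # 'contains' is case-sensitive
            written.append(base + fname)
            if discard:
                return written
    written.append(base + "common.log")     # catch-all rule
    return written

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(route(sample_line, RULES_POST3, discard=False),
              route(sample_line, RULES_POST8))
```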
 