I have my Ubuntu (12.04) workstation set up to receive syslog messages from other devices. I was trying to get the rsyslog to generate separate log files for the other devices based on hostname, but leave its own internal logs as is. What's happening at this point is that all the syslog entries are going into the default syslog log file as well as going into the individual host-based log files.
In the rsyslog.conf file, I added the following template:
Quote:
###########################
#### GLOBAL DIRECTIVES ####
###########################
# Template to generate the log file name dynamically
$template FILENAME,"/var/log/homeagent/%HOSTNAME%.syslog.log"
*.* ?FILENAME
It kind of works, but it's generating a new file even for the localhost, and it's still putting everything in the /var/log/syslog file. What am I missing to get it to not log the other hosts in /var/log/syslog?
Does this help at all? It certainly isn't much like your specific scenario, but perhaps the use of the if statements will work.
Storing Messages from a Remote System into a Specific File
This is a log-consolidation scenario. There exist at least two systems, a server and at least one client. The server is meant to gather log data from all the clients. Clients may (or may not) process and store messages locally. If they do, it doesn’t matter here. See recipe Sending Messages to a Remote Syslog Server for how to configure the clients.
Messages from remote hosts in the 192.0.1.x network shall be written to one file and messages from remote hosts in the 192.0.2.x network shall be written to another file.
Things to think about
TCP reception is not a built-in capability. You need to load the imtcp plugin in order to enable it. This needs to be done only once in rsyslog.conf. Do it right at the top.
Note that the server port address specified in $InputTCPServerRun must match the port address that the clients send messages to.
Config Statements
$ModLoad imtcp
$InputTCPServerRun 10514
# do this in FRONT of the local/regular rules
if $fromhost-ip startswith '192.0.1.' then /var/log/network1.log
& ~
if $fromhost-ip startswith '192.0.2.' then /var/log/network2.log
& ~
# local/regular rules, like
*.* /var/log/syslog.log
How it works
It is important that the rules processing the remote messages come before any rules to process local messages. The if’s above check if a message originates on the network in question and, if so, write it to the appropriate log. The next line ("& ~") is important: it tells rsyslog to stop processing the message after it was written to the log. As such, these messages will not reach the local part. Without that "& ~", messages would also be written to the local files.
Also note that in the filter there is a dot after the last number in the IP address. This is important to get reliable filters. For example, both of the addresses "192.0.1.1" and "192.0.10.1" start with "192.0.1" but only one actually starts with "192.0.1."!
I had seen that post in my searches, along with others, and it did help somewhat, though as you said it is not the same as my situation. While I could set it up to search for specific things as this post says, I would have to change the rsyslog.conf file every time an IP address was added or changed. Utilizing the %hostname% helps with that.
I noticed that the example includes "& ~" after each line. What does that do?
Ok - after a thorough reading, the & ~ is supposed to stop processing the message. I've changed my rsyslog.conf to be as follows:
Quote:
# Template to generate the log file name dynamically
$template FILENAME,"/var/log/homeagent/%HOSTNAME%.log"
if $fromhost-ip startswith '172.16' then ?FILENAME
& ~
#
This seems to work better. I don't get a separate file for the local workstation, however the other devices still appear in the local syslog file as well as in the individual logs. It almost seems like the messages keep processing even though I have the & ~ in there.
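Added example, not part of the thread and not rsyslog's own code: a small Python model of the top-to-bottom rule processing the quoted recipe describes, showing how rule order, "& ~" and the trailing dot in a startswith prefix change where a message lands. The rule lists, helper names and sample messages are constructed for illustration, and 127.0.0.1 stands in for locally generated messages.

```python
# Simplified model of rsyslog's top-to-bottom rule processing (not rsyslog code).
DISCARD = None  # action standing in for the "& ~" line

def from_net(prefix):
    """Models: if $fromhost-ip startswith '<prefix>'"""
    return lambda msg: msg["fromhost-ip"].startswith(prefix)

def everything(msg):
    """Models the *.* selector."""
    return True

def per_host(msg):
    """Models ?FILENAME with the %HOSTNAME% template from the thread."""
    return "/var/log/homeagent/%s.log" % msg["hostname"]

def route(rules, msg):
    """Return the files one message is written to, in rule order."""
    written = []
    for matches, action in rules:
        if not matches(msg):
            continue
        if action is DISCARD:
            break  # "& ~": stop processing, later rules never see the message
        written.append(action(msg) if callable(action) else action)
    return written

def remote_rules(prefix):
    """The filter line plus its '& ~' line, as in the recipe."""
    return [(from_net(prefix), per_host), (from_net(prefix), DISCARD)]

LOCAL = [(everything, "/var/log/syslog")]

# Constructed sample messages (addresses and hostnames are made up).
REMOTE = {"fromhost-ip": "172.16.4.20", "hostname": "router1"}
LOCALHOST = {"fromhost-ip": "127.0.0.1", "hostname": "workstation"}
OTHER_NET = {"fromhost-ip": "172.160.9.9", "hostname": "stranger"}

def demo():
    return {
        "remote_first": route(remote_rules("172.16.") + LOCAL, REMOTE),
        "local_first": route(LOCAL + remote_rules("172.16."), REMOTE),
        "localhost": route(remote_rules("172.16.") + LOCAL, LOCALHOST),
        "loose_prefix": route(remote_rules("172.16") + LOCAL, OTHER_NET),
        "strict_prefix": route(remote_rules("172.16.") + LOCAL, OTHER_NET),
    }

if __name__ == "__main__":
    for name, files in demo().items():
        print(name, files)
```

In this model, a catch-all rule evaluated before the remote rule writes the message to both files, and the prefix '172.16' without a trailing dot also matches 172.160.9.9.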