Quote:
Originally Posted by plisken
When I did that, all logs went to that file, all local logs
You're doing nothing wrong. As it turns out, Linux's sysklogd doesn't support host-level filtering as do some other syslog daemons and OSes. But it should!
So, your use-case inspired me to review code logic in other projects and adapt something similar for use on Slackware's sysklogd. I was greatly inspired by BSD's codebase for how to achieve this.
I make this alpha implementation available to the Slackware community via two patches that apply to either sysklogd-1.4.1 or sysklogd-1.5.
The syntax is very simple.
+<host/ip> all following rules apply only if host matches
-<host/ip> all following rules apply only if host doesn't match
Note: the "%" host stands for the local machine name and a + or - host directive remains active until the next + or - host directive is found. Not specifying any +/- host directives in /etc/syslog.conf means syslog operates as it would without the patch.
I welcome testers and bug reporters and I hope others find this useful.
There are a few limitations in this alpha. First, one can only specify one originating host at a time. However, clever rule ordering should minimize this limitation.
Also, there's no name resolution, so the host or ip has to match exactly.
For example, if the messages from the router come in as follows, the match has to be against "192.168.1.1".
Code:
Jul 17 15:03:07 192.168.1.1 -- MARK --
If you've added an entry to /etc/hosts though and the messages appear as below then the match has to be against "router".
Code:
Jul 17 15:03:07 router -- MARK --
--mancha
Below is an example /etc/syslog.conf for the OP's specific requirement (additions to the stock Slackware conf file in blue):
Code:
# /etc/syslog.conf
# For info about the format of this file, see "man syslog.conf"
# and /usr/doc/sysklogd/README.linux. Note the '-' prefixing some
# of these entries; this omits syncing the file after every logging.
# In the event of a crash, some log information might be lost, so
# if this is a concern to you then you might want to remove the '-'.
# Be advised this will cause a performance loss if you're using
# programs that do heavy logging.
# Set the permitted hostname for the following rules to
# the local machine name
+%
# Uncomment this to see kernel messages on the console.
#kern.* /dev/console
# Log anything 'info' or higher, but lower than 'warn'.
# Exclude authpriv, cron, mail, and news. These are logged elsewhere.
*.info;*.!warn;\
authpriv.none;cron.none;mail.none;news.none -/var/log/messages
# Log anything 'warn' or higher.
# Exclude authpriv, cron, mail, and news. These are logged elsewhere.
*.warn;\
authpriv.none;cron.none;mail.none;news.none -/var/log/syslog
# Debugging information is logged here.
*.=debug -/var/log/debug
# Private authentication message logging:
authpriv.* -/var/log/secure
# Cron related logs:
cron.* -/var/log/cron
# Mail related logs:
mail.* -/var/log/maillog
# Emergency level messages go to all users:
*.emerg *
# This log is for news and uucp errors:
uucp,news.crit -/var/log/spooler
# Uncomment these if you'd like INN to keep logs on everything.
# You won't need this if you don't run INN (the InterNetNews daemon).
#news.=crit -/var/log/news/news.crit
#news.=err -/var/log/news/news.err
#news.notice -/var/log/news/news.notice
# Log all messages (all facilities and priorities) from
# 192.168.1.1 to /var/log/router.log
+192.168.1.1
*.* -/var/log/router.log
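As an added example (not mancha's patch or any sysklogd code), the following Python simulator applies the +host/-host semantics described above to a constructed, trimmed-down syslog.conf and reports where a given message would land, which is a handy way to sanity-check rule ordering before restarting the daemon. LOCAL_HOST is an assumed name standing in for what "%" expands to, and the selector handling follows the stock file's comments (priority and above, "!" excluding priority and above, "=" exact, "none" dropping a facility).

```python
PRIS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIAS = {"warn": "warning", "error": "err", "panic": "emerg"}
LOCAL_HOST = "slackbox"  # constructed stand-in for the name '%' expands to

def _p(name):  # rank of a priority name, syslog.conf aliases resolved
    return PRIS.index(ALIAS.get(name, name))

def selector_allows(selector, facility, priority):
    """One selector: each ';' part sets or clears priorities; later parts win."""
    allowed = set()
    for part in selector.split(";"):
        facs, _, pri = part.rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if pri == "none":                           # drop this facility
            allowed.clear()
        elif pri.startswith("!"):                   # ignore pri and above
            allowed -= set(range(_p(pri[1:]), len(PRIS)))
        elif pri.startswith("="):                   # exactly this priority
            allowed.add(_p(pri[1:]))
        else:                                       # pri (or any) and above
            allowed |= set(range(0 if pri == "*" else _p(pri), len(PRIS)))
    return _p(priority) in allowed

def route(conf, host, facility, priority):
    """Actions a message from `host` reaches; a +/- directive holds until the next."""
    actions, host_rule = [], None                   # host_rule = (include?, name)
    for line in conf.replace("\\\n", "").splitlines():  # join '\' continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] in "+-":
            name = line[1:].strip()
            host_rule = (line[0] == "+", LOCAL_HOST if name == "%" else name)
            continue
        if host_rule and (host == host_rule[1]) != host_rule[0]:
            continue                                # directive excludes this host
        selector, action = line.split(None, 1)
        if selector_allows(selector, facility, priority):
            actions.append(action.lstrip("-"))      # leading '-' only skips fsync
    return actions

# Constructed conf in the patched syntax: local rules first, then the router.
SAMPLE_CONF = """+%
*.info;*.!warn;\\
authpriv.none -/var/log/messages
*.warn;authpriv.none -/var/log/syslog
authpriv.* -/var/log/secure
+192.168.1.1
*.* -/var/log/router.log"""
```

Note that a host matched by neither directive (a third box on the LAN) reaches no rule at all, so leave a trailing "-" or "+" directive in place for anything that should still be caught.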