[SOLVED] rsyslog central logging issues

Vernicronz · 03-19-2018, 01:58 AM

Hi All,

Recently i am trying to build a centralized rsyslog server - and tried with 2 node setup . 1 as master and 1 as slave - which sends the rsyslog to the central master. everything looks good until i tried to make a template and attempt the rsyslog in master to write the client's rsyslog to a custom location and file. things break and i don't get the logs generated in the central server.
below are my configs

#rsyslog.conf from the central/master server (local ip - 172.31.8.255) - configured to listen in tcp

Code:

root@rxmaster:/etc/rsyslog.d# grep -v "#" /etc/rsyslog.conf 
$PreserveFQDN on
module(load="imuxsock") 
module(load="imklog") 
module(load="imtcp")
input(type="imtcp" port="514")
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf

#rsyslog.conf from the slave server -

Code:

root@rxslave:~# grep -v "#" /etc/rsyslog.conf 
$LocalHostName rxslave
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf
*.* @@172.31.8.255:514

When i tried to attempt to run with this custom conf in /etc/rsyslog.d at the master ..nothing writes to that dir/file. but without this the slave writes to the local syslog of the master with the slave's hostname and the rest of the details/syslog stuffs

Code:

root@rxmaster:/etc/rsyslog.d# cat rxslave.conf
if $fromhost == '172.31.9.228' then /logs/rx/rxslave/rxslavesyslog.log
& stop

appreciate your kind advice on how to solve this

thank you

tshikose · 03-19-2018, 05:11 AM

Hi,

Many things can break it.
You need to provide us with more information.

Which OS are you using: flavor and version?
What version of rsyslog are you using?

Vernicronz · 03-19-2018, 05:18 AM

hi tshikose ,

OS is Ubuntu 16.04.4 LTS, rsyslog 8.16.0.

tshikose · 03-19-2018, 05:44 AM

Hi,

I realize that rsyslog Ubuntu has a slightly different syntax compared to CentOS 7, that works with the below.

Code:

cat /etc/rsyslog.d/logging-files.conf
# From desktop7.example.net
:FROMHOST, isequal, "server7.example.net" -/var/log/logging-remote/server7.log
& ~
# From *.example.net and sent in dynamic individual log files
$template LoggingFiles,"/var/log/remote/%FROMHOST%/messages"
:FROMHOST, contains, ".example.net" -?LoggingFiles
& ~

Vernicronz · 03-20-2018, 01:51 AM

Hi Thshimanga,

I have tried the given script - it doesn't work as well. Not sure what is wrong..

Code:

root@rxmaster:/etc/rsyslog.d# cat logging-files.conf 
:FROMHOST, isequal, "172.31.9.228" -/var/log/remote/rxslave-syslog
& ~
$template LoggingFiles,"/var/log/remote/%FROMHOST%/syslog"
:FROMHOST, contains, "rxslave" -?LoggingFiles
& ~

however i tried something this as the below script and it works. i think i will close this thread for now.
thanks alot !!

Code:

root@rxmaster:/etc/rsyslog.d# cat test.conf 
$template DynaFile,"/logs/rx-%HOSTNAME%-syslog"
*.* -?DynaFile

tshikose · 03-20-2018, 02:31 AM

Hi,

I am sorry, but I am not familiar with Ubuntu.
I can only guarantee you that my settings work on CentOS 7.
The OSes differences seem to be only reason.

Besides, your working version seems very similar to mine.
Did you ensure that the /var/log/remote folder existed when testing mine?

I did not explicitly mentioned it, but my settings had two filters: one for server7.example.net and the other for the rest of *.example.net.
If I remember correctly :FROMHOST contains the fully qualfied name, not IP. Read the docs to find out what contains the IP.
That can be the reason your filters do not work.

Vernicronz · 03-20-2018, 02:39 AM

Hi Tshimanga,

Don't worry so much - btw i did ensure /var/log/remote was created and owned by syslog:adm .
and i have tried :FROMHOST with hostname too , which didn't work. i am not sure why. but it's ok.
the rsyslog is really simple in redhat/centos ... but in ubuntu is not too nice. but thank you anyways.
i will check your filters on ip too