Hi,
I've set up an rsyslog server to accept logging from remote servers. The logs should then go in /var/log/hosts/<hostname>. All that works fine. However, due to some strange behavior I had to create some templates to get the hostname right in some cases.
That works fine as well, if it were not that these messages are also sent to the root filesystem. In /etc/rsyslog.d/remote.conf I have this:
Code:
# Template for split VMWare messages
template(name="VMWare" type="list") {
property(name="timereported")
constant(value=" ")
property(name="msg" position.from="1" position.to="10")
constant(value=" ")
property(name="msg" position.from="18")
}
# Template for messages getting hostname Section from VMWare
template(name="VMWareSection" type="list") {
property(name="timereported")
constant(value=" ")
property(name="msg" position.from="18" position.to="27")
constant(value=" ")
property(name="msg")
}
# If the length of the hostname is the maximum length, then use the VMWare template...
if re_match($hostname, "^.{24}") then
{
?VMWare
stop
}
if re_match($hostname, "[a-z0-9]*-[a-z0-9]*-[a-z0-9]*-[a-z0-9]*") then
{
?VMWare
stop
}
if ($hostname == "NoneZ") then
{
?VMWare
stop
}
if ($hostname == "Section") then
{
?VMWareSection
stop
}
$template RemoteLogs,"/var/log/hosts/%SOURCE%/%syslogfacility-text%"
if ($fromhost-ip != "127.0.0.1" ) then ?RemoteLogs
& stop
And then in the root filesystem I get things like this:
Code:
Jun 2 13:12:54 Vpxa: 0b5
Jun 2 13:13:04 Vpxa: 0b5
Jun 2 13:13:12 Vpxa: b2b
Jun 2 13:15:01 hrl-101.lo VMware ESX, vm-hrl-101.lokaal hostd-probe: id=40902736, version=5.1.0, build=3872664, option=Release
Jun 2 13:15:02 hrl-005.lo VMware ESX, vm-hrl-005.lokaal hostd-probe: id=62239497, version=5.1.0, build=3872664, option=Release
Jun 2 13:15:02 hrl-006.lo VMware ESX, vm-hrl-006.lokaal hostd-probe: id=71945765, version=5.1.0, build=3872664, option=Release
Jun 2 13:15:02 hrl-007.lo VMware ESX, vm-hrl-007.lokaal hostd-probe: id=67139175, version=5.1.0, build=3872664, option=Release
Jun 2 13:15:02 hsz-004.lo VMware ESX, vm-hsz-004.lokaal hostd-probe: id=45838836, version=5.1.0, build=3872664, option=Release
Jun 2 13:15:02 hsz-006.lo VMware ESX, vm-hsz-006.lokaal hostd-probe: id=66397427, version=5.1.0, build=3872664, option=Release
These are actually (part of) the content the two templates VMWare and VMWareSection handle. For me I'd be happy if I could just manage to stop rsyslog from sending these messages to the root filesystem and just discard them.
I'm running on SLES15 SP1 with rsyslog 8.33.1:
Code:
rsyslogd -version
rsyslogd 8.33.1, compiled with:
PLATFORM: x86_64-suse-linux-gnu
PLATFORM (lsb_release -d):
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
systemd support: Yes
Number of Bits in RainerScript integers: 64
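
In rsyslog's legacy action syntax, `?name` is a dynamic-file action: the named template is rendered and the result becomes the output file name, not the line format, and a relative name is resolved against the daemon's working directory. The fragment below is an added example, not part of the original post. It rewrites one of the posted rules so that a path template selects the file and a separate format template shapes the line; the template name `VMWareLine` and the trailing newline are assumptions, and only the "NoneZ" rule is shown.

```rsyslog
# Added example, not from the original post. Constructed for illustration.

# Path template: rendered into the output FILE NAME.
# Same string as the post's RemoteLogs template, defined before first use.
template(name="RemoteLogs" type="string"
         string="/var/log/hosts/%SOURCE%/%syslogfacility-text%")

# Format template: rendered into the LOG LINE.
# "VMWareLine" is a hypothetical name. The fields are those of the post's
# VMWare template; the final newline is an assumption so that each
# message ends its own line in the file.
template(name="VMWareLine" type="list") {
    property(name="timereported")
    constant(value=" ")
    property(name="msg" position.from="1" position.to="10")
    constant(value=" ")
    property(name="msg" position.from="18")
    constant(value="\n")
}

# As posted: "?VMWare" renders the VMWare template and uses the result
# as the file name, so the rendered message text names the file.
# if ($hostname == "NoneZ") then {
#     ?VMWare
#     stop
# }

# Variant A: RemoteLogs picks the file, VMWareLine formats the line.
# The path still uses the hostname as received (%SOURCE%).
if ($hostname == "NoneZ") then {
    action(type="omfile" dynaFile="RemoteLogs" template="VMWareLine")
    stop
}

# Variant B: discard the message without writing it anywhere.
# Use this in place of variant A, not together with it.
# if ($hostname == "NoneZ") then {
#     stop
# }
```

Running `rsyslogd -N1` checks the configuration for syntax errors before the service is restarted.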