LinuxQuestions.org

sandeep_hello 02-01-2013 03:58 AM

Syslog configuration in Redhat linux
 
I have configured a syslog server on Red Hat Linux, but now I want to create a separate file for each client that is sending logs to the syslog server.

Please suggest if it is possible.

unSpawn 02-01-2013 06:41 AM

Rsyslogd (see the documentation or the rsyslogd web site wrt templates) and syslog-ng are capable of doing that but the "traditional" syslog daemon isn't.
So until you clarify which one you use the answer is "it depends" ;-p

sandeep_hello 02-09-2013 12:46 PM

Thanks Mate.

I am trying to configure centralized logging for VMware ESX servers on RHEL5 but am facing an issue with log filtering. Logs are coming to single file only.

Suppose the VMware logs follow this pattern:

2013-02-06T17:05:35.360Z station1 vmkwarning: cpu8:2196)WARNING: NMP: vmk_NmpSatpIssueTUR:1018:Device naa.60060e80164cd50000014cd50000a210 path vmhba1:C0:T0:L16 has been unmapped from the array
2013-02-06T17:05:35.360Z station1 vmkernel: cpu8:2196)WARNING: NMP: vmk_NmpSatpIssueTUR:1018:Device naa.60060e80164cd50000014cd50000a210 path vmhba1:C0:T0:L16 has been unmapped from the array
2013-02-06T17:05:35.360Z station1 vmkwarning: cpu2:4914516)WARNING: NMP: vmk_NmpSatpIssueTUR:1018:Device naa.60060e80164cd50000014cd50000a211 path vmhba1:C0:T0:L17 has been unmapped from the array
2013-02-06T17:05:35.360Z station1 vmkernel: cpu2:4914516)WARNING: NMP: vmk_NmpSatpIssueTUR:1018:Device naa.60060e80164cd50000014cd50000a211 path vmhba1:C0:T0:L17 has been unmapped from the array
2013-02-06T17:01:07.862Z station2 Vpxa: [FFF05B90 verbose 'Default'] Set internal stats for VM: 4 (vpxa VM id), 36757 (vpxd VM id). Is FT primary? 0
2013-02-06T17:01:07.863Z station2 Vpxa: [FFF05B90 verbose 'Default'] Set internal stats for VM: 6 (vpxa VM id), 57881 (vpxd VM id). Is FT primary? 0
2013-02-07T01:42:30.200Z station2 Hostd: [63962B90 verbose 'SoapAdapter'] Responded to service state request
2013-02-07T01:42:42.627Z station2 Hostd: [63E5FB90 verbose 'DvsManager'] PersistAllDvsInfo called
2013-02-07T01:42:42.935Z station3 Hostd: [63921B90 verbose 'DvsTracker'] FetchSwitches: added 2 items

Here I want to create a different file for each filter, i.e.

Hostd:
vmkwarning:
vmkernel:
Vpxa:


My syslog configuration for remote logging is


Quote:

#============================================================================================
$ModLoad imudp.so
$UDPServerRun 514

#Client logging
$FileOwner root
$FileGroup root
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

$template DYNHostd,"/var/log/remotelog/%HOSTNAME%/hostd.log"
$template DYNvmkernel,"/var/log/remotelog/%HOSTNAME%/vmkernel.log"
$template DYNvmkwarning,"/var/log/remotelog/%HOSTNAME%/vmkwarning.log"
$template DYNVpxa,"/var/log/remotelog/%HOSTNAME%/vpxa.log"
$template DYNcommonlog,"/var/log/remotelog/%HOSTNAME%/common.log"
if $source != '127.0.0.1' and $msg contains 'Hostd:' then ?DYNHostd
if $source != '127.0.0.1' and $msg contains 'vmkernel:' then ?DYNvmkernel
if $source != '127.0.0.1' and $msg contains 'vmkwarning:' then ?DYNvmkwarning
if $source != '127.0.0.1' and $msg contains 'Vpxa:' then ?DYNvpxa
if $source != '127.0.0.1' then ?DYNcommonlog

#============================================================================================
So please suggest.

unSpawn 02-09-2013 03:46 PM

Quote:

Originally Posted by sandeep_hello (Post 4887742)
Logs are coming to single file only.

So what modifications did you test to fix this? And please don't post a partial rsyslog.conf.

sandeep_hello 02-11-2013 03:19 AM

Actually I have not done anything to fix the issue. I am just seeking information, in case someone can help me solve my issue by suggesting a parameter in my current configuration.

Currently logging is happening successfully, but I want to differentiate the logs on the basis of the client logs' content.

Please suggest if it is possible in my rsyslog configuration.

unSpawn 02-11-2013 08:30 AM

Prohibit messages from hitting the next filter with "& ~". Please confirm if that works. If it doesn't then 0) check your system logs for clues, 1) run a check (see 'man rsyslog.conf' for "-d" and "-N") and 2) post debug output and your complete /etc/rsyslog.conf and /etc/rsyslog.d/ contents.

sandeep_hello 02-12-2013 02:43 AM

Please find the rsyslog.conf

Quote:

$ModLoad imudp.so
$ModLoad imuxsock.so
$ModLoad imklog.so
$UDPSeverAddress *
$UDPServerRun 514

#============================================================================================
#Client logging
$FileOwner root
$FileGroup root
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

$template DYNhostd,"/var/log/remotelog/%HOSTNAME%/hostd.log"
$template DYNvmkernel,"/var/log/remotelog/%HOSTNAME%/vmkernel.log"
$template DYNvmkwarning,"/var/log/remotelog/%HOSTNAME%/vmkwarning.log"
$template DYNvpxa,"/var/log/remotelog/%HOSTNAME%/vpxa.log"
$template DYNcommonlog,"/var/log/remotelog/%HOSTNAME%/common.log"
if $source != '127.0.0.1' and $msg contains 'hostd' then ?DYNHostd
& ~
if $source != '127.0.0.1' and $msg contains 'vmkernel' then ?DYNvmkernel
& ~
if $source != '127.0.0.1' and $msg contains 'vmkwarning' then ?DYNvmkwarning
& ~
if $source != '127.0.0.1' and $msg contains 'vpxa' then ?DYNvpxa
& ~
if $source != '127.0.0.1' then ?DYNcommonlog
& ~


#============================================================================================

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

/etc/sysconfig/rsyslog

Quote:

# Options to syslogd
# -m 0 disables 'MARK' messages.
# -rPortNumber Enables logging from remote machines. The listener will listen to the specified port.
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
#SYSLOGD_OPTIONS="-m 0"
SYSLOGD_OPTIONS=" -r -m 2"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

and debug output


Quote:

rsyslogd: WARNING: rsyslogd is running in compatibility mode. Automatically generated config directives may interfer with your rsyslog.conf settings. We suggest upgrading your config and adding -c3 as the first rsyslogd option.
rsyslogd: invalid or yet-unknown config file command - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
rsyslogd: the last error occured in /etc/rsyslog.conf, line 4
rsyslogd: invalid or yet-unknown config file command - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
rsyslogd: the last error occured in /etc/rsyslog.conf, line 14
rsyslogd: invalid or yet-unknown config file command - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
rsyslogd: the last error occured in /etc/rsyslog.conf, line 15
rsyslogd: Could not find template 'DYNHostd' - action disabled
[try http://www.rsyslog.com/e/3003 ]
rsyslogd: the last error occured in /etc/rsyslog.conf, line 22
rsyslogd: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2123 ]
rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad immark
rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: MarkMessagePeriod 1200
rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad imuxsock

sandeep_hello 02-12-2013 05:38 AM

Thanks for giving me the hint; I finally got the solution.

There was just a little change I needed to make in rsyslog.conf.


My configuration file is

Quote:

$ModLoad imudp.so
$ModLoad imuxsock.so
$ModLoad imklog.so
$UDPServerAddress *
$UDPServerRun 514

#============================================================================================
#Client logging
$FileOwner root
$FileGroup root
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

$template DYNHostd,"/var/log/remotelog/%HOSTNAME%/hostd.log"
if $programname contains 'Hostd' then ?DYNHostd
& ~
$template DYNvmkernel,"/var/log/remotelog/%HOSTNAME%/vmkernel.log"
if $programname contains 'vmkernel' then ?DYNvmkernel
& ~
$template DYNvmkwarning,"/var/log/remotelog/%HOSTNAME%/vmkwarning.log"
if $programname contains 'vmkwarning' then ?DYNvmkwarning
& ~
$template DYNvpxa,"/var/log/remotelog/%HOSTNAME%/vpxa.log"
if $programname contains 'Vpxa' then ?DYNvpxa
& ~
$template DYNcommonlog,"/var/log/remotelog/%HOSTNAME%/common.log"
if $source != '127.0.0.1' then ?DYNcommonlog
& ~



#============================================================================================

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log
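
Added example, not part of the thread and not rsyslog code: a small Python model of why the `$msg contains 'Hostd:'` filters left every remote line in one file while the `$programname` filters in the final configuration split them. The regex parser and the `parse`, `route` and `route_all` helpers are simplified assumptions; the sample lines are shortened from the thread, plus one constructed line.

```python
import re

# Constructed sample: three lines from the thread (message text shortened) and one invented line.
SAMPLE = [
    "2013-02-06T17:05:35.360Z station1 vmkwarning: cpu8:2196)WARNING: NMP: path vmhba1:C0:T0:L16 has been unmapped",
    "2013-02-06T17:01:07.862Z station2 Vpxa: [FFF05B90 verbose 'Default'] Set internal stats for VM: 4",
    "2013-02-07T01:42:42.935Z station3 Hostd: [63921B90 verbose 'DvsTracker'] FetchSwitches: added 2 items",
    "2013-02-07T01:42:43.000Z station3 crond: constructed line from a program with no dedicated rule",
]

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<hostname>\S+) (?P<programname>[^:\s\[]+)(?:\[\d+\])?: ?(?P<msg>.*)$"
)

def parse(line):
    """Simplified model (assumption): the tag is split off, so msg holds only the text after it."""
    m = LINE.match(line)
    if m is None:
        raise ValueError("unparsable line: %r" % line)
    return m.groupdict()

# (property, substring, file name) in config order; 'contains' is a case-sensitive substring test.
MSG_RULES = [("msg", "Hostd:", "hostd.log"), ("msg", "vmkernel:", "vmkernel.log"),
             ("msg", "vmkwarning:", "vmkwarning.log"), ("msg", "Vpxa:", "vpxa.log")]
PROGRAMNAME_RULES = [("programname", "Hostd", "hostd.log"), ("programname", "vmkernel", "vmkernel.log"),
                     ("programname", "vmkwarning", "vmkwarning.log"), ("programname", "Vpxa", "vpxa.log")]

def route(line, rules):
    """Return the file written by the first matching rule; '& ~' then discards the message."""
    rec = parse(line)
    for prop, needle, filename in rules:
        if needle in rec[prop]:
            return "/var/log/remotelog/%s/%s" % (rec["hostname"], filename)
    # No specific rule matched: the catch-all rule takes the message.
    return "/var/log/remotelog/%s/common.log" % rec["hostname"]

def route_all(rules):
    return [route(line, rules) for line in SAMPLE]

if __name__ == "__main__":
    for label, rules in (("$msg rules", MSG_RULES), ("$programname rules", PROGRAMNAME_RULES)):
        print(label)
        for path in route_all(rules):
            print("  " + path)
```

With the `$msg` rules every sample line falls through to `common.log`, because the program tag is not part of the message text; a lowercase needle such as 'hostd' also misses the `Hostd` tag.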


All times are GMT -5.