[SOLVED] RSYSLOG weird behavior

TheChosenOne · 2014-03-13 14:36:50

Hi

I manage a bunch of servers which are all reachable between each other. I set up remote forwarding for rsyslog on one server. To a certain remote server. I sort them by ip ($template FILENAME,"/var/log/%fromhost-ip%/syslog.log").
Now I get messages from other servers too, although I did not set that up .

Another question. I have the next rule:

$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"

which puts everything under "syslog.log". I don't want this. I want to have the same division like locally (faillog, maillog, ...).

Last edited by TheChosenOne (2014-03-22 20:56:28)

TheChosenOne · 2014-03-16 23:16:38

One problem is solved. Apparently you have to edit /etc/rsyslog.d/50-default.conf for the sort of messages you want to receive. All the servers are listed now.
Still, everything is put in a single file...

Rexilion · 2014-03-17 07:15:59

I have not used rsyslog in a looong time since I migrated to rsyslog SystemD. But here goes:

man rsyslog.conf wrote:

For example, if you
would like to split syslog messages from different hosts to
different files (one per host), you can define the following
template:
$template DynFile,"/var/log/system-%HOSTNAME%.log"
This template can then be used when defining an output
selector line. It will result in something like
"/var/log/system-localhost.log"

As for the priorities/facilities you can use %syslogpriority% and %syslogfacility% to do this. So, something like this:

$template DynFile,"/var/log/%fromhost-ip%/%syslogfacility%-%syslogpriority%.log"

I'm not sure if rsyslog will automatically create directories. You might have to use:

$template DynFile,"/var/log/%fromhost-ip%-%syslogfacility%-%syslogpriority%.log"

If the above does not work.

Last edited by Rexilion (2014-03-21 05:27:15)

x33a · 2014-03-17 09:48:19

Rexilion wrote:

I have not used rsyslog in a looong time since I migrated to rsyslog.

You mean systemd, right?

Rexilion · 2014-03-17 12:04:43

x33a wrote:

Rexilion wrote:
I have not used rsyslog in a looong time since I migrated to rsyslog.
You mean systemd, right?

lol, yeah. Didn't have my morning coffee yet.

TheChosenOne · 2014-03-20 22:58:45

Rexilion wrote:

As for the priorities/facilities you can use %syslogpriority% and %syslogfacility% to do this. So, something like this:
$template DynFile,"/var/log/%fromhost-ip%/%syslogfacility%-%syslogpriority%.log"
I'm not sure if rsyslog will automatically create directories. You might have to use:
$template DynFile,"/var/log/%fromhost-ip%-%syslogfacility%-%syslogpriority%.log"
If the above does not work.

Thanks for your reply!

The folders are created automatically, but you have to 'chown syslog:adm' on the folder.
The solution for the facilities works, but now I have files like 10-6, 1-1, 2-6, 3-2, 3-5, 3-6 and 9-6. Is there a way to have 'real' names?

Thanks.

Edit: The folders aren't generated automatically. I follow

$template DynFile,"/var/log/remote/%fromhost%/syslog"

and chown syslog:adm on the 'remote' folder. All 'fromhost' subfolders are generated automatically.

Last edited by TheChosenOne (2014-03-22 14:09:12)

Rexilion · 2014-03-21 05:26:34

Yeah, you can suffix them with '-text'. Btw, there is a manpage here so you can see yourself. It's quite powerful.

TheChosenOne · 2014-03-22 14:14:36

Rexilion wrote:

Yeah, you can suffix them with '-text'. Btw, there is a manpage here so you can see yourself. It's quite powerful.

Thanks! It works completely now! This is the result:

$template TEMPLATE,"/var/log/remote/%fromhost%/%syslogfacility-text%"

Arch Linux

#1 2014-03-13 14:36:50

[SOLVED] RSYSLOG weird behavior

#2 2014-03-16 23:16:38

Re: [SOLVED] RSYSLOG weird behavior

#3 2014-03-17 07:15:59

Re: [SOLVED] RSYSLOG weird behavior

#4 2014-03-17 09:48:19

Re: [SOLVED] RSYSLOG weird behavior

#5 2014-03-17 12:04:43

Re: [SOLVED] RSYSLOG weird behavior

#6 2014-03-20 22:58:45

Re: [SOLVED] RSYSLOG weird behavior

#7 2014-03-21 05:26:34

Re: [SOLVED] RSYSLOG weird behavior

#8 2014-03-22 14:14:36

Re: [SOLVED] RSYSLOG weird behavior

Board footer