12

I use rsyslog to save logs from remote hosts to a server this way:

Server:

# Logfile for each host
$template DynaFile,"/var/log/rsyslog/%HOSTNAME%.log"
*.* -?DynaFile

Clients:

*.* @servername

This creates log files for every client host in the server's /var/log/rsyslog/, but it also logs every message to the server's /var/log/syslog, so it gets really bloated. How can I prevent this so that /var/log/syslog only contains messages from the server itself?

Michael
  • 1,583
  • 3
  • 13
  • 19
  • 1
    You'll want to look into [property based filters](http://www.rsyslog.com/doc/rsyslog_conf_filter.html) since HOSTNAME is one of the syslog fields. You'll basically want to change it so that it only selects its own logs for `/var/log/syslog` – Bratchley Feb 06 '15 at 14:41

4 Answers

5

You have to make sure that your new rules are evaluated before the one that logs to /var/log/syslog.
For example, on Ubuntu Trusty (rsyslog 7.4.4) /etc/rsyslog.conf contains
$IncludeConfig /etc/rsyslog.d/*.conf
so the default rules are loaded from /etc/rsyslog.d/50-default.conf, the one for /var/log/syslog included.

In this case you can add a new file to be loaded before that one, such as 00-remote.conf. For completeness, here's its content for a system I'm managing:

# One file per host and per day (date-rfc3339 gives YYYY-MM-DD); "source" is an alias for HOSTNAME
$template RemoteStore,"/var/log/remote/%HOSTNAME%/%timegenerated:1:10:date-rfc3339%"
# Property filter: no comma between the value and the action
:source,isequal,"NAS" -?RemoteStore
# Discard the message afterwards so it never reaches the /var/log/syslog rule
& ~
Joril
  • 568
  • 7
  • 17
  • This is the only thing that worked for me. I had to rename my configurations so that they are processed before `50-default.conf`. For example, to ensure rules in `/etc/rsyslog.d/53-firewall.conf` don't end up in syslog, I simply renamed it to `/etc/rsyslog.d/49-firewall.conf` and restarted rsyslog. – Jim Walker Apr 17 '22 at 05:58
4

Here is what works for me:

## For accepting syslog info from remote hosts
# Per-host, per-program files for everything that did not originate locally
$template TempAuth, "/var/log/infosys/%HOSTNAME%/%PROGRAMNAME%.log"
$template TempMsg,  "/var/log/infosys/%HOSTNAME%/%PROGRAMNAME%.log"

# Write remote messages to the dynamic file, then discard them ("& ~")
# so they do not fall through to the /var/log/syslog rule
if ($fromhost-ip != "127.0.0.1" ) then ?TempAuth
& ~
if ($fromhost-ip != "127.0.0.1" ) then  ?TempMsg
& ~
Anthony Geoghegan
  • 12,605
  • 7
  • 59
  • 62
Guest
  • 41
  • 2
2

I've been working on this a lot and I think I've found a solution. I encourage others to try this and look for potentially adverse consequences. I suggest that this be implemented on lab/testing and non-critical machines first.

# One file per sending IP (fromhost-ip is the peer address, not a message field)
$template PerHostLog,"/var/log/net-hosts/%fromhost-ip%/%fromhost-ip%.log"
# Line format for the remote files
$template RemoteHostFileFormat,"%TIMESTAMP% %fromhost-ip% %syslogfacility-text% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::space-cc,drop-last-lf%\n"
# Everything that arrived via the UDP listener goes to the per-host file ...
:inputname, isequal, "imudp" ?PerHostLog;RemoteHostFileFormat
# ... and anything not from localhost is stopped here, before the default rules
:fromhost-ip , !isequal , "127.0.0.1" stop

The above 4 lines are in the topmost section of my /etc/rsyslog.conf file.

I'm currently watching 2 log files:
/var/log/net-hosts/10.1.1.1
and /var/log/syslog

As I watch both, I'm seeing logs populate into the remote host file, yet not in the syslog. I restarted apache and saw log entries in syslog for this task.

parsecpython
  • 185
  • 1
  • 2
  • 11
  • Thanks for testing. But it doesn't work for me. It still logs everything to the server's /var/log/syslog – Michael Mar 29 '16 at 08:41
  • The `:fromhost-ip , !isequal , "127.0.0.1" stop` line, in combination with making sure our remote logging rules in `/etc/rsyslog.d/` are executed first (see other answers here), fixed the problem for me. – Ferry Boender May 19 '23 at 07:00
0

For the newer version, the config below fixed the issue.

# Load the UDP listener and bind it to its own ruleset: messages in a bound
# ruleset never reach the default ruleset, so they never hit /var/log/syslog
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")
template(name="DynaFile" type="string" string="/var/log/rsyslog/%HOSTNAME%.log")
ruleset(name="remote") {
    # Same intent as the legacy "-?DynaFile" action, in RainerScript form
    if ($fromhost-ip != "127.0.0.1") then action(type="omfile" dynaFile="DynaFile")
}
Niyaz
  • 117
  • 6
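Pulling the answers together, here is an added example in rsyslog's RainerScript syntax (not code from any answer above) that combines Joril's point about loading before 50-default.conf with Niyaz's dedicated ruleset, and adds the per-host files from the question. The file names, port 514, the /var/log/remote path and the client forwarding line are assumptions.

```rsyslog
# Server: /etc/rsyslog.d/00-remote.conf (assumed name; sorts before 50-default.conf)
module(load="imudp")
module(load="imtcp")

# Bind both listeners to a dedicated ruleset. Messages bound to a ruleset never
# fall through to the default ruleset, so the /var/log/syslog rule never sees them.
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

# One file per host and per day. HOSTNAME comes from the message header and is
# therefore chosen by the sender; secpath-replace turns any "/" into "_" so a
# crafted hostname cannot write outside /var/log/remote. fromhost-ip is the
# peer address of the connection, which the sender cannot pick.
template(name="RemoteFile" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/%timegenerated:1:10:date-rfc3339%.log")
template(name="RemoteLine" type="string"
         string="%TIMESTAMP% %fromhost-ip% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteFile" template="RemoteLine"
           fileCreateMode="0640" dirCreateMode="0750")
    # Not strictly needed (bound rulesets do not fall through), but makes the intent explicit
    stop
}

# Client: /etc/rsyslog.d/10-forward.conf (assumed name). TCP instead of the
# question's "@servername" UDP line, so messages are not silently dropped.
action(type="omfwd" target="servername" port="514" protocol="tcp")
```

Check the result with `rsyslogd -N1` before restarting, and confirm with `logger` on a client that the line lands only under /var/log/remote/ on the server.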