Prevent rsyslog from logging remote hosts messages to local /var/log/syslog
I use rsyslog to save logs from remote hosts to a server this way:

Server:

    # Logfile for each host
    $template DynaFile,"/var/log/rsyslog/%HOSTNAME%.log"
    *.* -?DynaFile

Clients:

    *.* @servername

This creates log files for every client host in the server's /var/log/rsyslog/ but it logs every message also to the server's /var/log/syslog. So it gets really bloated. How can I prevent it so that /var/log/syslog only contains messages from the server itself?
rsyslog
asked Feb 6 '15 at 14:34
Michael
You'll want to look into property based filters since HOSTNAME is one of the syslog fields. You'll basically want to change it so that it only selects its own logs for /var/log/syslog
– Bratchley
Feb 6 '15 at 14:41
3 Answers
I've been working on this a lot and I think I've found a solution. I encourage others to try this and look for potentially adverse consequences. I suggest that this be implemented on lab/testing and non-critical machines first.

    $template PerHostLog,"/var/log/net-hosts/%fromhost-ip%/%fromhost-ip%.log"
    $template RemoteHostFileFormat,"%TIMESTAMP% %fromhost-ip% %syslogfacility-text% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::space-cc,drop-last-lf%\n"
    :inputname, isequal, "imudp" ?PerHostLog;RemoteHostFileFormat
    :fromhost-ip , !isequal , "127.0.0.1" stop

The above 4 lines are in the topmost section of my /etc/rsyslog.conf file.

I'm currently watching 2 log files: /var/log/net-hosts/10.1.1.1 and /var/log/syslog. As I watch both, I'm seeing logs populate into the remote host file, yet not in the syslog. I restarted apache and saw log entries in syslog for this task.
answered Mar 23 '16 at 22:43
spezticle
Thanks for testing. But it doesn't work for me. It still logs everything to the server's /var/log/syslog
– Michael
Mar 29 '16 at 8:41
Here is what works for me:

    ## For accepting syslog info from remote hosts
    $template TempAuth, "/var/log/infosys/%HOSTNAME%/%PROGRAMNAME%.log"
    $template TempMsg, "/var/log/infosys/%HOSTNAME%/%PROGRAMNAME%.log"
    if ($fromhost-ip != "127.0.0.1" ) then ?TempAuth
    & ~
    if ($fromhost-ip != "127.0.0.1" ) then ?TempMsg
    & ~
edited Jul 13 '17 at 17:31
Anthony Geoghegan
answered Jul 13 '17 at 17:05
Guest
You have to make sure that your new rules are evaluated before the one that logs to /var/log/syslog.

For example, on Ubuntu Trusty (rsyslog 7.4.4) /etc/rsyslog.conf contains

    $IncludeConfig /etc/rsyslog.d/*.conf

so the default rules are loaded from /etc/rsyslog.d/50-default.conf, the one for /var/log/syslog included.

In this case you can add a new file to be loaded before that one, such as 00-remote.conf. For completeness, here's its content for a system I'm managing:

    $template RemoteStore, "/var/log/remote/%HOSTNAME%/%timegenerated:1:10:date-rfc3339%"
    :source,isequal,"NAS",-?RemoteStore
    & ~
answered Dec 18 at 14:30
Joril
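
An alternative to ordering filters ahead of the default rules, as an added example that is not taken from any of the answers above: bind the UDP listener to its own ruleset, so remote messages never reach the rules that write /var/log/syslog. It assumes rsyslog v7 or later, UDP port 514 (matching the question's `*.* @servername` clients) and the question's /var/log/rsyslog/ directory; the names `PerHostFile` and `remote` are made up for the example.

```conf
# /etc/rsyslog.d/00-remote.conf
# Added example. Assumes no other config file already loads imudp
# or opens a listener on 514/udp.

module(load="imudp")

# One file per sending host. HOSTNAME is taken from the message and is
# therefore sender-controlled; secpath-replace turns any "/" in it into "_"
# so a crafted hostname cannot steer the path outside /var/log/rsyslog/.
template(name="PerHostFile" type="string"
         string="/var/log/rsyslog/%HOSTNAME:::secpath-replace%.log")

# Messages that enter this ruleset are processed only here. They are never
# handed to the default ruleset, so the /var/log/syslog rule in
# 50-default.conf does not see them and no "stop" / "& ~" is needed.
ruleset(name="remote") {
    action(type="omfile" dynaFile="PerHostFile")
}

# Bind the UDP listener to the ruleset above. Local messages (imuxsock,
# imklog) stay in the default ruleset and keep going to /var/log/syslog.
input(type="imudp" port="514" ruleset="remote")
```

Running `rsyslogd -N1` checks the configuration for errors before the service is restarted.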