Solved

rsyslog - messages file ONLY local logs

Posted on 2011-03-17
4
1,159 Views
Last Modified: 2012-05-11
I have set up a remote syslog server on rhel5.  It is working great, but here is the one thing that bothers me.


it seems rsyslog created a directory for the local machine in /var/log/rsyslog and it writing the local machines logs there while /var/log/messages gets all the logs from every client.

Is there a way to keep the local logs in /var/log/messages and NOT all the clients?

BTW, all the cisco clients get their own directory in /var/log/rsyslog as well.

Hope I explained this right, I am rushing.
0
Comment
Question by:savone
  • 2
  • 2
4 Comments
 
LVL 16

Expert Comment

by:Blaz
ID: 35163179
Can you post your current config file:
/etc/rsyslog.conf
0
 
LVL 23

Author Comment

by:savone
ID: 35164494
here is my current config file:


# cat /etc/rsyslog.conf
$ModLoad imuxsock.so      # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so      # provides kernel logging support (previously done by rklogd)

$ModLoad imudp.so
$UDPServerAddress 10.0.0.4
$UDPServerRun 514
$ModLoad imtcp.so  
$InputTCPServerRun 514

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

authpriv.*                                              /var/log/secure

mail.*                                                  -/var/log/maillog

cron.*                                                  /var/log/cron

*.emerg                                                 *

uucp,news.crit                                          /var/log/spooler

local7.*                                                /var/log/boot.log

*.* -?DynaFile
0
 
LVL 16

Accepted Solution

by:
Blaz earned 500 total points
ID: 35164867
Your messagess are written twice - once to local (root) logs and once to subfolder log. For logging only local messages to root logs try the following code.

You must use property-based filters:
http://www.rsyslog.com/doc/rsyslog_conf_filter.html

Note:
- only the last part of your configuration is repeated here
- that the order of the rules is important and "127.0.0.1" should be replaced with whatever your hostname is (what is the name of the subfolder in /var/log/rsyslog/ that contains your localhost messages).
- the ! negates the isequal comparison
- ~ ends the processing of rules for matched syslog events

So all messages are writen to the %HOSTNAME% subfolder. Then all events that do NOT match localhost stop processing. Localhost messages procede with additional rules.
$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"
*.* -?DynaFile
:HOSTNAME, !isequal, "127.0.0.1" ~
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

Open in new window

0
 
LVL 23

Author Closing Comment

by:savone
ID: 35165754
THANKS! Great answer and the explanation is VERY much appreciated.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction We as admins face situation where we need to redirect websites to another. This may be required as a part of an upgrade keeping the old URL but website should be served from new URL. This document would brief you on different ways ca…
Fine Tune your automatic Updates for Ubuntu / Debian
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now