Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1891
  • Last Modified:

rsyslog - messages file ONLY local logs

I have set up a remote syslog server on rhel5.  It is working great, but here is the one thing that bothers me.


it seems rsyslog created a directory for the local machine in /var/log/rsyslog and it writing the local machines logs there while /var/log/messages gets all the logs from every client.

Is there a way to keep the local logs in /var/log/messages and NOT all the clients?

BTW, all the cisco clients get their own directory in /var/log/rsyslog as well.

Hope I explained this right, I am rushing.
0
savone
Asked:
savone
  • 2
  • 2
1 Solution
 
BlazCommented:
Can you post your current config file:
/etc/rsyslog.conf
0
 
savoneAuthor Commented:
here is my current config file:


# cat /etc/rsyslog.conf
$ModLoad imuxsock.so      # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so      # provides kernel logging support (previously done by rklogd)

$ModLoad imudp.so
$UDPServerAddress 10.0.0.4
$UDPServerRun 514
$ModLoad imtcp.so  
$InputTCPServerRun 514

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

authpriv.*                                              /var/log/secure

mail.*                                                  -/var/log/maillog

cron.*                                                  /var/log/cron

*.emerg                                                 *

uucp,news.crit                                          /var/log/spooler

local7.*                                                /var/log/boot.log

*.* -?DynaFile
0
 
BlazCommented:
Your messagess are written twice - once to local (root) logs and once to subfolder log. For logging only local messages to root logs try the following code.

You must use property-based filters:
http://www.rsyslog.com/doc/rsyslog_conf_filter.html

Note:
- only the last part of your configuration is repeated here
- that the order of the rules is important and "127.0.0.1" should be replaced with whatever your hostname is (what is the name of the subfolder in /var/log/rsyslog/ that contains your localhost messages).
- the ! negates the isequal comparison
- ~ ends the processing of rules for matched syslog events

So all messages are writen to the %HOSTNAME% subfolder. Then all events that do NOT match localhost stop processing. Localhost messages procede with additional rules.
$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"
*.* -?DynaFile
:HOSTNAME, !isequal, "127.0.0.1" ~
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

Open in new window

0
 
savoneAuthor Commented:
THANKS! Great answer and the explanation is VERY much appreciated.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now