Solved

rsyslog - messages file ONLY local logs

Posted on 2011-03-17
4
1,278 Views
Last Modified: 2012-05-11
I have set up a remote syslog server on rhel5.  It is working great, but here is the one thing that bothers me.


it seems rsyslog created a directory for the local machine in /var/log/rsyslog and it writing the local machines logs there while /var/log/messages gets all the logs from every client.

Is there a way to keep the local logs in /var/log/messages and NOT all the clients?

BTW, all the cisco clients get their own directory in /var/log/rsyslog as well.

Hope I explained this right, I am rushing.
0
Comment
Question by:savone
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 16

Expert Comment

by:Blaz
ID: 35163179
Can you post your current config file:
/etc/rsyslog.conf
0
 
LVL 23

Author Comment

by:savone
ID: 35164494
here is my current config file:


# cat /etc/rsyslog.conf
$ModLoad imuxsock.so      # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so      # provides kernel logging support (previously done by rklogd)

$ModLoad imudp.so
$UDPServerAddress 10.0.0.4
$UDPServerRun 514
$ModLoad imtcp.so  
$InputTCPServerRun 514

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

authpriv.*                                              /var/log/secure

mail.*                                                  -/var/log/maillog

cron.*                                                  /var/log/cron

*.emerg                                                 *

uucp,news.crit                                          /var/log/spooler

local7.*                                                /var/log/boot.log

*.* -?DynaFile
0
 
LVL 16

Accepted Solution

by:
Blaz earned 500 total points
ID: 35164867
Your messagess are written twice - once to local (root) logs and once to subfolder log. For logging only local messages to root logs try the following code.

You must use property-based filters:
http://www.rsyslog.com/doc/rsyslog_conf_filter.html

Note:
- only the last part of your configuration is repeated here
- that the order of the rules is important and "127.0.0.1" should be replaced with whatever your hostname is (what is the name of the subfolder in /var/log/rsyslog/ that contains your localhost messages).
- the ! negates the isequal comparison
- ~ ends the processing of rules for matched syslog events

So all messages are writen to the %HOSTNAME% subfolder. Then all events that do NOT match localhost stop processing. Localhost messages procede with additional rules.
$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"
*.* -?DynaFile
:HOSTNAME, !isequal, "127.0.0.1" ~
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

Open in new window

0
 
LVL 23

Author Closing Comment

by:savone
ID: 35165754
THANKS! Great answer and the explanation is VERY much appreciated.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

SSH (Secure Shell) - Tips and Tricks As you all know SSH(Secure Shell) is a network protocol, which we use to access/transfer files securely between two networked devices. SSH was actually designed as a replacement for insecure protocols that sen…
Linux users are sometimes dumbfounded by the severe lack of documentation on a topic. Sometimes, the documentation is copious, but other times, you end up with some obscure "it varies depending on your distribution" over and over when searching for …
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question