Solved

rsyslog - messages file ONLY local logs

Posted on 2011-03-17
4
1,368 Views
Last Modified: 2012-05-11
I have set up a remote syslog server on rhel5.  It is working great, but here is the one thing that bothers me.


it seems rsyslog created a directory for the local machine in /var/log/rsyslog and it writing the local machines logs there while /var/log/messages gets all the logs from every client.

Is there a way to keep the local logs in /var/log/messages and NOT all the clients?

BTW, all the cisco clients get their own directory in /var/log/rsyslog as well.

Hope I explained this right, I am rushing.
0
Comment
Question by:savone
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 16

Expert Comment

by:Blaz
ID: 35163179
Can you post your current config file:
/etc/rsyslog.conf
0
 
LVL 23

Author Comment

by:savone
ID: 35164494
here is my current config file:


# cat /etc/rsyslog.conf
$ModLoad imuxsock.so      # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so      # provides kernel logging support (previously done by rklogd)

$ModLoad imudp.so
$UDPServerAddress 10.0.0.4
$UDPServerRun 514
$ModLoad imtcp.so  
$InputTCPServerRun 514

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

authpriv.*                                              /var/log/secure

mail.*                                                  -/var/log/maillog

cron.*                                                  /var/log/cron

*.emerg                                                 *

uucp,news.crit                                          /var/log/spooler

local7.*                                                /var/log/boot.log

*.* -?DynaFile
0
 
LVL 16

Accepted Solution

by:
Blaz earned 500 total points
ID: 35164867
Your messagess are written twice - once to local (root) logs and once to subfolder log. For logging only local messages to root logs try the following code.

You must use property-based filters:
http://www.rsyslog.com/doc/rsyslog_conf_filter.html

Note:
- only the last part of your configuration is repeated here
- that the order of the rules is important and "127.0.0.1" should be replaced with whatever your hostname is (what is the name of the subfolder in /var/log/rsyslog/ that contains your localhost messages).
- the ! negates the isequal comparison
- ~ ends the processing of rules for matched syslog events

So all messages are writen to the %HOSTNAME% subfolder. Then all events that do NOT match localhost stop processing. Localhost messages procede with additional rules.
$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"
*.* -?DynaFile
:HOSTNAME, !isequal, "127.0.0.1" ~
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

Open in new window

0
 
LVL 23

Author Closing Comment

by:savone
ID: 35165754
THANKS! Great answer and the explanation is VERY much appreciated.
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Linux users are sometimes dumbfounded by the severe lack of documentation on a topic. Sometimes, the documentation is copious, but other times, you end up with some obscure "it varies depending on your distribution" over and over when searching for …
Fine Tune your automatic Updates for Ubuntu / Debian
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
Suggested Courses

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question