rsyslog
May 13, 2008 - 09:15 AM

jli
Post subject: two rsyslog instances on central server?
Posted: May 10, 2008 - 02:01 AM

Joined: May 10, 2008
Posts: 2

At my workplace, we decided to create two configurations: one for the syslog clients and another for the central syslog server. To simplify things, we wanted the client configuration to be applied to all machines - including the server. This means there are two rsyslog instances running on the server.

I've written custom init scripts and configurations so there should be no conflicts or problems, but there are. In the client config, there are the standard lines for filtering into files in /var/log/ by facility. At the very bottom, there is this line:

Code:
*.*                                                             @@ip.of.server


This setup seems to work fine on all other machines - logs are both kept locally and forwarded to the server. However, on the server, logs are only kept in /var/log/ and not forwarded to itself, as I expected.

I would like it to forward to itself so we can be sure all logs for all our machines are in one place. Checking netstat output, I only see the server process communicating with clients on other machines, while the client instance on the server machine doesn't try to connect at all. I've tried using the hostname, the LAN IP, and 127.0.0.1, but nothing works.

On the server, I'm using rsyslog version 3.14.1 packaged for Fedora on a CentOS machine (there are no rsyslog packages for CentOS 5 yet). For clients, some are running CentOS with the same package, and there is also a Debian Lenny machine running 3.14.2 (from the official Debian repositories).


So, is this a bug in rsyslog? Or is it to prevent loops, or something? Or have I configured something incorrectly? Here are my config files:

For client:
Code:

# Local /dev/log kernel messages logging
$ModLoad imuxsock.so
$ModLoad imklog.so

# Based on CentOS's syslog.conf for sysklogd

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# Send everything to central syslog server via TCP
*.*                                                     @@10.224.42.42

# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf



And for the server. A note about the server config: I have it running as the non-root user "rsyslog" listening on port 1514. I have iptables rules forwarding messages from port 514 to 1514.
Code:
# run TCP and UDP listeners on port 1514
$ModLoad imtcp.so
$InputTCPServerRun 1514

$ModLoad imudp.so
$UDPServerRun 1514


$DirCreateMode 0775
$DirOwner rsyslog
$DirGroup rsyslog
$FileCreateMode 0664
$FileOwner rsyslog
$FileGroup rsyslog


# Based on CentOS's syslog.conf for sysklogd

# Remote files
$template remote-messages,"/var/rsyslog-remote/%HOSTNAME%/%$YEAR%/%$MONTH%/messages-%$NOW%"
$template remote-secure,"/var/rsyslog-remote/%HOSTNAME%/%$YEAR%/%$MONTH%/secure-%$NOW%"
$template remote-maillog,"/var/rsyslog-remote/%HOSTNAME%/%$YEAR%/%$MONTH%/maillog-%$NOW%"
$template remote-cron,"/var/rsyslog-remote/%HOSTNAME%/%$YEAR%/%$MONTH%/cron-%$NOW%"
$template remote-spooler,"/var/rsyslog-remote/%HOSTNAME%/%$YEAR%/%$MONTH%/spooler-%$NOW%"
$template remote-bootlog,"/var/rsyslog-remote/%HOSTNAME%/%$YEAR%/%$MONTH%/boot.log-%$NOW%"

*.info;mail.none;authpriv.none;cron.none                ?remote-messages
authpriv.*                                              ?remote-secure
mail.*                                                  -?remote-maillog
cron.*                                                  ?remote-cron
uucp,news.crit                                          ?remote-spooler
local7.*                                                ?remote-bootlog



Any help would be much appreciated! :D
 
All times are GMT - 5 Hours
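
A configuration check related to the setup described in the post, as an added example that is not part of the original post: it parses the rsyslog forwarding actions (`@host`, `@@host[:port]`) and the listener directives, and lists forwards whose protocol and port have no direct listener in the server config. The config excerpts are constructed from the post, the function names are hypothetical, and the iptables rule mentioned in the post is not shown there, so it is not modelled.

```python
import re

# Constructed excerpts of the two configs quoted in the post above.
CLIENT_CONF = """\
$ModLoad imuxsock.so
authpriv.*    /var/log/secure
# Send everything to central syslog server via TCP
*.*           @@10.224.42.42
"""
SERVER_CONF = """\
$ModLoad imtcp.so
$InputTCPServerRun 1514
$ModLoad imudp.so
$UDPServerRun 1514
"""

DEFAULT_PORT = 514  # port rsyslog uses when a forward action names none
FORWARD = re.compile(r"^\S+\s+(@@?)([\w.\-]+)(?::(\d+))?\s*$")
LISTEN = re.compile(r"^\$(InputTCPServerRun|UDPServerRun)\s+(\d+)\s*$")


def forward_targets(conf):
    """Return (proto, host, port) for every '@host' / '@@host' action."""
    out = []
    for line in conf.splitlines():
        line = line.strip()
        m = FORWARD.match(line)
        if m and not line.startswith("#"):
            proto = "tcp" if m.group(1) == "@@" else "udp"
            out.append((proto, m.group(2), int(m.group(3) or DEFAULT_PORT)))
    return out


def listeners(conf):
    """Return the set of (proto, port) pairs the config listens on."""
    found = set()
    for line in conf.splitlines():
        m = LISTEN.match(line.strip())
        if m:
            proto = "tcp" if m.group(1) == "InputTCPServerRun" else "udp"
            found.add((proto, int(m.group(2))))
    return found


def unmatched_forwards(client_conf, server_conf):
    """Forwards whose proto/port has no direct listener on the server."""
    have = listeners(server_conf)
    return [t for t in forward_targets(client_conf) if (t[0], t[2]) not in have]
```

A forward reported here reaches the server instance only through the port redirect. Assuming that redirect sits in the nat PREROUTING chain, it is not applied to connections originating on the server itself, in which case the local client instance needs the port stated explicitly, as in `@@10.224.42.42:1514`.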