Topic: FAQ

Question:
I have activated remote logging and receiving syslog messages from several devices. I want to write a separate log file for each device sending syslog messages. How to achieve that?

Answer:
It is pretty easy. You can use dynaFiles for it. With them, you specify a template as the file name. For each message, the filename is re-generated and the output written to the respective file. Read the config file doc for details, but it basically is:

$template DynaFile,"/var/log/system-%HOSTNAME%.log"
*.* -?DynaFile

Rsyslog supports writing to the database. Like with log files, the rsyslogd writes the data, but does not delete (or export) it. If you need the data only for a period of time, simply deleting excess data might be a workable solution.

Below are some examples how this can be done (thanks to Michael Meckelein for posting this in the forum):

You can start a script via cron job, e. g.

mysql -u database-userid -pdatabase-password -e "truncate table SystemEvents" database-name

to delete all data or like

mysql -u database-userid -pdatabase-password -e "DELETE FROM SystemEvents WHERE ReceivedAt < date_add(current_date, interval -1 day)" database-name

to delete data older than one day.

Rsyslog support RFC3195 RAW and COOKED. The COOKED profile does not support PATH elements, but there is also currently no sender known to use them.

Bennett Todd has just alerted me of some problems with the new release. In short: the build process seems not to work at all (nor does the install do).

This is actually a documentation issue. The way of compiling rsyslog has changed slightly but importantly. You need to CD into an distribution-specific subdirectory (use linux of in doubt) and then call make. Do NOT do this in the root directory of the rsyslog project.

Question:
I have a number of syslog clients behind a NAT device. The receiver receives syslog messages that travelled over the NAT device. This leads the receiver to believe that all messages originated from the same IP address. With stock syslogd, I can not differentiate between the senders. Is there any way to record the correct sender of the message with rsyslog?


Answer:
OK, I've now had some real lab time. The good news in short: if you use rsyslog both on the senders as well as on the receiver, you do NOT have any problems with NAT.

To double-check (and out of curiosity), I also tried with stock syslogd. I used the ones that came with RedHat and FreeBSD. Neither of them reports the sending machine correctly, they all report the NAT address. Obviously, this is what made this thread appear, but it is a good verification for the correctness of my lab.