rsyslog

The rocket-fast system for log processing

How to separate log files by host name of sending device?

Question:
I have activated remote logging and am receiving syslog messages from several devices. I want to write a separate log file for each device sending syslog messages. How to achieve that?

Answer:
It is pretty easy. You can use dynaFiles for it, a feature built into rsyslog's file output, so there is nothing extra to install. With them, you specify a template as the file name. For each message, the file name is re-generated from the template and the output is written to the respective file. Read the config file doc for details, but it basically is:

$template DynaFile,"/var/log/system-%HOSTNAME%.log"
*.* -?DynaFile
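
A fuller form of the same idea in the newer object-style configuration syntax, as an added example that is not part of the original answer. It shows the file name keyed on the sender-supplied host name next to one keyed on the receiving address, plus an output format and file permissions. The template and ruleset names and the /var/log/remote path are assumptions chosen for illustration, and an rsyslog version that supports this syntax is assumed.

```rsyslog
# Added example, not from the original page. PerHostFile, PerSourceFile,
# RemoteDevices and /var/log/remote are placeholder names chosen here.

module(load="imudp")

# Variant A: file named after the host name carried in the message.
# %HOSTNAME% is whatever the sender wrote into the syslog header, so two
# devices that claim the same name end up in the same file.
# The secpath-replace option turns any "/" in the value into "_", so the
# value always stays a single path component.
template(name="PerHostFile" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%.log")

# Variant B: directory named after the address the message was received from.
# %fromhost-ip% is filled in by the receiving input, not taken from the
# message text. If devices log through a relay, it is the relay's address.
template(name="PerSourceFile" type="string"
         string="/var/log/remote/%fromhost-ip%/syslog.log")

# dynaFile selects the file-name template (swap in "PerHostFile" for variant A).
# template selects the line format; RSYSLOG_FileFormat is a built-in format
# with high-precision timestamps.
# createDirs and the two mode settings create missing directories and keep
# the per-device logs unreadable for other users.
ruleset(name="RemoteDevices") {
    action(type="omfile"
           dynaFile="PerSourceFile"
           template="RSYSLOG_FileFormat"
           createDirs="on"
           dirCreateMode="0750"
           fileCreateMode="0640")
    # No later rule in this ruleset sees the message.
    stop
}

# Binding the ruleset to the input sends only remote traffic down this path,
# so the default rules that write local files never see these messages.
input(type="imudp" port="514" ruleset="RemoteDevices")
```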

19 thoughts on “How to separate log files by host name of sending device?”

  1. For those of you nibs who have no intuitive idea about what DynaFile is, then you can feel as stupid as me:

    # yum search dynafiles
    Loaded plugins: product-id, rhnplugin, subscription-manager
    Updating Red Hat repositories.
    epel/metalink | 14 kB 00:00
    epel | 4.3 kB 00:00
    epel/primary_db | 4.1 MB 00:00
    epel-debuginfo/metalink | 13 kB 00:00
    epel-debuginfo | 3.1 kB 00:00
    epel-debuginfo/primary_db | 386 kB 00:00
    epel-source/metalink | 13 kB 00:00
    epel-source | 3.3 kB 00:00
    epel-source/primary_db | 1.0 MB 00:00
    rhel-x86_64-server-6 | 1.8 kB 00:00
    rhel-x86_64-server-6/primary | 5.1 MB 00:01
    rhel-x86_64-server-6 5415/5415
    epel/pkgtags | 323 B 00:00
    Warning: No matches found for: dynafiles
    No Matches found
    #

  2. I did try this line in the rsyslog.conf at the top, but under the tcp and udp enabling lines:

    $template DynaFile,”/var/log/remotesyslog/%HOSTNAME%.log”
    *.* -?DynaFile

    rsyslog was ill afterwards :D
    Oct 6 14:45:06 iup-mgt001 rsyslogd: error: extra characters in config line ignored: ‘”/var/log/remotesyslog/%HOSTNAME%.log”’
    Oct 6 14:45:06 iup-mgt001 rsyslogd-3003: Could not find template ‘DynaFile’ – action disabled
    [try http://www.rsyslog.com/e/3003 ]
    Oct 6 14:45:06 iup-mgt001 rsyslogd: the last error occured in /etc/rsyslog.conf, line 24:"*.* -?DynaFile"
    Oct 6 14:45:06 iup-mgt001 rsyslogd: warning: selector line without actions will be discarded
    Oct 6 14:45:06 iup-mgt001 rsyslogd-2124: CONFIG ERROR: could not interpret master config file ‘/etc/rsyslog.conf’. [try http://www.rsyslog.com/e/2124 ]

    How can I install DynaFile?

    Cheers.

  3. For those who stumbled here in need of a SHORT SOLUTION, I’ll explain a bit more properly:
    Forget this strange ‘dynafiles’: the thing is, you can define a template in rsyslog.conf, like this:

    $template TemplateName,”/var/log/xxxxx_%HOSTNAME%.log”

    and then use its name as output lines in the same file:

    if ($programname == ‘xxxxx’) \
    then -?TemplateName
    & ~

  4. P.S. And pay attention to the quote symbols. If you copy-paste from my comment, change the quotes to normal ones, not ‘web’ ones ;)

  5. > Replace the ” with “. ;) ?

    Means: replace fancy ” “ with plain old " (ASCII 34, UNICODE \u0022)

  6. I’m not able to copy this “ character into the /etc/rsyslog.conf file when I open /etc/rsyslog.conf using the VI editor. It just prints .
    Can someone help please?

  7. I intend to collect logs from hosts on various vlans, some of these hosts have duplicate names under alternate domain names.

    I am separating the logs into hostname folders, but as far as I can tell, the duplicate host names are going to cause trouble.

    Is there any way to get the domain name in there somehow?

  8. Hi,

    I installed rsyslog and it runs in its defaults. In rsyslog.conf at the end I only added:
    $template DELTA,"/var/log/delta-log/%fromhost-ip%/%$YEAR%/%$MONTH%/%$DAY%/syslog-%fromhost-ip%.log"
    *.* -?DELTA

    Files are created dynamically and information is being written into them, but at the same time that information is being duplicated into the /var/log/syslog file.
    How to prevent it from duplicating and make it written only to a respective file?
    Version 7.4.4

    Thank you.

  9. Hi Sergey,

    try this way:

    template(name="DynFile" type="string" string="/var/log/remote/system-%FROMHOST-IP%.log")
    ruleset(name="RemoteDevice"){
    action(type="omfile" dynaFile="DynFile")
    }
    module(load="imudp")
    input(type="imudp" port="514" ruleset="RemoteDevice")

  10. I’m able to separate logs, but how do I apply a different format to said logs? (running RHEL5 and 6 so still legacy config)

    I indeed want the logs to be split but also to contain a specific timestamp.

    Thanks,
    Seb

  11. Hi all,
    I’m a newbie with RSYSLOG and I need help.
    I receive on my server some logs with $programme == ‘radiusN2’. I would like to redirect logs that go to "/var/log/syslog" with $programme = ‘radiusN2’ and concerning user, toward "/var/log/radiusN2/radiusN2.log".

    I tested this code :

    if $programme == 'radiusN2' then {
    user.* -/var/log/radiusN2/radiusN2.log
    }
    & ~

    but it didn’t work; these errors appear:

    Oct 8 11:23:17 dorad rsyslogd: the last error occured in /etc/rsyslog.d/radiusN2.conf, line 1:"if $programme == ‘radiusN2’ then {"
    Oct 8 11:23:17 dorad rsyslogd: warning: selector line without actions will be discarded
    Oct 8 11:23:17 dorad rsyslogd-3000: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
    Oct 8 11:23:17 dorad rsyslogd: the last error occured in /etc/rsyslog.d/radiusN2.conf, line 3:"}"

    Thanks in advance

  12. It looks like your version is too old to support this syntax. However, I strongly suggest posting follow-up questions to either the rsyslog mailing list or support forum, as web site comments are not suitable for troubleshooting (it would get pretty messy rapidly). In any case, you’ll get a more rapid response via the official support channels.

  13. Hello,

    I would like to configure rsyslog if it’s possible to separate logs by the unix user that ran the program which sent the event, like if I run php with various unix users.

    /var/log/httpd/unixuser1/error.log
    /var/log/httpd/unixuser2/error.log
    /var/log/httpd/unixuser3/error.log

    Is this a possibility?
    Any help is appreciated!

    Thank you in advance,
    Mike.

  14. Hey all, I’m new to setting up rsyslog via Ubuntu. I am not seeing any messages from my remote hosts. Any ideas?
