Storing Messages from a Remote System into a specific File

This is a log-consolidation scenario. There exist at least two systems, a server and at least one client. The server is meant to gather log data from all the clients. Clients may (or may not) process and store messages locally; whether they do doesn’t matter here. See recipe Sending Messages to a Remote Syslog Server for how to configure the clients.

Messages from remote hosts in the 192.0.1.x network shall be written to one file and messages from remote hosts in the 192.0.2.x network shall be written to another file.

Things to think about

TCP reception is not a built-in capability. You need to load the imtcp plugin in order to enable it. This needs to be done only once in rsyslog.conf. Do it right at the top.

Note that the server port address specified in $InputTCPServerRun must match the port address that the clients send messages to.

Config Statements

$ModLoad imtcp
$InputTCPServerRun 10514
# do this in FRONT of the local/regular rules
if $fromhost-ip startswith '192.0.1.' then /var/log/network1.log
& ~
if $fromhost-ip startswith '192.0.2.' then /var/log/network2.log
& ~
# local/regular rules, like
*.* /var/log/syslog.log

How it works

It is important that the rules processing the remote messages come before any rules to process local messages. The if statements above check whether a message originates from the network in question and, if so, write it to the appropriate log. The next line (“& ~”) is important: it tells rsyslog to stop processing the message after it was written to the log. As such, these messages will not reach the local part. Without that “& ~”, messages would also be written to the local files.

Also note that in the filter there is a dot after the last number in the IP address. This is important to get reliable filters. For example, both of the addresses “192.0.1.1” and “192.0.10.1” start with “192.0.1” but only one actually starts with “192.0.1.”!
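
The effect of the missing dot can be checked offline. The following is an added example, not part of the original recipe: it emulates the startswith comparison with Python string matching and lists which other networks a dotless prefix would capture. The function names and the sample addresses are assumptions made for this illustration.

```python
import ipaddress

# Rules as in the recipe: (prefix for "$fromhost-ip startswith", target file).
RECIPE_RULES = [("192.0.1.", "/var/log/network1.log"),
                ("192.0.2.", "/var/log/network2.log")]
# Same rules with the trailing dot forgotten (the mistake described above).
DOTLESS_RULES = [(p.rstrip("."), f) for p, f in RECIPE_RULES]
LOCAL_FILE = "/var/log/syslog.log"


def route(src_ip, rules):
    """First matching prefix wins and processing stops, like '& ~'."""
    for prefix, logfile in rules:
        if src_ip.startswith(prefix):
            return logfile
    return LOCAL_FILE  # message falls through to the local/regular rules


def overmatched_third_octets(prefix):
    """For a dotless prefix such as '192.0.1', return the third-octet values
    other than the intended one that a startswith comparison also accepts."""
    third = prefix.rpartition(".")[2]
    return [n for n in range(256)
            if str(n).startswith(third) and str(n) != third]


def in_network(src_ip, cidr):
    """Numeric statement of the same intent, independent of string form."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(cidr)


if __name__ == "__main__":
    # Constructed source addresses, for illustration only.
    for ip in ["192.0.1.7", "192.0.10.1", "192.0.100.9", "192.0.2.44", "127.0.0.1"]:
        print(f"{ip:12} with dot: {route(ip, RECIPE_RULES):22} "
              f"without dot: {route(ip, DOTLESS_RULES)}")
    extra = overmatched_third_octets("192.0.1")
    print(f"'192.0.1' also matches {len(extra)} other networks, "
          f"from 192.0.{extra[0]}.x to 192.0.{extra[-1]}.x")
```

Running the same check over the prefixes in a real rsyslog.conf shows which filters would file another network's messages under the wrong log.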


17 Responses to “Storing Messages from a Remote System into a specific File”

  1. [...] to record messages from remote systems to files different from the local system, please see recipe Storing Messages from a Remote System into a specific File for a potential [...]

  2. sdds says:

    Hi,

    How can one have the receiving rsyslog server store the incoming message into a file based on the incoming message’s IP address, without having to create a new “if $fromhost-ip startswith ’10.20.4.5.’ then /var/log/10.20.4.5.log” each time.

    If it were automatic, then the individual files would be created automatically. When a new system is added or deleted one does not have to modify the rsyslog.conf file (because everyone forgets). With about 750 servers, this starts to be a little tedious :(

    Cheers.s

  3. uvg says:

    Hi sdds,

    You can achieve per host log file by using ‘template’ as follows:

    $template PerHostLog,"/var/log/%HOSTNAME%.log"
    if $fromhost-ip startswith '192.0.1.' then -?PerHostLog
    & ~

    Cheers.

  4. Steve says:

    http://rsyslog.com/config-snippets/the-recipies/more-complex-scenarios/ shows a different method of routing remote syslog messages to a separate file by binding the TCP and UDP ports to a ruleset. Which method is preferred? In my specific scenario, I want to log messages from a piece of test equipment to a separate file to keep them from contaminating my workstation’s legitimate log files. My workstation did not previously have TCP or UDP on, and won’t receive any “real” syslog messages over the network.

  5. Stefan says:

    This syntax does not work with rsyslog 5.8.6 that ships with the widely used Debian Squeeze distribution.

    # provides TCP syslog reception
    $ModLoad imtcp
    $InputTCPServerRun 514

    $template HostBasedLog,”/var/log/%HOSTNAME%.log”
    if $fromhost-ip isequal ’192.168.22.1′ then -?HostBasedLog
    & ~
    if $fromhost-ip isequal ’192.168.22.2′ then -?HostBasedLog
    & ~

    Causes syntax errors on those two lines “syntax error in expression”

    the last error occured in /etc/rsyslog.conf, line 26:”if $fromhost-ip isequal ’192.168.22.2′ then -?HostBasedLog”

  6. rgerhards says:

    Did you use different types of quote characters? At least in the comment it looks so.

  7. DaveQB says:

    Stefan,

    That syntax works for me on a Debian 6.0.3 box.

  8. Sunkan says:

    With Debian Squeeze (currently at 6.0.4) you get this rsyslog:
    ii rsyslog 4.6.4-2 enhanced multi-threaded syslogd

    Can that be the cause?

  9. erick2red says:

    Hi, is there any way to strip the starting part of every line in the log file from a remote system?
    I configured it in my system, but every line in the logs has a heading part that goes: “Mar 7 10:22:20 hostname (service): ” and that’s killing my log analyzer scripts. Does anyone know how to remove that?

    Thxsx in advance

  10. Florian says:

    Just use a custom template. The template should only consist of the msg property. Here is more information on that topic: http://www.rsyslog.com/doc/rsyslog_conf_templates.html

  11. [...] etc) I am ready to configure Rsyslog. I found what looked like the perfect configuration example, “Storing messages from a remote system into a specific file”, but it requires me to hard code a bit too much information in the configuration file for my taste. [...]

  12. NoThanks says:

    I had more success using == instead of isequal.

  13. NoThanks says:

    This seems to be working the best for me

    $template PerHostLog,"/var/log/cisco/%HOSTNAME%.log"
    if $fromhost-ip != '127.0.0.1' then -?PerHostLog
    & ~

    I also tried the following, but

    $template PerHostLog,"/var/log/cisco/%HOSTNAME%.log"
    if $fromhost-ip != '127.0.0.1' then -?PerHostLog
    & ~

  14. NoThanks says:

    ignore the last part of that comment

  15. Varun Kaushik says:

    While using the below configuration:

    $template RemoteHost,"/var/log/remote_host_logs/%HOSTNAME%.log"
    $RuleSet remote
    if $fromhost-ip != '127.0.0.1' then -?RemoteHost
    & ~

    $InputTCPServerBindRuleset remote

    I am running rsyslog both in TCP and UDP on different ports.
    I can get logs from the remote hosts/devices to their separate log-files, but somehow the log messages from the local system stopped getting generated. After adding the above lines I can not see any log generated for the local system in /var/log/syslog. Can any one please help?

  16. Sven says:

    There is another syntax which avoids the use of “if” entirely:

    :HOSTNAME, isequal, "REMOTE_HOSTNAME" /var/log/REMOTE_HOSTNAME.log
    & ~

    Replace REMOTE_HOSTNAME with your remote host’s name…

    You can use any rsyslog property name, e.g. HOSTNAME, FROMHOST, etc.

    I think you also can combine this with the template approach.

  17. Anders says:

    but if i want to redir like this ?

    :FROMHOST-IP, isequal, "10.0.0.10" | @10.251.115.20

    this works :)

    if $hostname startswith 'hostname' and $syslogseverity <= 3 then | @10.251.115.20
