Storing Messages from a Remote System into a specific File

This is a log-consolidation scenario. There exist at least two systems: a server and at least one client. The server is meant to gather log data from all the clients. Clients may (or may not) process and store messages locally; whether they do does not matter here. See recipe Sending Messages to a Remote Syslog Server for how to configure the clients.

Messages from remote hosts in the 192.0.1.x network shall be written to one file, and messages from remote hosts in the 192.0.2.x network shall be written to another file.

Things to think about

TCP reception is not a built-in capability. You need to load the imtcp plugin in order to enable it. This needs to be done only once in rsyslog.conf. Do it right at the top.

Note that the server port address specified in $InputTCPServerRun must match the port address that the clients send messages to.

Config Statements

# load the TCP input plugin once, at the top of rsyslog.conf
$ModLoad imtcp
# listen on TCP port 10514; this must match the port the clients send to
$InputTCPServerRun 10514
# do this in FRONT of the local/regular rules
if $fromhost-ip startswith '192.0.1.' then /var/log/network1.log
# "& ~" discards the message: it does not reach the rules below
& ~
if $fromhost-ip startswith '192.0.2.' then /var/log/network2.log
& ~
# local/regular rules, like
*.* /var/log/syslog.log

How it works

It is important that the rules processing the remote messages come before any rules that process local messages. The if’s above check whether a message originates on the network in question and, if so, write it to the appropriate log. The next line (“& ~”) is important: it tells rsyslog to stop processing the message after it was written to the log. As such, these messages will not reach the local part. Without that “& ~”, messages would also be written to the local files.

Also note that in the filter there is a dot after the last number in the IP address. This is important to get reliable filters. For example, both of the addresses “192.0.1.1” and “192.0.10.1” start with “192.0.1” but only one actually starts with “192.0.1.”!


6 Responses to “Storing Messages from a Remote System into a specific File”

  1. [...] to record messages from remote systems to files different from the local system, please see recipe Storing Messages from a Remote System into a specific File for a potential [...]

  2. sdds says:

    Hi,

    How can one have the receiving rsyslog server store the incoming message into a file based on the incoming message’s IP address, without having to create a new “if $fromhost-ip startswith ‘10.20.4.5.’ then /var/log/10.20.4.5.log” each time.

    If it were automatic, then the individual files would be created automatically. When a new system is added or deleted one does not have to modify the rsyslog.conf file (because everyone forgets). With about 750 servers, this starts to be a little tedious :(

    Cheers.

  3. uvg says:

    Hi sdds,

    You can achieve a per-host log file by using a ‘template’ as follows:

    # file name is built from the sender's HOSTNAME property
    $template PerHostLog,"/var/log/%HOSTNAME%.log"
    if $fromhost-ip startswith '192.0.1.' then -?PerHostLog
    & ~

    Cheers.
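The following is an added example, not part of the recipe or of the comment thread and not rsyslog code. It is a small Python model of how rsyslog walks the rule chain shown in the recipe (the startswith filters, the “& ~” discard, and the fall-through to the local rules) and of the per-host %HOSTNAME% template from the comment above. It makes the two points of the “How it works” section checkable offline: a missing trailing dot in ‘192.0.1’ also matches 192.0.10.x, and dropping “& ~” duplicates the message into the local file. The Message and Rule classes, the sample IPs and hostnames, and the hostname validation in expand_template are all assumptions of the model; rsyslog itself does not validate the name for you in this recipe, but the name does come from the remote sender, so a defender should treat it as untrusted before letting it become part of a path.

```python
"""Toy model of the rsyslog rule chain from the recipe (added example, not rsyslog code)."""
import re
from dataclasses import dataclass


@dataclass
class Message:
    fromhost_ip: str   # rsyslog's $fromhost-ip property
    hostname: str      # rsyslog's HOSTNAME property, taken from the remote message
    text: str


@dataclass
class Rule:
    """One 'if $fromhost-ip <op> <value> then <target>' line, optionally followed by '& ~'."""
    op: str              # 'startswith' or 'isequal'
    value: str
    target: str          # a file path, or '-?Name' / '?Name' for a template
    discard: bool = True # True when the rule is followed by '& ~'


# Hostname characters this model accepts in a file name (assumption: letters, digits, '.', '-', '_').
SAFE_HOST = re.compile(r"^[A-Za-z0-9._-]+$")


def expand_template(template: str, msg: Message) -> str:
    """Expand %HOSTNAME% as the $template line does, rejecting names that could escape the log directory."""
    host = msg.hostname
    if not SAFE_HOST.fullmatch(host) or ".." in host:
        host = "invalid-hostname"   # constructed fallback name used by this model
    return template.replace("%HOSTNAME%", host)


def route(msg: Message, rules: list, templates: dict, local_file: str = "/var/log/syslog.log") -> list:
    """Return the files the message is written to, in rule order."""
    written = []
    for rule in rules:
        if rule.op == "startswith":
            hit = msg.fromhost_ip.startswith(rule.value)
        elif rule.op == "isequal":
            hit = msg.fromhost_ip == rule.value
        else:
            raise ValueError(f"unknown operator {rule.op!r}")
        if not hit:
            continue
        target = rule.target.lstrip("-")          # leading '-' means 'no sync', irrelevant here
        if target.startswith("?"):
            target = expand_template(templates[target[1:]], msg)
        written.append(target)
        if rule.discard:
            return written                        # '& ~': stop processing this message
    written.append(local_file)                    # fell through to the local/regular rules
    return written


# Rules as in the recipe (note the trailing dot).
RECIPE_RULES = [
    Rule("startswith", "192.0.1.", "/var/log/network1.log"),
    Rule("startswith", "192.0.2.", "/var/log/network2.log"),
]
# The same rules without the trailing dot, to show why the dot matters.
SLOPPY_RULES = [
    Rule("startswith", "192.0.1", "/var/log/network1.log"),
    Rule("startswith", "192.0.2", "/var/log/network2.log"),
]
# Per-host template from the comment thread.
TEMPLATES = {"PerHostLog": "/var/log/%HOSTNAME%.log"}
PER_HOST_RULES = [Rule("startswith", "192.0.1.", "-?PerHostLog")]


def demo() -> dict:
    """Run constructed messages through each rule set and collect the resulting file lists."""
    m1 = Message("192.0.1.1", "web01", "constructed test line")
    m2 = Message("192.0.10.1", "db07", "constructed test line")   # 192.0.10.x, not 192.0.1.x
    m3 = Message("10.0.0.5", "localhost", "constructed test line")
    return {
        "dot": [route(m, RECIPE_RULES, TEMPLATES) for m in (m1, m2, m3)],
        "nodot": [route(m, SLOPPY_RULES, TEMPLATES) for m in (m1, m2, m3)],
        "nodiscard": route(m1, [Rule("startswith", "192.0.1.", "/var/log/network1.log", discard=False)], TEMPLATES),
        "perhost": route(m1, PER_HOST_RULES, TEMPLATES),
        "badhost": route(Message("192.0.1.9", "bad/host", "constructed"), PER_HOST_RULES, TEMPLATES),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In the “nodot” run the 192.0.10.1 message lands in network1.log, exactly the mistake the recipe warns about; in the “nodiscard” run the 192.0.1.1 message is written to both network1.log and syslog.log. The model only implements startswith and isequal; the real rsyslog filter language is much richer, and the trailing-dot caveat applies to any prefix comparison on addresses.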

  4. Steve says:

    http://rsyslog.com/config-snippets/the-recipies/more-complex-scenarios/ shows a different method of routing remote syslog messages to a separate file by binding the TCP and UDP ports to a ruleset. Which method is preferred? In my specific scenario, I want to log messages from a piece of test equipment to a separate file to keep them from contaminating my workstation’s legitimate log files. My workstation did not previously have TCP or UDP on, and won’t receive any “real” syslog messages over the network.

  5. Stefan says:

    This syntax does not work with rsyslog 5.8.6 that ships with the widely used Debian Squeeze distribution.

    # provides TCP syslog reception
    $ModLoad imtcp
    $InputTCPServerRun 514

    $template HostBasedLog,”/var/log/%HOSTNAME%.log”
    if $fromhost-ip isequal ‘192.168.22.1′ then -?HostBasedLog
    & ~
    if $fromhost-ip isequal ‘192.168.22.2′ then -?HostBasedLog
    & ~

    Causes syntax errors on those two lines “syntax error in expression”

    the last error occured in /etc/rsyslog.conf, line 26:”if $fromhost-ip isequal ‘192.168.22.2′ then -?HostBasedLog”

  6. rgerhards says:

    Did you use different types of quote characters? At least in the comment it looks so.
