Mailing List Archive

Templates and Separating Logs
I hope this is the correct list to send questions to, I have not needed
support on rsyslog in 7 years.

INFO (as the basis for my question)
I have six (6) RHEL7 systems on a network that I need to set up logging
forwarding from five (5) *clients* over to the last (1) *server*.

I have the following ROLE {server, client} and Hostnames to list:

SERVER: 'a8-ytb-dev001'

CLIENT: 'a8-ansi-w00' (not a typo, compare the following two)
CLIENT: 'a8-ansi-w001'
CLIENT: 'a8-ansi-w002'
CLIENT: 'a8-ansi-d001'
CLIENT: 'a8-ansi-d002'

On all of the clients, in the /etc/rsyslog.configuration file I have added
the syntax at the bottom of the file:

*.* @@192.168.2.225:514

On the server, in the /etc/rsyslog.conf configuration file I do have in
place the following:

module(load="imtcp")
input(type="imtcp" port="514")

$template CATC,"/var/log/REMOTE/%HOSTNAME%.log"
$template SECU,"/var/log/REMOTE/%HOSTNAME%/secure"
$template MESG,"/var/log/REMOTE/%HOSTNAME%/messages"

I also have the following below these lines...

if $fromhost contains 'a8-ansi-d00' then {
    authpriv.* -?SECU
    *.info;mail.none;authpriv.none;cron.none -?MESG
    & stop
}

if $fromhost-ip != '127.0.0.1' then {
    :hostname, !contains, "a8-ansi-d00" ~
    *.* -?CATC
    & stop
}

*I have two goals:*

1. Get the hosts with hostnames 'a8-ansi-d001' and 'a8-ansi-d002' to
   log both authpriv.* to "secure", and
   *.info;mail.none;authpriv.none;cron.none to "messages."
2. Get all other hosts regardless of hostname string pattern to log into
   a single file based on the CATC template (into
   /var/log/REMOTE/%HOSTNAME%.log).


*Issues I am experiencing:*

1. I have been able to accomplish goal #1 but with a minor issue. The
   issue is that after every reboot of either (or both) of the
   'a8-ansi-d00*' hostname pattern I end up with a file in
   /var/log/REMOTE/a8-ansi-d001/log (for a specific example) and also into
   /var/log/REMOTE/%HOSTNAME%/secure (and messages). So I am getting data
   logged into both places which is not wanted.
2. Furthermore, none of the other hosts have a
   /var/log/REMOTE/%HOSTNAME%.log generated after their namesakes, or at all.
   This is not accomplishing my goal #2.


Can I get some help, please?


--------------------------
Warron French
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Templates and Separating Logs
the first thing I would suggest is to stop mixing syntax types (I may have been
incorrect here in piecing the config back together from the mangling in the
mail)

if $fromhost contains 'a8-ansi-d00' then {
authpriv.* -?SECU
*.info;mail.none;authpriv.none;cron.none -?MESG
& stop
}

note that this stop only applies if it matches the ?MESG destined files, not the
SECU destined files

also note that - on the output is meaningless, all output through rsyslog is
async

if $fromhost-ip != '127.0.0.1' then {
:hostname, !contains, "a8-ansi-d00" ~
*.* -?CATC
& stop
}

here you use an if, then you use an old style condition, then you use ~ and
elsewhere you use stop, both the CATC and the stop lines are unconditional (*.*
matches everything, and & in the line after that matches *.*. you can leave out
the *.* and just have a line that reads ?CATC and it will be the same as your
current CATC line)

re-write everything using if...then syntax and I think it will be more obvious
what is going wrong

David Lang



On Thu, 28 Sep 2023, warron.french via rsyslog wrote:

> I hope this is the correct list to send questions to, I have not needed
> support on rsyslog in 7 years.
>
> INFO (as the basis for my question)
> I have six (6) RHEL7 systems on a network that I need to set up logging
> forwarding from five (5) *clients* over to the last (1) *server*.
>
> I have the following ROLE {server, client} and Hostnames to list:
>
> SERVER: 'a8-ytb-dev001'
>
> CLIENT: 'a8-ansi-w00' (not a typo, compare the following two)
> CLIENT: 'a8-ansi-w001'
> CLIENT: 'a8-ansi-w002'
> CLIENT: 'a8-ansi-d001'
> CLIENT: 'a8-ansi-d002'
>
> On all of the clients, in the /etc/rsyslog.configuration file I have added
> the syntax at the bottom of the file:
>
> *.* @@192.168.2.225:514
>
> On the server, in the /etc/rsyslog.conf configuration file I do have in
> place the following:
>
> module(load="imtcp")
> input(type="imtcp" port="514")
>
> $template CATC,"/var/log/REMOTE/%HOSTNAME%.log"
> $template SECU,"/var/log/REMOTE/%HOSTNAME%/secure"
> $template MESG,"/var/log/REMOTE/%HOSTNAME%/messages"
>
> I also have the following below these lines...
>
> if $fromhost contains 'a8-ansi-d00' then {
>     authpriv.* -?SECU
>     *.info;mail.none;authpriv.none;cron.none -?MESG
>     & stop
> }
>
> if $fromhost-ip != '127.0.0.1' then {
>     :hostname, !contains, "a8-ansi-d00" ~
>     *.* -?CATC
>     & stop
> }
>
> *I have two goals:*
>
> 1. Get the hosts with hostnames 'a8-ansi-d001' and 'a8-ansi-d002' to
>    log both authpriv.* to "secure", and
>    *.info;mail.none;authpriv.none;cron.none to "messages."
> 2. Get all other hosts regardless of hostname string pattern to log into
>    a single file based on the CATC template (into
>    /var/log/REMOTE/%HOSTNAME%.log).
>
>
> *Issues I am experiencing:*
>
> 1. I have been able to accomplish goal #1 but with a minor issue. The
>    issue is that after every reboot of either (or both) of the
>    'a8-ansi-d00*' hostname pattern I end up with a file in
>    /var/log/REMOTE/a8-ansi-d001/log (for a specific example) and also into
>    /var/log/REMOTE/%HOSTNAME%/secure (and messages). So I am getting data
>    logged into both places which is not wanted.
> 2. Furthermore, none of the other hosts have a
>    /var/log/REMOTE/%HOSTNAME%.log generated after their namesakes, or at all.
>    This is not accomplishing my goal #2.
>
>
> Can I get some help, please?
>
>
> --------------------------
> Warron French
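
Added example (not part of either post, and not David Lang's own configuration): one way the server-side rules from the question could look when written entirely in if...then syntax, as the reply suggests. It keeps the template names, host pattern and selectors from the original post and assumes an rsyslog version that provides template(), action() and prifilt().

```rsyslog
# Receive syslog over TCP 514, as in the original post.
module(load="imtcp")
input(type="imtcp" port="514")

# Same three file-name templates, in the newer template() form.
# %HOSTNAME% is the hostname field carried in the message itself;
# $fromhost (used below) is the sender as resolved by this server.
template(name="CATC" type="string" string="/var/log/REMOTE/%HOSTNAME%.log")
template(name="SECU" type="string" string="/var/log/REMOTE/%HOSTNAME%/secure")
template(name="MESG" type="string" string="/var/log/REMOTE/%HOSTNAME%/messages")

# Everything that did not originate on the server itself.
if $fromhost-ip != '127.0.0.1' then {

    if $fromhost contains 'a8-ansi-d00' then {
        # Goal 1: the a8-ansi-d00x hosts get separate secure/messages files.
        # Each selector is its own explicit condition, so neither action
        # depends on whether the other one matched.
        if prifilt("authpriv.*") then {
            action(type="omfile" dynaFile="SECU")
        }
        if prifilt("*.info;mail.none;authpriv.none;cron.none") then {
            action(type="omfile" dynaFile="MESG")
        }
    } else {
        # Goal 2: every other remote host gets one file per hostname.
        action(type="omfile" dynaFile="CATC")
    }

    # One stop for all remote messages, matched or not, so none of them
    # continue into the local rules that follow in rsyslog.conf.
    stop
}
```

Running rsyslogd -N1 checks the configuration for syntax errors before the service is restarted.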