Reputation: 109
I have an Rsyslog central server where multiple machines send log files and these log files are stored by machine IP.
$template DailyPerHostLogs,"/var/log/remote/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
*.* -?DailyPerHostLogs
This works fine; however, all the logs get into the log machine's central logs as well, like:
/var/log/messages
/var/log/auth
/var/log/cron
What is the best way to stop this from happening?
Thanks
Upvotes: 4
Views: 4725
Reputation: 2007
Each of your inputs (instances of imtcp, imudp, etc.) is configured with a ruleset.
If you don't specify a ruleset, the default is RSYSLOG_DefaultRuleset; this is the ruleset to which actions in the main section of the configuration file are added.
If you do specify a ruleset then messages from the input are processed by the specified ruleset instead of RSYSLOG_DefaultRuleset.
Using the more readable RainerScript syntax (rather than the legacy syntax), you can do this:
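# Bind the UDP listener to its own ruleset instead of the default one
input(type="imudp" port="514" ruleset="remote_store")
# Only messages arriving on that input are processed here
ruleset(name="remote_store") {
    *.* action(type="omfile" dynaFile="DailyPerHostLogs" sync="off")
}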
Now messages from local programs (read via imuxsock, imjournal, etc.) will continue to go to the default ruleset, and messages from the network will go to the remote_store ruleset; the two rulesets are wholly separate.
If you want to stick with the legacy syntax, I believe you can put $Ruleset remote_store before your action line, but beware that this sets the ruleset for all subsequent actions as well, so you need to be much more careful with ordering your configuration file than with RainerScript syntax.
Upvotes: 1
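A complete central-server configuration following the ruleset approach in the answer above, as an added example that is not part of the original answer. It rewrites the question's DailyPerHostLogs template in RainerScript; the imtcp listener and the local selector lines are assumptions (typical defaults), not taken from the page.

```conf
# Added example: central log server with remote and local logs kept apart.
# Port 514 and the ruleset name remote_store follow the answer above;
# the TCP listener and the local selectors below are assumptions.

module(load="imudp")
module(load="imtcp")

# RainerScript form of the question's DailyPerHostLogs template
template(name="DailyPerHostLogs" type="string"
         string="/var/log/remote/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log")

# Remote messages: only this ruleset ever sees them
ruleset(name="remote_store") {
    action(type="omfile" dynaFile="DailyPerHostLogs")
}

# Bind every network listener to the remote ruleset
input(type="imudp" port="514" ruleset="remote_store")
input(type="imtcp" port="514" ruleset="remote_store")

# Local rules (default ruleset, RSYSLOG_DefaultRuleset): fed only by local
# inputs such as imuxsock/imjournal, so remote traffic never reaches these files
authpriv.*                                  /var/log/auth
cron.*                                      /var/log/cron
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
```

Routing here is decided by which input received the message, not by the hostname field, which is set by the sender. Running rsyslogd -N1 checks the configuration before a restart.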
Reputation: 109
Solved it, have to put the remote log acceptance rule first, then this:
## before going to local log rules, drop remote logging, it's been
## processed in the "central logging" section
#
:hostname, !isequal, "biglogserver" ~
Then the rest of the rsyslog.conf
Upvotes: 3
Reputation: 64563
If I understood your question right, you won't save the logs locally on the machines.
To do that you must remove from /etc/syslog.conf all the lines that describe local log files, and leave there only the line that sends the logs remotely.
Upvotes: 0