Prevent rsyslog from logging remote hosts' messages to local /var/log/syslog

I use rsyslog to save logs from remote hosts to a server this way:

Server:

# Logfile for each host
$template DynaFile,"/var/log/rsyslog/%HOSTNAME%.log"
*.* -?DynaFile

Clients:

*.* @servername

This creates log files for every client host in the server's /var/log/rsyslog/, but it also logs every message to the server's /var/log/syslog, so it gets really bloated. How can I prevent this so that /var/log/syslog only contains messages from the server itself?

asked Feb 6 '15 at 14:34 by Michael

You'll want to look into property-based filters, since HOSTNAME is one of the syslog fields. You'll basically want to change it so that it only selects its own logs for /var/log/syslog.
– Bratchley
Feb 6 '15 at 14:41

2 Answers

I've been working on this a lot and I think I've found a solution. I encourage others to try this and look for potentially adverse consequences. I suggest that this be implemented on lab/testing and non-critical machines first.

$template PerHostLog,"/var/log/net-hosts/%fromhost-ip%/%fromhost-ip%.log"
$template RemoteHostFileFormat,"%TIMESTAMP% %fromhost-ip% %syslogfacility-text% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::space-cc,drop-last-lf%\n"
:inputname, isequal, "imudp" ?PerHostLog;RemoteHostFileFormat
:fromhost-ip , !isequal , "127.0.0.1" stop

The above 4 lines are in the topmost section of my /etc/rsyslog.conf file.

I'm currently watching 2 log files:

/var/log/net-hosts/10.1.1.1

and

/var/log/syslog

As I watch both, I'm seeing logs populate into the remote host file, yet not in the syslog. I restarted apache and saw log entries in syslog for this task.

answered Mar 23 '16 at 22:43 by spezticle

Thanks for testing. But it doesn't work for me. It still logs everything to the server's /var/log/syslog.
– Michael
Mar 29 '16 at 8:41

Here is what works for me:

## For accepting syslog info from remote hosts
$template TempAuth, "/var/log/infosys/%HOSTNAME%/%PROGRAMNAME%.log"
$template TempMsg, "/var/log/infosys/%HOSTNAME%/%PROGRAMNAME%.log"

if ($fromhost-ip != "127.0.0.1" ) then ?TempAuth
& ~
if ($fromhost-ip != "127.0.0.1" ) then ?TempMsg
& ~

edited Jul 13 '17 at 17:31 by Anthony Geoghegan

answered Jul 13 '17 at 17:05 by Guest
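
One way to get the separation asked about in the question, as an added example that is not from any of the posts above: bind the network input to its own ruleset, so remote messages never reach the default ruleset that writes /var/log/syslog. It assumes rsyslog v7 or later (RainerScript syntax) and UDP port 514; the file name and the names `remote` and `PerHostFile` are hypothetical, and the path reuses the question's /var/log/rsyslog/ layout.

```conf
# /etc/rsyslog.d/10-remote.conf  (file name is an assumption)
# Added example, not taken from the posts above.

module(load="imudp")

# One file per sending host, as in the question.
# HOSTNAME is read from the message header, which the sender writes;
# secpath-replace turns any slash in it into an underscore so the value
# cannot add path components below /var/log/rsyslog/.
template(name="PerHostFile" type="string"
         string="/var/log/rsyslog/%HOSTNAME:::secpath-replace%.log")

# Rules that apply only to messages arriving on the network input.
ruleset(name="remote") {
    action(type="omfile" dynaFile="PerHostFile")
}

# Binding the input to the ruleset keeps its messages out of the default
# ruleset, where the rule that writes /var/log/syslog lives. Local
# messages (imuxsock, imklog) still go through the default ruleset.
input(type="imudp" port="514" ruleset="remote")
```

Check the syntax with `rsyslogd -N1` before restarting. If /etc/rsyslog.conf already declares an imudp input on this port, add `ruleset="remote"` to that declaration instead of adding a second listener.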
