Prevent rsyslog from logging remote hosts messages to local /var/log/syslog
I use rsyslog to save logs from remote hosts to a server this way:

Server:

    # Logfile for each host
    $template DynaFile,"/var/log/rsyslog/%HOSTNAME%.log"
    *.* -?DynaFile

Clients:

    *.* @servername

This creates log files for every client host in the server's /var/log/rsyslog/, but it also logs every message to the server's /var/log/syslog. So it gets really bloated. How can I prevent it so that /var/log/syslog only contains messages from the server itself?

asked Feb 6 '15 at 14:34
Michael
You'll want to look into property-based filters since HOSTNAME is one of the syslog fields. You'll basically want to change it so that it only selects its own logs for /var/log/syslog
– Bratchley
Feb 6 '15 at 14:41
2 Answers
I've been working on this a lot and I think I've found a solution. I encourage others to try this and look for potentially adverse consequences. I suggest that this be implemented on lab/testing and non-critical machines first.

    $template PerHostLog,"/var/log/net-hosts/%fromhost-ip%/%fromhost-ip%.log"
    $template RemoteHostFileFormat,"%TIMESTAMP% %fromhost-ip% %syslogfacility-text% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::space-cc,drop-last-lf%\n"
    :inputname, isequal, "imudp" ?PerHostLog;RemoteHostFileFormat
    :fromhost-ip , !isequal , "127.0.0.1" stop

The above 4 lines are in the topmost section of my /etc/rsyslog.conf file.

I'm currently watching 2 log files: /var/log/net-hosts/10.1.1.1 and /var/log/syslog. As I watch both, I'm seeing logs populate into the remote host file, yet not in the syslog. I restarted apache and saw log entries in syslog for this task.

answered Mar 23 '16 at 22:43
spezticle
Thanks for testing. But it doesn't work for me. It still logs everything to the server's /var/log/syslog
– Michael
Mar 29 '16 at 8:41
Here is what works for me:

    ## For accepting syslog info from remote hosts
    $template TempAuth, "/var/log/infosys/%HOSTNAME%/%PROGRAMNAME%.log"
    $template TempMsg, "/var/log/infosys/%HOSTNAME%/%PROGRAMNAME%.log"
    # Write messages that did not come from localhost to the per-host file,
    # then discard them ("& ~") so later rules never see them
    if ($fromhost-ip != "127.0.0.1" ) then ?TempAuth
    & ~
    if ($fromhost-ip != "127.0.0.1" ) then ?TempMsg
    & ~

edited Jul 13 '17 at 17:31
Anthony Geoghegan
answered Jul 13 '17 at 17:05
Guest
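
An added example, not taken from either answer above: the same separation done by binding the network input to its own ruleset, so that remote messages never enter the default ruleset that writes /var/log/syslog, wherever the rules sit in the file. It assumes rsyslog v7 or later (RainerScript syntax) and UDP port 514; the file name, the ruleset name `remote` and the template name `PerHostFile` are hypothetical.

```conf
# /etc/rsyslog.d/10-remote.conf  (hypothetical file name; it must be picked up
# by the $IncludeConfig line in /etc/rsyslog.conf)

# UDP listener, matching the clients' "*.* @servername" (a single @ means UDP).
# Remove any existing "$ModLoad imudp" / "$UDPServerRun 514" lines first,
# otherwise the module is loaded and the port bound twice.
module(load="imudp")

# Same per-host path as the DynaFile template in the question.
# %HOSTNAME% is read from the message, so the sender chooses it;
# %fromhost-ip% is taken from the receiving socket instead and can be
# substituted here if file names must not depend on message content.
template(name="PerHostFile" type="string"
         string="/var/log/rsyslog/%HOSTNAME%.log")

# Rules that apply only to messages arriving on the input bound below.
ruleset(name="remote") {
    action(type="omfile" dynaFile="PerHostFile")
}

# Messages from this input are processed by ruleset "remote" only; the
# default ruleset (which holds the /var/log/syslog rule) never sees them.
input(type="imudp" port="514" ruleset="remote")
```

Running `rsyslogd -N1` checks the configuration for syntax errors before the service is restarted.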