On Tue, 18 Feb 2014, Chris Mann wrote:
Hello all,
I’m trying to send a custom log file that our program generates to the remote
rsyslog server, with little to no luck. Ideally, I’d like to have that log
sent to its own file and not mixed in with the syslog traffic.
We’re using Ubuntu 12.04LTS
So, if you are using the default version of rsyslog, this is old enough that
it's unsupported by the community (but your issue is probably not version
dependent), what version is running?
Server rsyslog server config:
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ModLoad immark # provides --MARK-- message capability
# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 10514
why use an odd port like this instead of using the standard 514 port?
$template DynaFile,"/var/log/remote/%HOSTNAME%.log"
*.* -?DynaFile
ok, this logs everything into per hostname files, with no filtering ahead of it.
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Filter duplicated messages
$RepeatedMsgReduction on
#
# Set the default permissions for all log files.
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup adm
#
# Where to place spool files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
# This one is the template to generate the log filename dynamically, depending on the client's IP address.
$template %RemoteHost,,"/var/log/remote/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"
this template is by hostname, not client IP, you would use %fromhost-ip% instead
of %hostname% if you want it by IP
but it really doesn't matter since you don't have anything that uses this
template. I also think that you can't use % in a template name, and should only
have one ,
as a result, I'm pretty sure that you get errors about being unable to parse the
config file when you startup.
Client rsyslog config:
# $ModLoad imfile
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
# $ModLoad immark # provides --MARK-- message capability
# Watch /var/log/ejabberd/ejabberd.log
module(load="imfile" PollingInterval="10")
input(type="imfile"
File="/var/log/ejabberd/ejabberd.log"
Tag="ejabberd:"
StateFile="state-ejabberd"
Severity="info"
Facility="local6"
)
# Provides UDP forwarding. The IP is the server's IP address
# *.* @54.227.155.34:514
# Provides TCP forwarding. But the current server runs on UDP
*.* @@devil.walkingservers.net:10514
# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Filter duplicated messages
$RepeatedMsgReduction on
#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup adm
#
# Where to place spool files
#
$WorkDirectory /var/spool/rsyslog
#
$IncludeConfig /etc/rsyslog.d/*.conf
Can someone kick me in the direction of where I’m screwing up?
In general, you should put global directives before any output. I don't know if
that matters or not.
I don't know if there is anything being added by the include lines.
so, this sends logs from the client to the server, using the default format
(because you haven't specified anything), and the server then writes them to
/var/log/<hostname>.log files
now, you do set the logs you read from the file to the facility local6, so you
could filter on that on the server if you want them written separately
but, what is it that you think should be happening with this config? and what is
actually happening?
David Lang
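
The server-side filter on local6 suggested in the reply above, written out as an added example that is not part of the original thread. It uses the same legacy directive format as the posted server config; the template name EjabberdFile and its file path are assumptions made for illustration.

```conf
# Added example, not from the thread. EjabberdFile and its path are assumed names.
# Legacy-format fragment for the server's rsyslog.conf, after the imtcp listener lines.

# File settings first: legacy $File*/$Dir* directives apply only to actions
# defined after them, so they must precede the rules below.
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

# Per-host file for general traffic (template from the posted server config).
$template DynaFile,"/var/log/remote/%HOSTNAME%.log"

# Per-host file for the ejabberd log.
# %HOSTNAME% is read from the message itself; %fromhost-ip%, named in the
# reply, is the address of the sender as seen by the server.
$template EjabberdFile,"/var/log/remote/%HOSTNAME%/ejabberd.log"

# The client's imfile input stamps Facility="local6"; match on it.
local6.* -?EjabberdFile
# Discard what the previous rule matched so it is not written again below.
& ~

# Catch-all for the remaining traffic.
*.* -?DynaFile
```

Running `rsyslogd -N1` on the server checks the configuration for parse errors before the daemon is restarted.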