Greetings, I have setup a central logging server using rsyslog-7.6. I have defined the usual location for local logs and a central location for remote logs. The problem is that remote events are being logged to the local logging location i.e. /var/log/messages.
The setup seems straightforward, but I cannot figure out what I did wrong. Any suggestions are welcome. Thanks in advance. config #### MODULES #### $ModLoad imuxsock # local system logging (e.g. via logger command) $ModLoad imklog # kernel logging (previously done by rklogd) $ModLoad imudp # UDP syslog reception $ModLoad omudpspoof # for keeping headers intact for $ModLoad imtcp # TCP syslog reception #--- End modules #### GLOBAL DIRECTIVES #### # Use default timestamp format $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # and reduce any duplicates $RepeatedMsgReduction on # where to place spool files $WorkDirectory /var/lib/rsyslog #--- End global directives #### RULES #### #--- local ruleset $RuleSet local # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. Do not sync file after # every logging attempt. mail.* -/var/log/maillog # Log cron stuff cron.* /var/log/cron # Everybody gets emergency messages *.emerg * # Save boot messages also to boot.log local7.* /var/log/boot.log # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none;auth.none /var/log/messages #--- End local ruleset # Set default rule set: $DefaultRuleset local #--- remote ruleset $RuleSet remote action(type="omudpspoof" target="x.x.x.x" port="514") *.info;mail.none; -/opt/alllogs/all_logs #--- End remote ruleset #--- End rules #### LISTENERS #### # Provides UDP port 514 syslog reception. $InputUDPServerBindRuleset remote $UDPServerRun 514 # Provides TCP port 514 syslog reception. $InputTCPServerBindRuleset remote $InputTCPServerRun 514 _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
