I suggest having a look at this:

http://www.rsyslog.com/howto-store-remote-messages-in-a-separate-file/

HTH
Riner


On Fri, Sep 5, 2014 at 7:29 AM, Edward Bailey <[email protected]>
wrote:

> Greetings,
>
> I have set up a central logging server using rsyslog-7.6. I have defined the
> usual location for local logs and a central location for remote logs. The
> problem is that remote events are being logged to the local logging
> location i.e. /var/log/messages.
>
> The setup seems straightforward, but I cannot figure out what I did wrong.
> Any suggestions are welcome. Thanks in advance.
>
> config
>
> #### MODULES ####
> $ModLoad imuxsock # local system logging (e.g. via logger command)
> $ModLoad imklog   # kernel logging (previously done by rklogd)
> $ModLoad imudp    # UDP syslog reception
> $ModLoad omudpspoof # for keeping headers intact for
> $ModLoad imtcp  # TCP syslog reception
> #--- End modules
>
> #### GLOBAL DIRECTIVES ####
> # Use default timestamp format
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>
> # and reduce any duplicates
> $RepeatedMsgReduction on
>
> # where to place spool files
> $WorkDirectory /var/lib/rsyslog
>
> #--- End global directives
>
> #### RULES ####
>
> #--- local ruleset
> $RuleSet local
>
> # The authpriv file has restricted access.
> authpriv.*                                  /var/log/secure
>
> # Log all the mail messages in one place.  Do not sync file after
> # every logging attempt.
>
> mail.*                                      -/var/log/maillog
>
> # Log cron stuff
> cron.*                                      /var/log/cron
>
> # Everybody gets emergency messages
> *.emerg                                     *
>
> # Save boot messages also to boot.log
> local7.*                                    /var/log/boot.log
>
> # Log anything (except mail) of level info or higher.
> # Don't log private authentication messages!
> *.info;mail.none;authpriv.none;cron.none;auth.none /var/log/messages
>
> #--- End local ruleset
>
> # Set default rule set:
> $DefaultRuleset local
>
> #--- remote ruleset
> $RuleSet remote
>
> action(type="omudpspoof" target="x.x.x.x" port="514")
>
> *.info;mail.none;                           -/opt/alllogs/all_logs
>
> #--- End remote ruleset
>
> #--- End rules
>
> #### LISTENERS ####
>
> # Provides UDP port 514 syslog reception.
> $InputUDPServerBindRuleset remote
> $UDPServerRun 514
>
> # Provides TCP port 514 syslog reception.
> $InputTCPServerBindRuleset remote
> $InputTCPServerRun 514
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>