Hello,
Perhaps I'm overthinking this, but as I've confused myself pretty good, I'm
reaching out to you guys.
We noticed that our remote clients' messages are flooding several of our local
log files (messages, kernel, bootlog) on our central rsyslog server.
We've been trying to craft some rules to tell the rsyslog server that if the
hostname is not your hostname, use a specific block to separate the messages into
their appropriate files, else, do the same type of separation, but store the
messages locally...
I tried...
$template remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
$template remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log"
$template remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log"
$template remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log"
$template remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log"
$template remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log"
$template remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log"
$template local-messages,"/var/log/messages"
$template local-kernel,"/var/log/kernel"
$template local-emerg,"/var/log/emerg"
$template local-secure,"/var/log/secure"
$template local-maillog,"/var/log/maillog"
$template local-cron,"/var/log/cron"
$template local-spooler,"/var/log/spooler"
$template local-bootlog,"/var/log/bootlog"
if :hostname,!isequal,$myhostname then {
user.*;daemon.*;syslog.* ?remote-messages
kern.* ?remote-kernel
*.emerg ?remote-emerg
authpriv.* ?remote-secure
mail.* -?remote-maillog
cron.* ?remote-cron
uucp,news.crit ?remote-spooler
local7.* ?remote-bootlog
}
else if :hostname,isequal,$myhostname then {
user.*;daemon.*;syslog.* ?local-messages
kern.* ?local-kernel
*.emerg ?local-emerg
authpriv.* ?local-secure
mail.* -?local-maillog
cron.* ?local-cron
uucp,news.crit ?local-spooler
local7.* ?local-bootlog
}
But messages from remote hosts get written to /var/log/messages, even though I
thought I was telling rsyslog to filter on hostname, and if the hostname is not
my hostname use one of my ?remote definitions.
I tried using & ~ after my first line, but I find that if I do that ... nothing
gets written to the local messages file.
I'm doing this on RHEL 6.2, and rsyslog version is 5.8.10.
Thank you,
R. Singh
Sr. Systems Administrator
Middleware/PTC Support
904-633-5745
RC Offering: SC07507098
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog