David,
Thank you for clarifying all of that.
Based on what we are trying to do, I think we'd want to go the route of using a
ruleset.
So, using something like:
input(type="imtcp" port="514" ruleset="inbound")
input(type="imudp" port="514" ruleset="inbound")
ruleset(name="inbound" queue.type="FixedArray"){
actions
}
I'm translating that to:
$template remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
$template remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log"
$template remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log"
$template remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log"
# referenced by the mail.* rule in the ruleset
$template remote-maillog,"/var/remote/log/%HOSTNAME%/%$NOW%/maillog-%HOSTNAME%-%$NOW%.log"
$template remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log"
$template remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log"
$template remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log"
input(type="imtcp" port="514" ruleset="inbound")
input(type="imudp" port="514" ruleset="inbound")
ruleset(name="inbound" queue.type="FixedArray"){
user.*;daemon.*;syslog.* ?remote-messages
kern.* ?remote-kernel
*.emerg ?remote-emerg
authpriv.* ?remote-secure
mail.* -?remote-maillog
cron.* ?remote-cron
uucp,news.crit ?remote-spooler
local7.* ?remote-bootlog
}
That should result in me capturing all messages that come in over TCP or UDP,
and separate them out.
What tells rsyslog to log local (those not coming in via TCP or UDP) messages
to /var/log/...?
Thanks,
R. Singh
Sr. Systems Administrator
Middleware/PTC Support
904-633-5745
RC Offering: SC07507098
H0\/\/ T0/\/\0RR0\/\/ /\/\0\/35
"Give instruction to a wise man, and he will be yet wiser : teach a just man,
and he will increase in learning." - Proverbs 9:9
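As an added example (not posted by anyone in this thread): the input(...)/ruleset(...) object syntax above is RainerScript from rsyslog 7 and will not load on the 5.8.10 the original post mentions. The same design in the legacy directive syntax, which 5.8 understands and which later versions still accept, is shown below. It also answers the question about local messages: imuxsock and imklog are not bound to any ruleset, so what they read is handed to RSYSLOG_DefaultRuleset, and every rule written outside the inbound ruleset, i.e. the ordinary /var/log/* rules, belongs to that default ruleset. Two security points are worth keeping in mind. The HOSTNAME used in the dynafile templates is whatever the sending client wrote in its syslog header, so a remote sender can set it to the collector's own name (which is why filtering on hostname is the wrong tool) or to a string containing "/"; binding the ruleset to the input classifies by the socket a message arrived on and is unaffected by that, and the secpath-replace property option keeps a crafted HOSTNAME from steering the file path. The file paths and facility selectors are the poster's; the $AllowedSender network and the use of $RulesetCreateMainQueue (which needs 5.3.5 or later) are assumptions made for this example.

```rsyslog
# Central collector: /etc/rsyslog.conf in legacy directive syntax
# (understood by rsyslog 5.8 on RHEL 6; v7/v8 still accept it).
# The input()/ruleset() object syntax needs rsyslog 7 or later.

$ModLoad imuxsock    # local messages from /dev/log
$ModLoad imklog      # local kernel messages
$ModLoad imtcp
$ModLoad imudp

#### Templates for messages that arrived over the network ####
# HOSTNAME is whatever the sending client put in its syslog header, so it is
# untrusted input. secpath-replace rewrites any "/" in it as "_", so the
# dynafile can never leave /var/remote/log. %FROMHOST-IP%, the peer address
# of the connection, is the alternative if you would rather key on where the
# message actually came from. $NOW expands to YYYY-MM-DD.
$template remote-messages,"/var/remote/log/%HOSTNAME:::secpath-replace%/%$NOW%/messages-%HOSTNAME:::secpath-replace%-%$NOW%.log"
$template remote-kernel,"/var/remote/log/%HOSTNAME:::secpath-replace%/%$NOW%/kernel-%HOSTNAME:::secpath-replace%-%$NOW%.log"
$template remote-emerg,"/var/remote/log/%HOSTNAME:::secpath-replace%/%$NOW%/emerg-%HOSTNAME:::secpath-replace%-%$NOW%.log"
$template remote-secure,"/var/remote/log/%HOSTNAME:::secpath-replace%/%$NOW%/secure-%HOSTNAME:::secpath-replace%-%$NOW%.log"
$template remote-maillog,"/var/remote/log/%HOSTNAME:::secpath-replace%/%$NOW%/maillog-%HOSTNAME:::secpath-replace%-%$NOW%.log"
$template remote-cron,"/var/remote/log/%HOSTNAME:::secpath-replace%/%$NOW%/cron-%HOSTNAME:::secpath-replace%-%$NOW%.log"
$template remote-spooler,"/var/remote/log/%HOSTNAME:::secpath-replace%/%$NOW%/spooler-%HOSTNAME:::secpath-replace%-%$NOW%.log"
$template remote-bootlog,"/var/remote/log/%HOSTNAME:::secpath-replace%/%$NOW%/bootlog-%HOSTNAME:::secpath-replace%-%$NOW%.log"

#### Ruleset for the network listeners ####
# From "$RuleSet inbound" until the next $RuleSet line, every rule belongs to
# the "inbound" ruleset. A message delivered to this ruleset is processed only
# by these rules; it never reaches the default ruleset below, whatever
# HOSTNAME it claims. That is what keeps remote traffic out of /var/log/*.
$RuleSet inbound
# Separate queue for this ruleset (assumed available: needs 5.3.5 or later);
# the queue type defaults to FixedArray, which is what the thread asked for.
$RulesetCreateMainQueue on
user.*;daemon.*;syslog.*     ?remote-messages
kern.*                       ?remote-kernel
*.emerg                      ?remote-emerg
authpriv.*                   ?remote-secure
mail.*                       -?remote-maillog
cron.*                       ?remote-cron
uucp,news.crit               ?remote-spooler
local7.*                     ?remote-bootlog

#### Listeners: bind each one to the ruleset BEFORE starting it ####
# Syslog over UDP carries no authentication at all, so limit the senders.
# 192.0.2.0/24 is a placeholder network assumed for this example.
$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24
$AllowedSender TCP, 127.0.0.1, 192.0.2.0/24
$InputTCPServerBindRuleset inbound
$InputTCPServerRun 514
$InputUDPServerBindRuleset inbound
$UDPServerRun 514

#### Back to the default ruleset: local messages ####
# imuxsock and imklog are not bound to any ruleset, so what they read is
# handed to RSYSLOG_DefaultRuleset, i.e. to the rules below. This is the
# stock RHEL 6 rule block and is what writes /var/log/*.
$RuleSet RSYSLOG_DefaultRuleset
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     -/var/log/maillog
cron.*                                     /var/log/cron
*.emerg                                    *
uucp,news.crit                             /var/log/spooler
local7.*                                   /var/log/boot.log
```

Run rsyslogd -N1 against the file before restarting, as suggested further down in the thread. To confirm the split does what the hostname filter could not, send a test message from a remote client whose syslog header claims the collector's own hostname: it must appear under /var/remote/log/<that name>/ and nowhere in /var/log/messages. With the hostname comparison approach the same message would have landed in the local file.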
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of David Lang
Sent: Wednesday, May 04, 2016 1:06 PM
To: [email protected]
Subject: Re: [rsyslog] Remote messages getting into local logs
I'll bet that if you do rsyslogd -N2 it will report a lot of errors in the
config.
You are missing filter types (and in any case, working harder than you need to).
there are three classes of filters
traditional pri filters
user.* action
old rsyslog filters
:var, test, value action
rainerscript filters
if test then action
you are trying to use the old rsyslog filters in rainerscript syntax, that
doesn't work
if $hostname == $$myhostname then {
actions
} else {
actions
}
would be what you are trying to do.
But if you really want to separate the traffic that arrives from remote
systems completely from the traffic that is produced locally, the best way to
do that is with a ruleset
input(type="imtcp" port="514" ruleset="inbound")
input(type="imudp" port="514" ruleset="inbound")
ruleset(name="inbound" queue.type="FixedArray"){
actions
}
will effectively split rsyslog into two complete stacks, one that processes
locally generated messages with all the rules not defined in the inbound
ruleset (and using the main queue), and a second that processes all messages
that arrive via tcp or udp using the rules in the inbound ruleset (and using a
separate queue)
David Lang
On Wed, 4 May 2016 16:38:34 +0000, Singh, Radesh wrote:
> Hello,
>
> Perhaps I'm overthinking this, but as I've confused myself pretty
> good, I'm reaching out to you guys.
>
> We noticed that our remote clients' messages are flooding several of
> our local log files (messages,kernel,bootlog) on our central rsyslog
> server.
>
> We've been trying to craft some rules to tell the rsyslog server that if the
> hostname is not your hostname, use a specific block to separate the
> messages into their appropriate files, else, do the same type of
> separation, but store the messages locally...
>
> I tried...
>
> $template remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log"
> $template remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log"
> $template remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log"
> $template remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log"
> $template remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log"
> $template remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log"
> $template remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log"
>
> $template local-messages,"/var/log/messages"
> $template local-kernel,"/var/log/kernel"
> $template local-emerg,"/var/log/emerg"
> $template local-secure,"/var/log/secure"
> $template local-maillog,"/var/log/maillog"
> $template local-cron,"/var/log/cron"
> $template local-spooler,"/var/log/spooler"
> $template local-bootlog,"/var/log/bootlog"
>
> if :hostname,!isequal,$myhostname then {
> user.*;daemon.*;syslog.* ?remote-messages
> kern.* ?remote-kernel
> *.emerg ?remote-emerg
> authpriv.* ?remote-secure
> mail.* -?remote-maillog
> cron.* ?remote-cron
> uucp,news.crit ?remote-spooler
> local7.* ?remote-bootlog
> }
> else if :hostname,isequal,$myhostname then {
> user.*;daemon.*;syslog.* ?local-messages
> kern.* ?local-kernel
> *.emerg ?local-emerg
> authpriv.* ?local-secure
> mail.* -?local-maillog
> cron.* ?local-cron
> uucp,news.crit ?local-spooler
> local7.* ?local-bootlog
> }
>
> But messages from remote hosts get written to /var/log/messages, even
> though I thought I was telling rsyslog to filter on hostname, and if
> the hostname is not my hostname use one of my ?remote definitions.
> I tried using & ~ after my first line, but I find that if I do that
> ... nothing gets written to the local messages file.
> I'm doing this on RHEL 6.2, and rsyslog version is 5.8.10.
>
> Thank you,
>
> R. Singh
> Sr. Systems Administrator
> Middleware/PTC Support
> 904-633-5745
>
> RC Offering: SC07507098
>
> |-| () \/\/ ~|~ () |\/| () /? /? () \/\/ |\/| () \/ [- _\~
>
>
>
>
> This email transmission and any accompanying attachments may contain
> CSX privileged and confidential information intended only for the use
> of the intended addressee. Any dissemination, distribution, copying or
> action taken in reliance on the contents of this email by anyone other
> than the intended recipient is strictly prohibited. If you have
> received this email in error please immediately delete it and notify
> sender at the above CSX email address. Sender and CSX accept no
> liability for any damage caused directly or indirectly by receipt of
> this email.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.