Flo,
I followed the same syntax as you mentioned, however it doesn't stop sending 
those remote logs to the local logs as well.
This is what my /etc/rsyslog.conf file looks like:

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)

$ModLoad imjournal # provides access to the systemd journal

$ModLoad imudp

$UDPServerRun 514

$MainMsgQueueType Direct

$WorkDirectory /var/lib/rsyslog

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$umask 0000

$IncludeConfig /etc/rsyslog.d/*.conf

$FileCreateMode 0600

$OmitLocalLogging on

$IMJournalStateFile imjournal.state




*.info;local4.!notice;mail.none;authpriv.none;cron.none /var/log/messages

authpriv.*                                              /var/log/secure

mail.*                                                  -/var/log/maillog

cron.*                                                  /var/log/cron

*.emerg                                                 :omusrmsg:*

uucp,news.crit                                          /var/log/spooler

local7.*                                                /var/log/boot.log


And my remote log file under /etc/rsyslog.d looks just as below (pasted only a 
few lines, but I have a few more similar entries):

#This will allow this server to log the remotely forwarded logs

$FileCreateMode 0664

$fileOwner netman

$FileGroup cscworks

$dirOwner netman

if $fromhost-ip == '10.X.X.X' then {
    action(type="omfile" file="/opt/apps/syslog/fw1-admin.log")
    stop
}

if $fromhost-ip == '10.X.X.X' then {
    action(type="omfile" file="/opt/apps/syslog/fw1-comm-core.log")
    stop
}

if $fromhost-ip == '10.X.X.X' then {
    action(type="omfile" file="/opt/apps/syslog/fw1-comm-dist.log")
    stop
}
And I have one more .conf file under /etc/rsyslog.d which is just like the 
below:
# local4.notice                           /var/log/usercommands
local4.notice;auth.*;authpriv.*         @remotesyslogserver

Also listen.conf:
$SystemLogSocketName /run/systemd/journal/syslog

The files are being written to both /var/log/messages and /var/log/usercommands 
as well, in addition to the files under /opt/apps/syslog.
Really appreciate any suggestion/fix to this.
Thanks
Haary.
    On Friday, May 4, 2018, 4:02:28 AM EDT, Flo Rance <[email protected]> 
wrote:  
 
 If you want to use multiple instructions, you may want to use this syntax:
if $fromhost-ip == '10.XX.X' then {
  action(type="omfile" file="/opt/apps/syslog/fw1-admin.log")
  stop
}
There's an example there in the doc: 
https://www.rsyslog.com/doc/v8-stable/concepts/multi_ruleset.html

Maybe that one might work as well, but I haven't tested yet.
if $fromhost-ip == '10.XX.X' then {
  /opt/apps/syslog/fw1-admin.log
  stop
}
Flo


On Thu, May 3, 2018 at 6:48 PM, Haary rock <[email protected]> wrote:

 Flo,
I tried that then I started getting this error while I restart the service

May 03 12:40:11 Hostname rsyslogd[30213]: invalid character in selector line - ';template' expected [v8.24.0]
May 03 12:40:11 Hostname rsyslogd[30213]: error during parsing file /etc/rsyslog.d/remotelog.conf, on or before line 54: errors occured in file '/etc/rsyslog.d/remotelog.conf' around line 54 [v8.24.0 try http://www.rsyslog.com/e/2207 ]
May 03 12:40:11 Hostname rsyslogd[30213]: invalid character in selector line - ';template' expected [v8.24.0]
May 03 12:40:11 Hostname rsyslogd[30213]: error during parsing file /etc/rsyslog.d/remotelog.conf, on or before line 55: errors occured in file '/etc/rsyslog.d/remotelog.conf' around line 55 [v8.24.0 try http://www.rsyslog.com/e/2207 ]
This is what I added in the .conf file
if $fromhost-ip == '10.XX.X' then /opt/apps/syslog/fw1-admin.log stop
if $fromhost-ip == '10.X.X.X' then /opt/apps/syslog/fw1-comm-core.log stop
if $fromhost-ip == '10.X.X.X' then /opt/apps/syslog/fw1-comm-dist.log stop
if $fromhost-ip == '10.X.X.X' then /opt/apps/syslog/fw2-admin.log stop
if $fromhost-ip == '10.X.X.X' then /opt/apps/syslog/fw2-comm-core.log stop
But as soon as I remove the stop, it started the service without the error ... 
maybe my syntax is not correct?
Thanks in advance for any help, really appreciated.
Regards
Haary
    On Thursday, May 3, 2018, 12:25:29 PM EDT, Haary rock via rsyslog 
<[email protected]> wrote:  
 
  Thanks, I will try that for each entry ...
Regards
Harry..
    On Thursday, May 3, 2018, 10:36:07 AM EDT, Flo Rance <[email protected]> 
wrote:  
 
 You should give a condition, otherwise it will stop processing for all 
messages.

E.g. if $fromhost-ip contains '10..x.x.x' then stop

On Thu, May 3, 2018 at 3:55 PM, Haary rock via rsyslog 
<[email protected]> wrote:

 Sorry, I am reposting since it mangled the text.

The problem is if I use the &~ at the end of the line, it doesn't stop 
sending the logs to /var/log/messages.

But if I use the "stop" at the end of the file, it stops sending messages to 
/var/log/messages completely.

&~ used to work on the previous version of syslog, but it's not working on 
rsyslogd 8.24.0 (RHEL 7.0).
I have my .conf file here 

#This will allow this server to log the remotely forwarded logs

$FileCreateMode 0664

$fileOwner xxxx

$FileGroup xxx

$dirOwner xxxx

#

$template FilenameTemplateOne,"/opt/apps/syslog/%HOSTNAME%.log"

if $fromhost-ip startswith '192.168.' then -?FilenameTemplateOne

#

$template FilenameTemplateOne,"/opt/apps/syslog/%HOSTNAME%.log"

if $fromhost-ip startswith '209.95.224.' then -?FilenameTemplateOne

#

if $fromhost-ip == '10.x.x.x' then /opt/apps/syslog/Fw1.log

if $fromhost-ip == '10..x.x.x' then /opt/apps/syslog/fw2.log

if $fromhost-ip == '10..x.x.x' then /opt/apps/syslog/mainsw1.log

if $fromhost-ip == '10..x.x.x' then /opt/apps/syslog/secswitch.log

stop

&~ used to work on the previous version of syslog, but it's not working on 
rsyslogd 8.24.0 (RHEL 7.0).

It gives this warning when I restart syslog:
rsyslogd[25517]: warning: ~ action is deprecated, consider using the 'stop' statement instead

Any help would be greatly appreciated.
Thanks
Haary.
    On Wednesday, May 2, 2018, 5:24:14 PM EDT, David Lang 
<[email protected]> wrote:  

 On Wed, 2 May 2018, Haary rock via rsyslog wrote:

> #This will allow this server to log the remotely forwarded 
> logs$FileCreateMode 0664$fileOwner netman$FileGroup cscworks$dirOwner 
> netman#$template FilenameTemplateOne,"/opt/ apps/syslog/%HOSTNAME%.log"if 
> $fromhost-ip startswith '192.x.' then -?FilenameTemplateOne#$ template 
> FilenameTemplateOne,"/opt/ apps/syslog/%HOSTNAME%.log"if $fromhost-ip 
> startswith 'x.x.x..' then -?FilenameTemplateOne#if $fromhost-ip == '10.x.x.1' 
> then /opt/apps/syslog/Firewall1- admin.logif $fromhost-ip == '10.x.x.x' then 
> /opt/apps/syslog/firewall- core.logif $fromhost-ip == '10.x.x.x' then 
> /opt/apps/syslog/switch1.logif $fromhost-ip == '10.x.x.x' then 
> /opt/apps/syslog/switch2- admin.log
> there are few more similar entries from all the Ip's I wanted to create the 
> logs ..
> the problem is if I use the  &~ at the end of the line .. its doesn't stop 
> sending the logs to /var/log/messages ..
> but if I use the "stop" at the end of the file .. its stops sending messages 
> to /var/log/messages completely .
> &~ used to work on previous version of syslog ..but its not working on the 
> rsyslogd 8.24.0 (RHEL 7.0)

please retry your post, as you can see, it mangled the files you were posting

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
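
The multi-ruleset approach from the documentation linked in the thread, as an added example that is not part of any poster's message or of the rsyslog documentation: the UDP listener is bound to its own ruleset, so remote messages are processed only by the rules inside it and never reach the default rules that write /var/log/messages. It assumes the legacy "$ModLoad imudp" and "$UDPServerRun 514" lines are removed from /etc/rsyslog.conf; the 192.0.2.x addresses, the ruleset name "remote" and the template name "UnknownSender" are constructed placeholders.

```conf
# /etc/rsyslog.d/remotelog.conf (added example; names and addresses are placeholders)
# Assumes "$ModLoad imudp" and "$UDPServerRun 514" were removed from
# /etc/rsyslog.conf, so this file owns the only UDP listener.
module(load="imudp")

# Senders without a dedicated rule get a file named after the address the
# receiver observed, not after the hostname field carried inside the message.
template(name="UnknownSender" type="string"
         string="/opt/apps/syslog/unmatched-%fromhost-ip%.log")

# Messages entering through an input bound to this ruleset are processed
# only by the statements below, not by the default rules in rsyslog.conf.
ruleset(name="remote") {
    if $fromhost-ip == '192.0.2.10' then {
        action(type="omfile" file="/opt/apps/syslog/fw1-admin.log"
               fileOwner="netman" fileGroup="cscworks" fileCreateMode="0664")
        stop
    }
    if $fromhost-ip == '192.0.2.11' then {
        action(type="omfile" file="/opt/apps/syslog/fw1-comm-core.log"
               fileOwner="netman" fileGroup="cscworks" fileCreateMode="0664")
        stop
    }
    # Fallback: keep traffic from unlisted senders instead of dropping it.
    action(type="omfile" dynaFile="UnknownSender"
           fileOwner="netman" fileGroup="cscworks" fileCreateMode="0664")
}

# The ruleset is defined above, before the input that refers to it.
input(type="imudp" port="514" ruleset="remote")
```

Running rsyslogd -N1 checks the configuration for syntax errors before the service is restarted.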

  