Hi @ll, i used Syslog-ng on Debian as central loghost since ~10 years.
Now i'm trying to install a new central loghost with rsyslog on Debian 9 (Stretch), because rsyslog is the default syslog daemon in Debian and i wanted to keep things simple. My Goal is to log incoming logs to /var/log/HOSTS/%HOSTNAME%/%PROGRAMNAME%.log an do some logrotate. Remote logs should not be logged in the normal /var/log/xyz.log files. It would be nice if i could accomplish this, by not touching the original /etc/rsyslog.conf and using an individual config file in /etc/rsyslog.d/ (loghost.conf). I searched a lot on the net and there are several Howtos online, but most of them are 90% identical. So i used this one: https://www.howtoforge.com/tutorial/rsyslog-centralized-log-server-in-debian-9/ I adapted the settings to my needs. This is my loghost.conf: # # Config for centralized loghost on this machine # # provides UDP syslog reception module(load="imudp") input(type="imudp" port="514") # provides TCP syslog reception module(load="imtcp") input(type="imtcp" port="514") # Restrict who can send us logs $AllowedSender UDP, 127.0.0.1, 192.168.0.0/24, *.yourdomain.com $AllowedSender TCP, 127.0.0.1, 192.168.0.0/24, *.yourdomain.com # Template to sort incoming logs to the right place $template RemoteLogs,"/var/log/HOSTS/%HOSTNAME%/%PROGRAMNAME%.log" *.* ?RemoteLogs & ~ <---cut---> OK, logs are being redirected to the /var/log/HOSTS/... folders. But there are some Problems. First problem is: All logs are redirected, not only the remote ones. Maybe that happens because of the second Problem: There are warnings/errors in liblogging-stdlog.log: Mar 5 12:37:01 my-srv liblogging-stdlog: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.24.0 try http:/ /www.rsyslog.com/e/2307 ] Mar 5 12:37:01 my-srv liblogging-stdlog: error during config processing: STOP is followed by unreachable statements! [v8.24.0 try http:/ /www.rsyslog.com/e/2207 ] I played a little bit with the options and tried some other templates but couldn't get around this problem. Also the rsyslog FAQ and config examples didn't help me out. Maybe i dont see the forest because of the trees... I would be very thankfull if one could give me some hints. Thanks and sorry for my bad english. I hope you get what i mean. Greetings, Marcel _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
