Re: syslog.conf syntax to specify several clients
Thank you.
I was still guessing if my understanding was correct about !, !!, + and ++ being respectively same but for prog vs host.
It is nice to have it clarified.

On Thursday, March 9, 2023 at 06:16:04 p.m. GMT+9, Paul de Weerd wrote:

On Thu, Mar 09, 2023 at 04:00:24AM +, All wrote:
| Right.
| That is what I was suspecting. I did use wildcard, but some hosts
| use completely different fqdns, so...
| Anyway, thank you and blocks per host it is then.
|
| One question.
| What is the difference between ++host and +host?

Same effect as !prog vs !!prog, as mentioned in the documentation:
"work the same way as their prog counterparts". Again, from the same
syslog.conf(5) manpage:

> !!prog causes the subsequent block to abort evaluation when a message
> matches, ensuring that only a single set of actions is taken. !* can be
> used to ensure that any ensuing blocks are further evaluated (i.e.
> cancelling the effect of a !prog or !!prog).

Please carefully read that page, it has all the information you need.

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: syslog.conf syntax to specify several clients
On Thu, Mar 09, 2023 at 04:00:24AM +, All wrote:
| Right.
| That is what I was suspecting. I did use wildcard, but some hosts
| use completely different fqdns, so...
| Anyway, thank you and blocks per host it is then.
|
| One question.
| What is the difference between ++host and +host?

Same effect as !prog vs !!prog, as mentioned in the documentation:
"work the same way as their prog counterparts". Again, from the same
syslog.conf(5) manpage:

> !!prog causes the subsequent block to abort evaluation when a message
> matches, ensuring that only a single set of actions is taken. !* can be
> used to ensure that any ensuing blocks are further evaluated (i.e.
> cancelling the effect of a !prog or !!prog).

Please carefully read that page, it has all the information you need.

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: syslog.conf syntax to specify several clients
Right.
That is what I was suspecting. I did use wildcard, but some hosts
use completely different fqdns, so...
Anyway, thank you and blocks per host it is then.

One question.
What is the difference between ++host and +host?

On Thursday, March 9, 2023 at 01:47:44 a.m. GMT+9, Paul de Weerd wrote:

On Wed, Mar 08, 2023 at 03:39:07PM +0100, Noth wrote:
| On 07/03/2023 06:35, All wrote:
|
| > Hi all,
| >
| > I have a server that acts as a syslog aggregator
| > for several other servers. I was trying to see whether
| > clients can be specified on one line but I can't see anything
| > regarding syntax for such cases in man pages.
| >
| > Do we need to specify each client on the separate line?
| > Like:
| >
| Hi, yes you do.
| > I tried several kinds of semicolon, comma and plus syntax
| > but have not been able to make it work.
| > I can only see the very first host (eg. server1) in the log, not others.
|
| From the man page for syslog.conf:
|
| # Log everything coming from host bastion to a separate file.
| ++bastion
| *.* /var/log/bastion
| +*

If you look closely at the manpage[1], it says:

> Blocks starting with +host or ++host or +* work the same way as their
> prog counterparts, but they match on the hostname instead of the program
> name.

And for the 'prog counterparts' there's this bit:

> Each block of lines is separated from the previous block by a tag. The
> tag is a line beginning with !prog and each block will be associated with
> calls to syslog from that specific program (matched using glob(7) rules).

Note the '(matched using glob(7) rules)' bit. I have this in my
/etc/syslog.conf:

--- syslog.conf snippet --
# - send logs from ubiquiti wifi access points to their own logfiles
++ubiquiti-*.alm.weirdnet.nl
*.* /var/log/ubi
+*
--

Which sends the logs from ubiquiti-1, ubiquiti-2, ubiquiti-3 and so on
and so forth to /var/log/ubi.

So, no, you do NOT need to specify each client on a separate line, but
you may have to do so if you can't glob(7) the systems together.

Cheers,

Paul 'WEiRD' de Weerd

[1]: https://man.openbsd.org/syslog.conf.5

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: syslog.conf syntax to specify several clients
On Wed, Mar 08, 2023 at 03:39:07PM +0100, Noth wrote:
| On 07/03/2023 06:35, All wrote:
|
| > Hi all,
| >
| > I have a server that acts as a syslog aggregator
| > for several other servers. I was trying to see whether
| > clients can be specified on one line but I can't see anything
| > regarding syntax for such cases in man pages.
| >
| > Do we need to specify each client on the separate line?
| > Like:
| >
| Hi, yes you do.
| > I tried several kinds of semicolon, comma and plus syntax
| > but have not been able to make it work.
| > I can only see the very first host (eg. server1) in the log, not others.
|
| From the man page for syslog.conf:
|
| # Log everything coming from host bastion to a separate file.
| ++bastion
| *.* /var/log/bastion
| +*

If you look closely at the manpage[1], it says:

> Blocks starting with +host or ++host or +* work the same way as their
> prog counterparts, but they match on the hostname instead of the program
> name.

And for the 'prog counterparts' there's this bit:

> Each block of lines is separated from the previous block by a tag. The
> tag is a line beginning with !prog and each block will be associated with
> calls to syslog from that specific program (matched using glob(7) rules).

Note the '(matched using glob(7) rules)' bit. I have this in my
/etc/syslog.conf:

--- syslog.conf snippet --
# - send logs from ubiquiti wifi access points to their own logfiles
++ubiquiti-*.alm.weirdnet.nl
*.* /var/log/ubi
+*
--

Which sends the logs from ubiquiti-1, ubiquiti-2, ubiquiti-3 and so on
and so forth to /var/log/ubi.

So, no, you do NOT need to specify each client on a separate line, but
you may have to do so if you can't glob(7) the systems together.

Cheers,

Paul 'WEiRD' de Weerd

[1]: https://man.openbsd.org/syslog.conf.5

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
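Added example, not part of the thread and not syslogd's own code: a small Python model of the host-block rules quoted from syslog.conf(5) in the messages above, showing which log files a message from a given host reaches under +host, ++host and +*. It assumes every selector matches, treats ++ as stopping evaluation after the matching block, and uses a constructed config; `ap.example.net` and the `/var/log/messages` catch-all are placeholders.

```python
from fnmatch import fnmatchcase

# Constructed sample config, built from the blocks quoted in the thread.
# The final catch-all action is an assumption added for illustration.
SAMPLE_CONF = """\
# access points share a name pattern, so one glob block covers them
++ubiquiti-*.alm.weirdnet.nl
*.*    /var/log/ubi
+bastion
*.*    /var/log/bastion
+*
*.*    /var/log/messages
"""

def parse(conf):
    """Split the config into blocks of (host_pattern, quick, actions)."""
    blocks = [("*", False, [])]          # lines before any tag apply to all hosts
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            raise ValueError("!prog tags are not modelled in this example")
        if line.startswith("+"):
            # '++host' is the quick form; '+*' resets matching to every host
            blocks.append((line.lstrip("+"), line.startswith("++"), []))
        else:
            _selector, action = line.split(None, 1)   # selector is ignored here
            blocks[-1][2].append(action)
    return blocks

def route(conf, hostname):
    """Return the actions a message from hostname reaches, in config order."""
    reached = []
    for pattern, quick, actions in parse(conf):
        if not fnmatchcase(hostname, pattern):   # glob match on the hostname
            continue
        reached.extend(actions)
        if quick and actions:
            break                                # '++host': no later block is evaluated
    return reached

if __name__ == "__main__":
    for host in ("ubiquiti-2.alm.weirdnet.nl", "bastion", "ap.example.net"):
        print(host, "->", route(SAMPLE_CONF, host))
```

A host whose name the glob does not cover falls through to the catch-all block, which is the case where a separate block per host is still needed.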
Re: syslog.conf syntax to specify several clients
On 07/03/2023 06:35, All wrote:

> Hi all,
>
> I have a server that acts as a syslog aggregator
> for several other servers. I was trying to see whether
> clients can be specified on one line but I can't see anything
> regarding syntax for such cases in man pages.
>
> Do we need to specify each client on the separate line?
> Like:
>
Hi, yes you do.
> I tried several kinds of semicolon, comma and plus syntax
> but have not been able to make it work.
> I can only see the very first host (eg. server1) in the log, not others.

From the man page for syslog.conf:

# Log everything coming from host bastion to a separate file.
++bastion
*.* /var/log/bastion
+*

Use this block once per server. You should be able to tweak it by daemon, auth, etc.

Cheers,

Noth
syslog.conf syntax to specify several clients
Hi all,

I have a server that acts as a syslog aggregator
for several other servers. I was trying to see whether
clients can be specified on one line but I can't see anything
regarding syntax for such cases in man pages.

Do we need to specify each client on the separate line?
Like:

+server1
*.blah /some/dir
+server2
*.blah /some/dir

Or can we do something like this?

+server1, +server2
*.blah /some/dir

or

+server1,server2
*.blah /some/dir

I tried several kinds of semicolon, comma and plus syntax
but have not been able to make it work.
I can only see the very first host (eg. server1) in the log, not others.