CentOS 8 Logging – Remote Logging Logs on Both Custom Log and /var/log/messages

centos8loggingremotersyslog

I'm trying to configure a remote log host for my servers (all CentOS 8). I added this on my central server

if $fromhost-ip == '123.123.123.123' then /var/log/{{hostname}}.log

Also I changed my client config to

*.* @@321.321.321.321:514/var/log/{{hostname}}.log

But when I try to run:

sudo logger "test"

It both logs on /var/log/hostname.log and /var/log/messages on my central remote server

It also floods the custom log file with

pam_unix(sudo:session): session opened for user root by admin(uid=0)
log message here
pam_unix(sudo:session): session closed for user root

How do I set my logs only to send to my custom log file? And how do I filter these pam messages to be not included?

Thank you

Best Answer

Logging to multiple locations is perfectly allowed, so if you did not change the default configuration which logs most things to /var/log/messages, then they will continue to be logged there.

The config file /etc/rsyslog.conf contains, among other things:

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

You might add a property-based filter to discard messages after you have logged them once, based on various properties of the message. For example: After logging it once, the property-based filter will discard the message, preventing later configurations from logging it (the tilde means to discard the message and not process it further):

:fromhost-ip, isequal, '123.123.123.123' /var/log/{{hostname}}.log
:fromhost-ip, isequal, '123.123.123.123' ~

You're getting pam messages, because you used sudo, not because you ran logger. You will get those every time you run sudo. If you do not want to see them in the log, do not run sudo. It isn't necessary to use sudo to run logger anyway.

Related Topic