Create separated syslog file for each host with rsyslog

configurationloggingrsyslogsyslog

I have a syslog server (running rsyslog on RHEL 7.4) that consolidates all the syslogs from my network devices. It's listening on port TCP/514.

I want to redirect the logs of each device to a different file in a dedicated directory (based on their IP address), instead of getting them all in /var/log/messages. How can I do that?

Best Answer

It seems it is documented on rsyslog web site here : https://www.rsyslog.com/storing-and-forwarding-remote-messages

To summarize :

You should define a template for log files, something like e.g :

# log every host in its own directory
$template RemoteHost,"/var/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"

Then apply this template to messages coming from remote hosts :

# Remote Logging
$RuleSet remote
*.* ?RemoteHost

Related Solutions

Linux – Best Practices for rotating syslog logs on RHEL with different schedules

Set up a separate block for the messages log in /etc/logrotate.d/rsyslog (or whatever it's called on your install). It should use the setting for the specific log file match preferentially to a general one.

No, as Zoredache mentioned, multiple HUPs shouldn't break anything unless you're really hammering rsyslog anyway.

Remote rsyslog only writing logging data to /var/log/syslog and not custom logfiles

OK, solved it. I changed the config entry in my custom 22-remote.conf file in /etc/rsyslog.d/ from this:

:msg, contains, "AMAZONA-COMPUTERNAME1" /var/log/dbm/server-1.log
& ~
:msg, contains, "AMAZONA-COMPUTERNAME2" /var/log/dbm/server2.log
& ~

To this:

if $fromhost-ip == '10.11.12.12' then /var/log/dbm/server-1.log
& ~
if $fromhost-ip == '10.11.13.13' then /var/log/dbm/server2.log
& ~

Best Answer

Related Solutions

Linux – Best Practices for rotating syslog logs on RHEL with different schedules

Remote rsyslog only writing logging data to /var/log/syslog and not custom logfiles

Related Topic