Debian – rsyslog: log message from remote host to specific file


I am trying to log messages from a specific remote host to a separate log file (and only to that file). I tried this:

# cat /etc/rsyslog.d/avs110door.conf 

if $fromhost == 'avs110' then /var/log/avs110-door.log
& stop

The log file is not created, and the messages from that host are still sent to user.log, syslog, messages and auth.log (depending on the facility).

I did run systemctl restart rsyslog.service and other .conf files from that directory do work as expected.

This is a Debian Jessie server with rsyslog version 8.4.2-1+deb8u2.

The messages in the wrong files are like this (so the remote hostname is indeed 'avs110' as in my .conf file condition):

Jul 18 18:27:19 avs110 sshd[781]: Server listening on :: port 22.
Jul 18 18:27:39 avs110 engine[844]: Finished initialization
Jul 18 18:44:20 avs110 engine[844]: Calling sip:600@192.168.44.152:5060

Best Answer

It turned out that the $fromhost variable is not the host name as it appears in the message, but the fully qualified domain name. The message's hostname is in another variable: $hostname.

So what I had tried didn't work, but any of the following do work to send logs from a specific host to a specific log file:

  • $hostname : as it appears in the message
  • $fromhost : FQDN from reverse lookup
  • $fromhost-ip : well, that one is obvious: the IP

Or:

if $hostname    == 'avs110'             then /var/log/avs110.log
& stop

if $fromhost    == 'avs110.example.com' then /var/log/avs110.log
& stop

if $fromhost-ip == '192.168.44.159'     then /var/log/avs110.log
& stop
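
An added example, not part of the original answer: a rule file that first records the three properties side by side, then routes on the address the message was received from, and keeps apart any message that only claims the name avs110 in its text. The template name `WhoSentIt` and the `-props.log` and `-mismatch.log` file names are assumptions; the host name and IP are the sample values from the answer.

```rsyslog
# Added example. Constructed names: WhoSentIt, avs110-props.log, avs110-mismatch.log.

# Diagnostic: write the three properties next to each other so you can see
# which value each one actually holds for this sender.
template(name="WhoSentIt" type="string"
         string="%timegenerated% hostname=%hostname% fromhost=%fromhost% fromhost-ip=%fromhost-ip% %syslogtag%%msg%\n")

if $hostname == 'avs110' or $fromhost-ip == '192.168.44.159' then {
    action(type="omfile" file="/var/log/avs110-props.log" template="WhoSentIt")
}

# Route on the address rsyslog received the message from.
if $fromhost-ip == '192.168.44.159' then {
    action(type="omfile" file="/var/log/avs110.log")
    stop
}

# $hostname is parsed from the message text, so the sender chooses it.
# Anything reaching this rule claims to be avs110 but came from another address.
if $hostname == 'avs110' then {
    action(type="omfile" file="/var/log/avs110-mismatch.log")
    stop
}
```

Check the syntax with `rsyslogd -N1` before restarting the service.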