rSyslog – How to Categorize Logs by Port with rSyslog

rsyslog

I've always used Syslog-NG for my logging situations, but my hands are tied and I have to use rsyslog, something I'm not overly familiar with.

I largely understand how to configure it, however, one of the ways I want to do it is to categorise by device type, ie, Linux device logs go into a linux folder, same for windows etc etc.

With Syslog-NG, I was able to do this by having a different port for each device type, and then having Syslog-ng place it in the correct folder by the port.

I can't find a way of doing this is in rsyslog. I've tried templates, but all that's doing is putting everything in the linux folder and everything in the windows folder, essentially duplicating. I've tried with filters, but getting nowhere with that either.

Firstly, does anyone know if its possible to categorise logs this way? And if so, could you point me in the right direction?

Best Answer

If you want to input from a given tcp port to go to one logfile, and from a second tcp port to go to another, check out Multiple Rulesets. The example Split local and remote logging for three different ports cut down to 2 tcp ports 10514 and 10515 gives you:

ruleset(name="remote10514"){
    action(type="omfile" file="/var/log/fileA")
}
ruleset(name="remote10515"){
    action(type="omfile" file="/var/log/fileB")
}
input(type="imptcp" port="10514" ruleset="remote10514")
input(type="imptcp" port="10515" ruleset="remote10515")

Inside each ruleset(){...} you can have any usual further filtering and templating.

Related Solutions

Remote rsyslog only writing logging data to /var/log/syslog and not custom logfiles

OK, solved it. I changed the config entry in my custom 22-remote.conf file in /etc/rsyslog.d/ from this:

:msg, contains, "AMAZONA-COMPUTERNAME1" /var/log/dbm/server-1.log
& ~
:msg, contains, "AMAZONA-COMPUTERNAME2" /var/log/dbm/server2.log
& ~

To this:

if $fromhost-ip == '10.11.12.12' then /var/log/dbm/server-1.log
& ~
if $fromhost-ip == '10.11.13.13' then /var/log/dbm/server2.log
& ~

Forwarding rsyslog to syslog-ng, with FQDN and facility separation

Okay, I found a way. It turns out the $ActionForwardDefaultTemplate by default is set to :

$ActionForwardDefaultTemplate RSYSLOG_ForwardFormat

Per this rsyslog documentation, the RSYSLOG_ForwardFormat is specifically used to maintain interoperability between different syslogs. No shocker then that if you modify this Forward template as I described originally, some functionality for other syslogs break:

$template MyTemplate, "%timestamp% <FQDN> %syslogtag%%msg%"
$ActionForwardDefaultTemplate MyTemplate

The workaround I found was to dig up the back-end template that RSYSLOG_ForwardFormat uses and mimic it. After digging through the source I eventually found that RSYSLOG_ForwardFormat is actually this:

"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"

So, if I create a custom template with almost the same content, but substitute my FQDN in place of the %HOSTNAME% macro, syslog-ng facility separation works properly and the system logs with FQDN:

$template MyForwardTemplate, "<%PRI%>%TIMESTAMP% <fqdn> %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
$ActionForwardDefaultTemplate MyForwardTemplate

Best Answer

Related Solutions

Remote rsyslog only writing logging data to /var/log/syslog and not custom logfiles

Forwarding rsyslog to syslog-ng, with FQDN and facility separation

Related Topic