Linux – rsyslog: How to direct messages from all remote machines to one file

linuxloggingrsyslogsyslog

We have a syslog server and we have all our servers logging to it.

We want a sort of "catch-all" drippan rule for all remote messages that we have not configured a rule for.

Anyone know how to accomplish this?

Best Answer

So this is how I configured this in rsyslog.conf:

# Log remote hosts to separate log file
$template PerHostLog,"/var/log/remote-hosts/%HOSTNAME%.log"
$template RemoteHostFileFormat,"%TIMESTAMP% %HOSTNAME% %syslogfacility-text% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::space-cc,drop-last-lf%\n"
:inputname, isequal, "imudp" ?PerHostLog;RemoteHostFileFormat
& ~

This traps all log messages received via UDP (imudp) and puts it in a file whose filename corresponds to the hostname the log message originated from.

Related Solutions

Linux Bash – How to Sort du -h Output by Size

As of GNU coreutils 7.5 released in August 2009, sort allows a -h parameter, which allows numeric suffixes of the kind produced by du -h:

du -hs * | sort -h

If you are using a sort that does not support -h, you can install GNU Coreutils. E.g. on an older Mac OS X:

brew install coreutils
du -hs * | gsort -h

From sort manual:

-h, --human-numeric-sort compare human readable numbers (e.g., 2K 1G)

How to setup rsyslog to send all logs to multiple remote servers

From Forwarding to More than One Server;

What is important to know, however, is that the full set of directives make up an action. So you can not simply add (just) a second forwarding rule, but need to duplicate the rule configuration as well. Be careful that you use different queue file names for the second action, else you will mess up your system.

So, actually, you have to use 2 different local queues.

Configure a working directory.

$WorkDirectory /var/spool/rsyslog

Configure your forwarding rules (obsolete legacy format).

$ActionQueueType LinkedList
$ActionQueueFileName Forward1
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
*.* @@server1

$ActionQueueType LinkedList
$ActionQueueFileName Forward2
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
*.* @@server2

Configure your forwarding rules (new advanced format).

action(type="omfwd" target="server1" resumeRetryCount="-1" 
    queue.type="LinkedList" queue.filename="Forward1" queue.saveOnShutdown="on")

action(type="omfwd" target="server2" resumeRetryCount="-1" 
    queue.type="LinkedList" queue.filename="Forward2" queue.saveOnShutdown="on")

Best Answer

Related Solutions

Linux Bash – How to Sort du -h Output by Size

How to setup rsyslog to send all logs to multiple remote servers

Related Topic