Rsyslog filter by client

rsyslogsyslog

I set up an Rsyslog server that can receive messages from clients. The problem is that everything is concatenated to /var/log/syslog, so I'm trying to set up a filter server side.

I added this line at the end of /etc/rsyslog.conf:

if $fromhost-ip == '123.123.123.123' then /var/log/clientA.log

But it doesn't work at all (even if I replace == by != which is really weird). Of course I didn't forget to restart the service.

Any idea welcome.

Best Answer

Our config has some extra error checking in it preventing random hosts from generating logs.

# Templates                    
$template RemoteHost,"/data/log/remote/%HOSTNAME%/%$YEAR%/%$MONTH%-%$DAY%.log"
$template Garbage,"/data/log/remote/GARBAGE/%HOSTNAME%/%$YEAR%/%$MONTH%-%$DAY%.log"

# Discard SNMPD Connection Messages
if $programname == 'snmpd' and ( $msg contains 'Connection from UDP' or $msg contains 'Received SNMP packet(s) from UDP' ) then ~

# Archival Storage
#    All Messages, locally and remote stored to these rules
if $hostname contains '.mydomain.com' or $hostname contains '.myotherdomain.com' or $hostname contains '.local' then { 
  *.* ?RemoteHost 
} else { 
  *.* ?Garbage
}

# If not sourced locally, stop processing message.
:source , !isequal , "syslog1" ~

Related Solutions

Ubuntu – rsyslog dynamic file filter

To remediate this issue, I commented out $IncludeConfig /etc/rsyslog.d/*.conf and added in 2 IP-based filter conditions.

if $fromhost-ip == '127.0.0.1' then /var/log/syslog 
if $fromhost-ip != '127.0.0.1' then ?JUNIPER

Essentially, this sends everything coming from localhost to /var/log/syslog. Remote host logs are then sent to their respective dynamic directories.

Converting to rsyslog v7 new config format

Well after a bunch of head-banging I figured this out on my own. First off, there's a bug in some versions of rsyslog that will prevent this from working (you'll never see a connection established to one or more of the target servers) so make sure you're using version 7.6 or later of rsyslog.

Make sure your CA file has any CA's needed for all targets listed in it. Order isn't important. Then your conf file should look something like this:

$DefaultNetstreamDriverCAFile /etc/pki/rsyslog/ca.pem

*.* action(type="omfwd" protocol="tcp" Target="10.50.59.241" Port="6514" StreamDriverMode="1" StreamDriver="gtls" StreamDriverAuthMode="anon")

*.* action(type="omfwd" Protocol="tcp" Target="some.other.host.com" Port="6514" StreamDriverMode="1" StreamDriver="gtls" StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="*.some.other.host.com")

Best Answer

Related Solutions

Ubuntu – rsyslog dynamic file filter

Converting to rsyslog v7 new config format

Related Topic