Rsyslog relp – preventing remote logs from being written to the local /var/log

Tags: logging, rsyslog

I've set up a logging server using rsyslog with relp. It works just fine as far as receiving remote logs and placing them in /var/spool/rsyslog.

My problem is: most of these messages are appearing in my /var/log/messages file as well, which can get fairly huge, fairly fast.

My config on the logging server:

    #### MODULES ####

    $ModLoad imuxsock # provides support for local system logging
    $ModLoad imklog   # provides kernel logging support (previously done by rklogd)

    # RELP config
    $ModLoad imrelp
    $InputRELPServerRun 2514

    #### GLOBAL DIRECTIVES ####

    # Filter duplicated messages
    $RepeatedMsgReduction on

    # Set the default permissions for all log files.
    $FileOwner syslog
    $FileGroup adm
    $FileCreateMode 0640
    $DirCreateMode 0755
    $Umask 0022
    $PrivDropToUser syslog
    $PrivDropToGroup syslog

    # Where to place spool files
    $WorkDirectory /var/spool/rsyslog

    # Include all config files in /etc/rsyslog.d/
    $IncludeConfig /etc/rsyslog.d/*.conf

    # global templates
    # DONT CHANGE UNLESS YOU KNOW WHAT YOU ARE DOING
    $ActionFileDefaultTemplate RSYSLOG_ForwardFormat
    $template precise,"%syslogpriority% %syslogfacility% %timegenerated% %HOSTNAME% %syslogtag% %msg%\n"
    $ActionFileDefaultTemplate precise

    # This should place all remote log items into /var/spool/rsyslog
    $template RemoteHost,"/var/spool/rsyslog/%programname%.log"

    # My brain says: this prevents anything coming in from a remote host from
    # being written in /var/log/whatever - MY BRAIN LIES TO ME!
    if ($hostname != 'my.server.name') then ?RemoteHost
    &~

My reading of the man page says that the hostname check and the "ampersand tilde" should prevent remote stuff from tainting my logfiles.

Clues?

DISTRIB_DESCRIPTION="Ubuntu 12.04.3 LTS"

Best Answer

You must have something like this in your rsyslog config file:

    *.*;auth,authpriv.none          -/var/log/syslog

If you take a look, you are registering ALL severities from ALL facilities to the syslog file, except the auth and authpriv facilities.

Simply add the facility which you don't want to log, plus the "none" severity, e.g. local6:

    *.*;auth,authpriv.none;local6.none          -/var/log/syslog

Of course, you must restart or reload the rsyslog daemon after modifying the config files.

Hope this helps; it is far simpler than using complex rsyslog filters.
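As an added example (not part of the original question or answer), here is how the facility-based exclusion fits together with the spool template from the question, written in the same legacy rsyslog syntax the page uses. It assumes the remote senders log with facility local6 and that the catch-all selector lives in /etc/rsyslog.d/50-default.conf (the Ubuntu default); both are assumptions, not facts from the page.

```rsyslog
# Added example, not from the original post.
# Assumptions: remote senders use facility local6; the Ubuntu catch-all
# selector is in /etc/rsyslog.d/50-default.conf. Files matched by
# $IncludeConfig /etc/rsyslog.d/*.conf are read in name order, so a file
# named 10-remote.conf is processed before 50-default.conf.

### /etc/rsyslog.d/10-remote.conf ###

# RELP listener, as in the question.
$ModLoad imrelp
$InputRELPServerRun 2514

# One file per sending program under the spool directory, as in the question.
$template RemoteHost,"/var/spool/rsyslog/%programname%.log"

# Write every local6 message to its spool file ...
local6.*    ?RemoteHost
# ... and discard it so that no later rule sees it. rsyslog evaluates rules
# top-down and a discard only affects the rules that follow it, which is why
# this must come before the catch-all rule.
& ~

### /etc/rsyslog.d/50-default.conf (edited line only) ###

# The catch-all with local6 excluded, as the answer suggests. This also keeps
# local6 out of /var/log/syslog if the rule above is ever reordered or removed.
*.*;auth,authpriv.none;local6.none    -/var/log/syslog
```

Because the facility is chosen by the sender, this separates traffic only as well as the senders are configured; a syntax check with `rsyslogd -N1` before restarting catches typos in the selector lines.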