Rsyslog Configuration – How to Stop Ignored Templates

configuration rsyslog template

I am trying to get my template for remote logging working, but the stop statement is ignored and everything is logged in duplicate, in the syslog and in my generated file %programname%.log. I want the incoming messages logged only in %programname%.log.

ZABBIX is my local machine where the rsyslog daemon runs. The remote devices are Sierra Wireless devices that are logging to ZABBIX. But everything from the Sierras is logged in duplicate. This is my configuration in /etc/rsyslog.conf.

$template remote-logs,"/media/jarne/Data/log/%FROMHOST%/%programname%.log", stop
:fromhost,isequal,"ZABBIX" stop
*.* ?remote-logs

I have also tried:
*.* ?remote-logs & stop and *.* ?remote-logs;stop, but I only get errors.

Can anyone tell me how the stop keyword works and where that is valid?

I use rsyslog version 8.32.0 on Ubuntu 18.04.3. Thanks in advance!

Best Answer

If your hostname is lowercase zabbix then

:fromhost,isequal,"zabbix" stop
*.* ?remote-logs

should ensure that your remote-logs file does not hold local messages, provided that these lines are at the end of the rsyslog config. However, it would then be too late to stop remote messages going to your local syslog.

It is simpler if you use a newer syntax called RainerScript where you can write things like

if ($fromhost == "zabbix") then {
  *.* /var/log/syslog
} else {
  *.* ?remote-logs
}
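
An added example, not part of the original answer: the same routing written entirely in RainerScript, with stop placed so that remote messages are written to their per-program file and never reach the local syslog rules. The file name is hypothetical, and the hostname value "zabbix" is the answer's assumption about the local host.

```rsyslog
# /etc/rsyslog.d/10-remote.conf
# Hypothetical file name: the "10-" prefix makes it load before Ubuntu's
# 50-default.conf, which holds the rules that write /var/log/syslog.

# Per-sender, per-program path, same layout as in the question.
template(name="remote-logs" type="string"
         string="/media/jarne/Data/log/%FROMHOST%/%programname%.log")

# Assumption (from the answer): locally generated messages carry
# $fromhost "zabbix"; the string comparison is case-sensitive.
# Alternative test for "not local": $fromhost-ip != "127.0.0.1"
if ($fromhost != "zabbix") then {
    # dynaFile expands the template for every message.
    action(type="omfile" dynaFile="remote-logs")
    # stop is a statement of its own: it discards the message here, so
    # rules that come later in the configuration never see it.
    stop
}
# Local messages fall through to the default rules unchanged.
```

Running `rsyslogd -N1` checks the configuration for syntax errors before the daemon is restarted.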