Rsyslogd template stopped working

rsyslog

Really perplexed at what happened. I've had rsyslogd running on a CentOS 6.5 server for a while now, logging for remote hosts to a special folder, /data/rsyslog. Yesterday I set up our firewall to start logging and it was working fine, except the logs were large for that firewall, so I decided to set up a logrotate job for it to rotate. This morning all the logs rotated, but it was no longer logging to any files in my rsyslog folder for any hosts. At first I thought something was wrong with creating a new file, but what I found is that all the remote logs are now going to the standard /var/log/messages file. This is my rsyslog.conf file:

[root@backup1 etc]# cat rsyslog.conf
# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none        /var/log/messages

# The authpriv file has restricted access.
authpriv.*      /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit  /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

$template Secure_log,"/data/rsyslog/%fromhost%.secure"
$template Message_log,"/data/rsyslog/%fromhost%.message"

That is the way the file was, but I found that I don't have an action, so I added the following line to the end to test:

*.* ?Message_log

And now everything goes into their hostname files in that folder as expected, but it's also logging to the /var/log folder as well. I guess the line above is doing that with /var/log/messages. I have upgraded to rsyslogd version 7 in the process of trying to get this working. Not sure what happened, but I'm just trying to get it working from scratch now and can't seem to track down the proper configuration to log remote hosts to only that special folder. Can someone help?

Best Answer

If you want to make sure that your messages will be written to a specific file, you need to filter your messages.

When you use *.* ?Message_log at the end of the file, the message will first pass through *.info;mail.none;authpriv.none;cron.none /var/log/messages, as you expected.

Before $IncludeConfig /etc/rsyslog.d/*.conf, you need to declare your template, and use an if expression to filter your message. Try doing the following:

$template Secure_log,"/data/rsyslog/%fromhost%.secure"
$template Message_log,"/data/rsyslog/%fromhost%.message"
if ($fromhost-ip == "THE IP OF THE ONE SENDING MESSAGES") then {
  *.* ?Message_log
  stop
}

This will log the wanted messages in the file you specified, and discard them with the stop, so they won't be written elsewhere.

An alternative is creating a file in /etc/rsyslog.d/, like 00-example.conf, to make your configuration more organized. But make sure that the file's number is lower than the default file's (that is, 50).
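Since the question mentions an upgrade to rsyslog 7, here is the answer's filter restated in rsyslog 7's native RainerScript, as an added example that is not part of the question or the answer. It keeps the /data/rsyslog paths and template names from the page, assumes the existing $ModLoad/$UDPServerRun/$InputTCPServerRun lines stay in rsyslog.conf (so it loads no modules itself), and generalizes the single-IP check to "any non-local sender"; the authpriv split and the securepath option are additions of mine.

```rsyslog
# Added example, not from the question or answer. Place it in rsyslog.conf
# before $IncludeConfig, or in a low-numbered file under /etc/rsyslog.d/.

# Dynamic file names built from the sender. %fromhost% comes from reverse
# DNS of the sending address; the securepath-replace option turns any "/"
# in the resolved name into "_" so the generated path cannot leave the folder.
template(name="Message_log" type="string"
         string="/data/rsyslog/%fromhost:::securepath-replace%.message")
template(name="Secure_log" type="string"
         string="/data/rsyslog/%fromhost:::securepath-replace%.secure")

# Remote senders only. Messages received via imuxsock/imklog carry the
# address 127.0.0.1, so the local rules later in the file (e.g. the one for
# /var/log/messages) still apply to them and only to them.
if ($fromhost-ip != "127.0.0.1") then {
    # Keep authpriv separate (the answer only showed the .message file).
    if ($syslogfacility-text == "authpriv") then {
        action(type="omfile" dynaFile="Secure_log"
               dirCreateMode="0750" fileCreateMode="0640")
    } else {
        action(type="omfile" dynaFile="Message_log"
               dirCreateMode="0750" fileCreateMode="0640")
    }
    # Discard here so the remote message never reaches the /var/log/* rules.
    stop
}
```

The restrictive dirCreateMode/fileCreateMode values are there because these files hold log data from other hosts; adjust them to the group your log readers run as.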