[rsyslog] Separating logs by host?
rgerhards at hq.adiscon.com
Fri Dec 21 11:07:36 CET 2007
Mmhhh... once we have expression support, that will be an easy thing to
do. Currently, I think there are a number of clumsy work-arounds. We
are around two months away from expressions, at least if all goes well.
I think you can achieve something with BSD-style filter blocks
(!progname/-host/+host), something along these lines:
Of course, this is hostname specific (and that again is not the IP but
what is in the message...)
To get to the IP, I think you can get at least some way with class A,B,C
addresses, but NOT with any other masks. Here is the idea:
$template dsl,"/var/log/dsl-%$NOW%.log"
$template routers,"/var/log/routers-%$NOW%.log"
:fromhost, startswith, "192.168.1." -?dsl
:fromhost, startswith, "192.168.3." -?routers
:fromhost, startswith, "10.1.1." -?routers
Common pitfall: be sure to include the trailing dot in the condition to
match. If the rule were
:fromhost, startswith, "192.168.1" -?dsl
It would match 192.168.1.1.2, 192.168.1.1.2 but also 192.168.1.11.2!
With the current engine, there are unfortunately no logical operations
available. So you cannot check for mail facility or whatever else. A
somewhat crude work-around would be to include the facility in the file
name, e.g. by specifying it as follows:
$template dsl,"/var/log/dsl-%syslogfacility-text%-%$NOW%.log"
That, of course, will result in a file written for each facility, even
those that you are not interested in. I unfortunately do not have a
solution for this now.
With v3 expressions, I envision something along these lines:
If maskmatch(FROMHOST, "192.168.1.0", 24) and syslog-facility-text ==
But that is not possible yet. And this is only an idea, not the actual
config file format we will have at that time. In my blog, there are a
number of posts about it, but the bottom line is that it is not yet
Doc about current capabilities is here:
search for "Filter Conditions" on that page.
The properties you need are documented here:
Keep in mind they ARE CASE-SENSITIVE! (and don't ask me why I had that
As always, feedback is appreciated. I would be most interested to learn
at which final config you arrived.
> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Scott Baker
> Sent: Friday, December 21, 2007 1:23 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Separating logs by host?
> Rainer Gerhards wrote:
> > I need to think about the real question a bit ;) Not an immediate
> > solution ... but not hopeless either ;)
> > On v2/v3 - v2 will be the next stable release:
> > http://rgerhards.blogspot.com/2007/12/begun-working-on-rsyslog-
> Another good example is that we have several linux mail servers. I
> like to aggregate all of their logging to one rsyslog server. They
> all log to mail.* on their local machines, and then forward also to
> my rsyslog server.
> The problem is that shows up in my mail.* on the syslog server, and
> thus gets mixed in with the local mail.* from the syslog server
> itself. It would be nice to be able to separate those, by IP would
> be the easiest.
> mail.* /var/log/maillog
> 126.96.36.199/32:mail.* /var/log/mail-server.log
> Or something like that...
> Scott Baker - Canby Telcom
> RHCE - System Administrator - 503.266.8253
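The prefix-match rules and the trailing-dot pitfall from the reply above, modelled in Python as an added example (not rsyslog code and not part of the thread): `startswith_filter` mimics the legacy `:fromhost, startswith, "..."` test, `route` applies the dsl/routers rule set in order, and `maskmatch_filter` shows what the envisioned maskmatch() expression would buy you, since a real CIDR test also handles masks that are not octet-aligned. The message list is constructed sample data and assumes FROMHOST carries the sender's dotted-quad address.

```python
import ipaddress

# Constructed sample input: (fromhost, facility) as rsyslog would see them.
SAMPLE_MESSAGES = [
    ("192.168.1.7", "mail"),
    ("192.168.1.12", "daemon"),
    ("192.168.11.3", "mail"),    # shares the prefix "192.168.1" but is another /24
    ("192.168.3.1", "local0"),
    ("10.1.1.200", "daemon"),
    ("10.2.0.5", "mail"),
]

# Rule set from the reply, in evaluation order: (prefix, template name).
RULES = [("192.168.1.", "dsl"), ("192.168.3.", "routers"), ("10.1.1.", "routers")]


def startswith_filter(prefix, messages=SAMPLE_MESSAGES):
    """Model of ':fromhost, startswith, "<prefix>"': a plain string prefix test."""
    return [host for host, _ in messages if host.startswith(prefix)]


def route(host, rules=RULES):
    """Return the template a host's messages would be written with, or None.
    Every matching rule fires in rsyslog, so this returns the list of all matches."""
    return [tpl for prefix, tpl in rules if host.startswith(prefix)]


def maskmatch_filter(network, bits, facility=None, messages=SAMPLE_MESSAGES):
    """Model of the envisioned 'maskmatch(FROMHOST, net, bits) and facility == x'.
    Uses a real CIDR comparison, so any mask length works, not only /8, /16, /24."""
    net = ipaddress.ip_network(f"{network}/{bits}", strict=False)
    return [host for host, fac in messages
            if ipaddress.ip_address(host) in net
            and (facility is None or fac == facility)]


if __name__ == "__main__":
    print("with trailing dot:   ", startswith_filter("192.168.1."))
    print("without trailing dot:", startswith_filter("192.168.1"))   # also hits 192.168.11.3
    print("route 10.1.1.200:    ", route("10.1.1.200"))
    print("mail from 192.168.1.0/24:", maskmatch_filter("192.168.1.0", 24, "mail"))
    print("anything in 10.0.0.0/15: ", maskmatch_filter("10.0.0.0", 15))
```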