[rsyslog] Separating logs by host?

Rainer Gerhards rgerhards at hq.adiscon.com
Fri Dec 21 11:07:36 CET 2007


Mmhhh... once we have expression support, that will be an easy thing to
do. Currently, I think there are a number of clumsy work-arounds. We
are around two months away from expressions, at least if all goes well.

I think you can achieve something with BSD-style filter blocks
(!progname/-host/+host), something along these lines:

-host
mail.*	/var/log/maillog
+hostname
mail.*	/var/log/mail-server.log

Of course, this is hostname specific (and that again is not the IP but
what is in the message...)

To get to the IP, I think you can get at least some way with class A,B,C
addresses, but NOT with any other masks. Here is the idea:

$template dsl, /var/log/dsl-%$NOW%.log
$template routers, /var/log/routers-%$NOW%.log
:FROMHOST, startswith, "192.168.1."   -?dsl
:FROMHOST, startswith, "192.168.3."   -?routers
:FROMHOST, startswith, "10.1.1."      -?routers

Common pitfall: be sure to include the trailing dot in the condition to
match. If the rule were

:FROMHOST, startswith, "192.168.1"   -?dsl

it would match 192.168.1.1, 192.168.1.2 but also 192.168.11.2!

With the current engine, there are unfortunately no logical operations
available. So you cannot check for mail facility or whatever else. A
somewhat crude work-around would be to include the facility in the file
name, e.g. by specifying it as follows:

$template dsl, /var/log/dsl-%syslogfacility-text%-%$NOW%.log

That, of course, will result in a file written for each facility, even
those that you are not interested in. I unfortunately do not have a
solution for this now.

With v3 expressions, I envision something along these lines:

If maskmatch(FROMHOST, "192.168.1.0", 24) and syslog-facility-text == "mail" then
    writefile "/var/log/dslmail-%$NOW%"

But that is not possible yet. And this is only an idea, not the actual
config file format we will have at that time. In my blog, there are a
number of posts about it, but the bottom line is that it is not yet
designed:

http://rgerhards.blogspot.com/2007/08/on-rsyslog-config-file-format.html

Doc about current capabilities is here:

http://www.rsyslog.com/module-Static_Docs-view-f-rsyslog_conf.html.phtml

search for "Filter Conditions" on that page.

The properties you need are documented here:

http://www.rsyslog.com/module-Static_Docs-view-f-property_replacer.html.phtml

Keep in mind they ARE CASE-SENSITIVE! (and don't ask me why I had that
idea... ;))

As always, feedback is appreciated. I would be most interested to learn
at which final config you arrived.

Thanks,
Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Scott Baker
> Sent: Friday, December 21, 2007 1:23 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Separating logs by host?
> 
> Rainer Gerhards wrote:
> > I need to think about the real question a bit ;) Not an immediate
> > solution ... but not hopeless either ;)
> >
> > On v2/v3 - v2 will be the next stable release:
> > http://rgerhards.blogspot.com/2007/12/begun-working-on-rsyslog-
> v3.html
> 
> Another good example is that we have several linux mail servers. I
> like to aggregate all of their logging to one rsyslog server. They
> all log to mail.* on their local machines, and then forward also to
> my rsyslog server.
> 
> The problem is that shows up in my mail.* on the syslog server, and
> thus gets mixed in with the local mail.* from the syslog server
> itself. It would be nice to be able to separate those, by IP would
> be the easiest.
> 
> mail.*				/var/log/maillog
> 1.2.3.4/32:mail.*		/var/log/mail-server.log
> 
> Or something like that...
> 
> --
> Scott Baker - Canby Telcom
> RHCE - System Administrator - 503.266.8253
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
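An added illustration (not rsyslog code and not from either poster) of the two matching styles discussed above, the plain string prefix behind ":FROMHOST, startswith, ..." with and without the trailing dot, and the envisioned maskmatch() as a real CIDR test that also handles Scott's 1.2.3.4/32 case and masks other than class A/B/C. It assumes FROMHOST holds the sender's dotted-quad IP; the sample messages are constructed.

```python
import ipaddress

# Constructed sample of (FROMHOST, syslogfacility-text) pairs, as rsyslog
# would see them; not real traffic from the thread.
SAMPLE = [
    ("192.168.1.1", "mail"),
    ("192.168.1.2", "daemon"),
    ("192.168.11.2", "mail"),   # the pitfall host: also starts with "192.168.1"
    ("192.168.3.7", "mail"),
    ("1.2.3.4", "mail"),
]


def startswith_hosts(prefix, sample=SAMPLE):
    """Hosts selected by ':FROMHOST, startswith, "<prefix>"' (string prefix only)."""
    return [host for host, _ in sample if host.startswith(prefix)]


def maskmatch(fromhost, network, bits):
    """Hypothetical maskmatch(FROMHOST, net, bits) from the post: a true CIDR
    membership test, valid for any prefix length, not only /8, /16, /24."""
    net = ipaddress.ip_network(f"{network}/{bits}", strict=False)
    return ipaddress.ip_address(fromhost) in net


def route(sample=SAMPLE):
    """Map each message to a log file the way the envisioned expression rules
    would: CIDR test combined with a facility test, with a fallback."""
    files = {}
    for host, facility in sample:
        if maskmatch(host, "192.168.1.0", 24) and facility == "mail":
            target = "/var/log/dslmail"          # DSL subnet mail logs
        elif maskmatch(host, "1.2.3.4", 32) and facility == "mail":
            target = "/var/log/mail-server.log"  # the remote mail server
        elif facility == "mail":
            target = "/var/log/maillog"          # everything else mail.*
        else:
            target = "/var/log/messages"
        files.setdefault(target, []).append(host)
    return files
```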