[rsyslog] Logging all messages from a remote server

[david at lang.hm]

On Sun, 15 Mar 2009, Julian Yap wrote:

> I'm having trouble logging ALL the syslog messages received from a
> server.  I'm not sure if it's because it's from a non-standard piece
> of hardware (ie. not a Linux server).  Logging to another server
> running syslogd works fine (but syslogd doesn't allow me to log
> messages from a remote server to a separate file and it's not my
> central syslogd server).
>
> I've tried several lines but none seem to work for me:
> if $fromhost == 'server' then /var/log/remote/server/all
> if $source == 'server' then /var/log/remote/server/all
> :FROMHOST, isequal, "server" /var/log/remote/server/all
> if $fromhost == 'server.domain.com' then /var/log/remote/server/all
> if $fromhost-ip == '192.168.0.60' then /var/log/remote/server/all

there are a few possible reasons that this could have problems

is it that you have a high volume of logs and some just get dropped?

if you just write everything to a file (*.* /var/log/test) does it have 
all the logs from this server? or is it missing some?

do the logs from this server sometimes include the host and sometimes not?

what is different between the logs that you match and the ones that you 
miss?

David Lang