[rsyslog-notify] Forum Thread: remote log to journald - (Mode 'edit_topic')

noreply at adiscon.com noreply at adiscon.com
Mon Jun 29 15:51:22 CEST 2015


User: g1ra 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25726#p25726

Message: 
----------
I want to log remotely to journald on a remote server.

[b:2svib3ex]The problem is: in journald, the log doesn't show the client
server name or IP address. I can't decide or filter where the log entry came
from.[/b:2svib3ex]

I have two RHEL7 boxes with rsyslogd 7.4.7.
One is a logging server, the other is a client.

On the client I have this config: 
[code:2svib3ex]$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$IncludeConfig /etc/rsyslog.d/*.conf

$OmitLocalLogging on

$IMJournalStateFile imjournal.state

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

authpriv.*                                              /var/log/secure

mail.*                                                  -/var/log/maillog

cron.*                                                  /var/log/cron

*.emerg                                                 :omusrmsg:*

uucp,news.crit                                          /var/log/spooler

local7.*                                                /var/log/boot.log

*.* @@192.168.122.150:514
[/code:2svib3ex]

On the Server I have this config: 
[code:2svib3ex]
input(type="imtcp" port="514" ruleset="writeToJournal")
ruleset(name="writeToJournal") {
        action(type="omjournal")
}

$WorkDirectory /var/lib/rsyslog

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat


$IncludeConfig /etc/rsyslog.d/*.conf

$OmitLocalLogging on

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

authpriv.*                                              /var/log/secure

mail.*                                                  -/var/log/maillog

cron.*                                                  /var/log/cron

*.emerg                                                 :omusrmsg:*

uucp,news.crit                                          /var/log/spooler

local7.*                                                /var/log/boot.log
[/code:2svib3ex]

On the client I make a log entry: 
[code:2svib3ex]logger -p local0.notice -t TEST "Test$(date)"[/code:2svib3ex]

On the server I see this entry in journal: 
[code:2svib3ex]Jun 29 15:35:33 ipa.lnet TEST:[5596]:  TestMon Jun 29 15:35:32 CEST 2015[/code:2svib3ex]

[b:2svib3ex]ipa.lnet is NOT the client name, but the server! This is the
problem.[/b:2svib3ex]
How can I tell omjournal that I need the client name in journald?

If I log to /var/log/messages then the client name is correctly written.

