[rsyslog-notify] Forum Thread: Re: Prevent rsyslog server from indexing its own logs - (Mode 'reply')
noreply at adiscon.com
Fri Nov 20 11:12:03 CET 2015
User: wegdave
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26179#p26179
Message:
----------
Hello.
Of course.
I installed rsyslog on a server called brjgs058. This server is the central
syslog collector server and will index the syslog forwarded by 250 devices.
In brjgs058:
Created the following directory to index all logs:
/var/log/rsyslog
Inside of this directory:
drwx------ 2 root root 4096 Nov 19 15:07 10.1.89.1
drwx------ 2 root root 4096 Nov 19 15:07 10.1.89.3
drwx------ 2 root root 4096 Nov 19 15:07 10.1.89.5
drwx------ 2 root root 4096 Nov 19 15:07 10.1.89.8
drwx------ 2 root root 4096 Nov 19 15:07 10.1.89.9
drwx------ 2 root root 4096 Nov 19 15:12 10.2.118.163
drwx------ 2 root root 4096 Nov 19 16:28 brjgs058
These IP addresses are those devices that should have their logs indexed.
Working properly.
What I don't want to have is that directory named "brjgs058" with the local
server rsyslogs. I want to prevent brjgs058 from creating them there, or
creating it at all.
What logs, hmm... Everything that these devices could send through syslog
is interesting to me.
The current server conf is:
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ModLoad imudp
$UDPServerRun 514
#### GLOBAL DIRECTIVES ####
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
*.info;mail.none;authpriv.none;cron.none /var/log/messages
$template TmplSyslog, "/var/log/rsyslog/%HOSTNAME%/syslog.log"
# Save boot messages also to boot.log
user.* ?TmplSyslog
mail.* ?TmplSyslog
daemon.* ?TmplSyslog
auth.* ?TmplSyslog
syslog.* ?TmplSyslog
lpr.* ?TmplSyslog
news.* ?TmplSyslog
uucp.* ?TmplSyslog
cron.* ?TmplSyslog
security.* ?TmplSyslog
ftp.* ?TmplSyslog
ntp.* ?TmplSyslog
logaudit.* ?TmplSyslog
logalert.* ?TmplSyslog
clock.* ?TmplSyslog
local0.* ?TmplSyslog
local1.* ?TmplSyslog
local2.* ?TmplSyslog
local3.* ?TmplSyslog
local4.* ?TmplSyslog
local5.* ?TmplSyslog
local6.* ?TmplSyslog
local7.* ?TmplSyslog
I tried this, but it doesn't work.
if ($hostname = 'BRJGS058') then /var/log/messages
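
One way to keep the collector's own messages out of /var/log/rsyslog/, as an added example that is not part of the original post. The `*.*` selector standing in for the per-facility list and the rule ordering are assumptions.

```conf
# Constructed example for a legacy-format rsyslog.conf.
# Rules are evaluated top to bottom, so the order below matters.

$template TmplSyslog,"/var/log/rsyslog/%HOSTNAME%/syslog.log"

# 1. As in the posted config: messages (local and remote) that match this
#    selector are written to /var/log/messages.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages

# 2. Discard the collector's own messages before the per-host rule is reached.
#    Local inputs (imuxsock, imklog) set fromhost-ip to 127.0.0.1. That
#    property is filled in by the receiving input, while %HOSTNAME% is read
#    from the message header and is whatever the sender put there.
:fromhost-ip, isequal, "127.0.0.1"    ~

# 3. Only messages received over the network (imudp) get this far.
#    Assumption: *.* is used here instead of the per-facility list in the post.
*.*    ?TmplSyslog

# Notes on the attempt shown in the post:
#   if ($hostname = 'BRJGS058') then /var/log/messages
# - expression filters use == for equality
# - string comparison is case-sensitive, and the directory created on disk
#   is "brjgs058"
# - a file action does not end processing, so any ?TmplSyslog rule placed
#   after it still runs for the same message
#
# Hostname-based variant of rule 2 (relies on the header value):
#   :hostname, isequal, "brjgs058"    ~
#
# On rsyslog v7 and later, "~" is deprecated in favour of "stop":
#   if $fromhost-ip == '127.0.0.1' then stop
```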