[rsyslog-notify] Forum Thread: Multiple remote hosts - (Mode 'post')
noreply at adiscon.com
Mon Apr 18 18:56:38 CEST 2016
User: mabo
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26495#p26495
Message:
----------
Hi,
I am completely new to rsyslog. Can someone tell me if the following is possible, and how I need to change the syslog.conf file to do this?
I would like to receive syslog information from a number of voice gateways (iad), and write their logs in a separate directory per host, and a separate file per day, and not in /var/log/messages or /var/log/boot.log as it is now.
As technicians are regularly adding remote hosts, I would like rsyslog to create the directory with the hostname and in it the files with the hostname and date. For example, if 14T-ONE425 is the hostname that is sent in the syslog message:
/var/log/iad/14T-ONE425/14T-ONE425-160418.log
I also would like to limit rsyslog messages from within a certain subnet, but I suppose this should be handled by iptables, or is there a setting in rsyslog also?
With my current config, syslog messages from my voice gateway devices arrive in /var/log/messages (info level) and in /var/log/boot.log and in /var/log/iad (debug level).
I configured the device as follows: syslog server 192.168.1.248 23
→ it will send all debug and info messages to a syslog server
This is a test on my private network; in practice the devices and syslog server will have public IP@.
This is my rsyslog.conf file:

# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

# I tried this but it does not work, I found something similar in rsyslog FAQ
#$template iad,"/var/log/iad/%HOSTNAME%/%HOSTNAME%%$YEAR%/%$MONTH%/%$DAY%.log"
#.debug; -?iad

# rsyslogd -N2
rsyslogd: version 7.4.7, config validation run (level 2), master config /etc/rsyslog.conf
rsyslogd: unknown priority name ""
#### MODULES ####
# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state
#### RULES ####
# log debug messages to iad file, this works
#*.debug;mail.none;authpriv.none;cron.none /var/log/iad
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
This is what I see in wireshark (lan tracer):
Syslog message: LOCAL7.DEBUG: 14T-ONE425 : Apr 18 15:49:28 UAC
[192.168.1.218:5060] -> UAS [xxx.xxx.xxx.xxx:5060] INVITE 180 Ringing
call-id:SDqbg4e01-019104681ce4a2ba8ca9dd2fd5105c45-aobs0j0 (UDP)
14T-ONE425 : SIP/2.0 180 Ringing
Allow-Events: hold,talk
Call-ID: SDqbg4e01-019104681ce4a2ba8ca9dd2fd5105c45-aobs0j0
CSeq: 1 INVITE
From: "+xxx.xxx.xxx.xxx"
<sip:+xxx.xxx.xxx.xxx at ies.belgacom.be;user=phone>;tag=SDqbg4e01-570818f8-5714e5e8144554e4-gm-pt-lucentPCSF-026904
Server: OneAccess/ONEOS16-VOIP_PROXY_11N-V5.2R1E5 (ONE425)
To: "yy123456789 yy123456789"
<sip:+yy123456789 at ies.belgacom.be;user=phone>;tag=442D
Via: SIP/2.0/UDP
xxx.xxx.xxx.xxx:5060;received=xxx.xxx.xxx.xxx;branch=z9hG4bKjsu2nh309oqk7g2rivg0.1
Content-Length: 0
Syslog message: LOCAL7.DEBUG: 14T-ONE425 : \r\n[11 : 516]\r\n\n
This is what comes into /var/log/boot.log and in /var/log/iad:
Apr 18 15:49:25 14T-ONE425 : Apr 18 15:49:28 UAC [192.168.1.218:5060] ->
UAS [xxx.xxx.xxx.xxx:5060] INVITE 180 Ringing
call-id:SDqbg4e01-019104681ce4a2ba8ca9dd2fd5105c45-aobs0j0 (UDP)
Apr 18 15:49:25 14T-ONE425 : SIP/2.0 180 Ringing#015#012Allow-Events:
hold,talk#015#012Call-ID:
SDqbg4e01-019104681ce4a2ba8ca9dd2fd5105c45-aobs0j0#015#012CSeq: 1
INVITE#015#012From: "+xxx.xxx.xxx.xxx"
<sip:+xxx.xxx.xxx.xxx at ies.belgacom.be;user=phone>;tag=SDqbg4e01-570818f8-5714e5e8144554e4-gm-pt-lucentPCSF-026904#015#012Server:
OneAccess/ONEOS16-VOIP_PROXY_11N-V5.2R1E5 (ONE425)#015#012To: "yy123456789
yy123456789"
<sip:+yy123456789 at ies.belgacom.be;user=phone>;tag=442D#015#012Via:
SIP/2.0/UDP
xxx.xxx.xxx.xxx:5060;received=xxx.xxx.xxx.xxx;branch=z9hG4bKjsu2nh309oqk7g2rivg0.1#015#012Content-Length:
0#015#012#015
Apr 18 15:49:25 14T-ONE425 : #015#012[11 : 516]#015#012
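One way to get the layout asked for in the post (directory per host, file per day, nothing in /var/log/messages), written as an added example in rsyslog 7.x RainerScript and not taken from the post or from rsyslog's shipped config. It assumes the gateways sit in 192.168.1.0/24 (the poster's test network) and that the hostname rsyslog parses from the message is the one seen in the logs (14T-ONE425); the template and ruleset names are made up.

```rsyslog
# Added example, not the poster's config. rsyslog 7.4.x RainerScript with the
# network listeners bound to their own ruleset. The subnet is an assumption
# taken from the poster's test setup.

module(load="imudp")
module(load="imtcp")

# Accept remote messages only from the voice-gateway subnet. This is a legacy
# directive and must precede the inputs it applies to. A UDP source address is
# easy to forge, so keep the iptables rule as the real control.
$AllowedSender UDP, 192.168.1.0/24
$AllowedSender TCP, 192.168.1.0/24

# Path built from the hostname the device puts in the message. That value is
# remote-supplied, so secpath-replace turns any "/" in it into "_" and stops a
# misbehaving device from injecting path separators into the file name.
# %$year:3:4% takes characters 3-4 of the four-digit year, so 2016-04-18
# becomes 160418 as in the poster's example.
template(name="iadfile" type="string"
         string="/var/log/iad/%HOSTNAME:::secpath-replace%/%HOSTNAME:::secpath-replace%-%$year:3:4%%$month%%$day%.log")

# Messages from the network inputs are processed here and only here, so the
# default rules (/var/log/messages, /var/log/boot.log) never see them.
ruleset(name="remote") {
    action(type="omfile" dynaFile="iadfile"
           dirCreateMode="0750" fileCreateMode="0640")
}

# Bind both listeners to that ruleset instead of the default one.
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
```

In the legacy line the poster tried, the `;` after the selector opens a second, empty selector, which matches the `unknown priority name ""` report from `rsyslogd -N2`; dropping it (`*.debug -?iad`) would parse, but a dedicated ruleset also keeps the remote messages out of the default rules.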