rsyslog, log msgs in a different file
R C
cjvijf at gmail.com
Sun Feb 18 06:44:57 UTC 2024
On 2/17/24 23:13, Karl Auer wrote:
> On Sat, 2024-02-17 at 19:21 -0700, R C wrote:
>> but the messages from the switch are still ending up in
>> "/var/log/syslog"
> I'd have expected "*.* ?NetworkLogs" to work, but not sure about the
> asterisk at the end of your template line. I don't think that's a valid
> template option.
it doesn't seem to make a difference
>
> Maybe run "rsyslogd -f <your_config_file> -N 1"
>
> Or just "rsyslogd -N 1" if you've put your stuff in the main config
> file.
# rsyslogd -N 1
rsyslogd: version 8.24.0-57.el7_9.3, config validation run (level 1),
master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
>
> Also - once you think everything should work - try restarting rsyslogd.
> Can't remember if that's needed these days, but it can't hurt :-)
did that every time
>
> It may or may not be helpful, but this is how I direct my MikroTik
> router log entries into a separate file. The first line is the template
> ("stick it in this file"). The second line is the rule ("if the
> programname field is 'mikrotik', use the RouterLog template"). The
> third line stops processing the entry ("all done with that inbound log
> entry, thxbye"):
>
> $template RouterLog, "/var/log/mikrotik.log"
> :programname, isequal, "mikrotik" -?RouterLog
> & stop
That seems similar to what I do, I just want it by source IP/hostname
>
> Those three lines are in /etc/rsyslog.d/30-mikrotik.conf. The "-"
> before the "?" means "disable syncing on this file". I'm pretty sure I
> did not need a template and could have just put "/var/log/mikrotik.log"
> where "?Routerlog" is, but you do need a template because you are
> constructing the logfile names dynamically.
>
> The man page sections on "Property-Based Filters" and "Available
> Properties" will explain the rule.
>
> I also had to configure my routers to send these entries with
> "mikrotik" in them, but that is a different problem.
>
> Regards, K.
>
I have the impression it is an "order thing", a rule gets applied,
rsyslog thinks it is done and never applies the rule I wrote.
(like in pam, it's top down, if you need the rule to apply it needs to
be checked before all/most others, I think that is why it ends up in
the default log.)
Ron
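
The per-source routing and rule ordering discussed in this message, as an added example that is not part of the original post or anyone's actual configuration. The file name 10-network.conf, the /var/log/network directory and the address 192.0.2.10 are assumptions; the template name NetworkLogs is the one quoted in the thread.

```conf
# /etc/rsyslog.d/10-network.conf
# Assumed file name. Files in /etc/rsyslog.d/ are included in lexical order,
# so a low number puts these rules ahead of a later file such as Ubuntu's
# 50-default.conf, which holds the rule that writes /var/log/syslog.

# Dynamic file name: one log file per sending device.
# fromhost-ip is the address rsyslog received the message from; the hostname
# property is taken from the message itself, so it is set by the sender.
$template NetworkLogs,"/var/log/network/%fromhost-ip%.log"

# Property-based filter: match only messages from the switch.
# 192.0.2.10 is a placeholder for the switch's address.
:fromhost-ip, isequal, "192.0.2.10" ?NetworkLogs

# Stop processing this message here so that no later rule
# (including the default one) writes a second copy.
& stop
```

If the default rules sit in /etc/rsyslog.conf itself rather than in a later-sorting include file, these lines must come before them in that file. Check the result with "rsyslogd -N 1" and restart rsyslogd, as described in the message above.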