rsyslog, log msgs in a different file
R C
cjvijf at gmail.com
Mon Feb 19 00:40:56 UTC 2024
actually, what I ended up doing is check the ip address, and use that
to move the messages to a specific file.
something like:
if $fromhost-ip startswith '192.168.37.20' then
    /var/log/network/seismo-ap.log
& stop
the startswith is not ideal, I'd rather see an "equals", but this works
better for now.
On 2/18/24 17:25, Karl Auer wrote:
> On Sun, 2024-02-18 at 09:48 -0700, R C wrote:
>> right, that was to make it work, to get ir started. I don't know how
>> to distinguish between remote hosts and the host itself.
> There are four ways (at least).
>
> 1: Have your remote hosts log to a different log host. Then you can
> have a completely independent setup for logging your remote hosts. Easy
> if you are using virtuals, not as easy with real hardware, and also
> means your logs are in two different places.
it's all 'real' hardware.
>
> 2: Run a second instance of rsyslogd on a different port on your
> current log host and have your remote hosts log to that.
>
> 3: Use filters on properties to send remote host logging to different
> files on your current log host. You need something in the log entries
> that is consistently different for remote hosts and local host.
> FROMHOST and HOSTNAME are likely candidates, or configure your remote
> hosts to explicitly add a tag of some sort to their log entries that
> you can then filter on your log host (cf. my MikroTik log entries).
that is what I am doing, the hostname thing is tricky. Some Cisco
stuff 'reports' its hostname as "gateway", so if you have more than one
of those, that's an issue.
ip addresses work better (but a router whose ip is 192.168.1.1
could (in my case does) report to a host in 192.168.2.0 as if its
(router) IP address is 192.168.2.1, because that vlan (vlan 2) is known
by the router and the logging host is in it). I'd like something
different than the 'startswith', because 192.168.1.1, 192.168.1.11 and
192.78.1.11 startswith 192.168.1.1 (but how you order things in that
/etc/rsyslog.d file can help out, not ideal, but it works).
>
> 4: A combination move - set up a separate log host as per 1:, or log
> destination as per 2:, and send your *local* log entries there as well.
> Now your "local" host is just another remote host. I have absolutely
> not tried this :-)
the different ports rsyslog is listening on is a good idea, however, a
little cluttered to me. For now distinguishing by IP seems the simplest.
>
> Regards, K.
thanks for coming up with some scenarios, I really appreciate it,
Ron
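Added example, not from Ron's message or from anyone else in the ubuntu-users thread: an /etc/rsyslog.d fragment that does the exact ("equals") match he was asking for. RainerScript's `==` compares the whole string, so `192.168.1.1` no longer matches `192.168.1.11`, and the rules stop depending on file order. It also adds a per-source catch-all keyed on `$fromhost-ip` rather than the client-supplied hostname, which keeps two devices that both announce themselves as "gateway" in separate files. The addresses, log file names and the `10-network.conf` file name are assumptions; only the two device roles (access point, router seen from VLAN 2) come from the thread.

```rsyslog
# /etc/rsyslog.d/10-network.conf  (assumed name; sorts before Ubuntu's 50-default.conf)
# Added example, not the thread author's configuration.
# Assumed addresses: 192.168.37.20 = access point, 192.168.2.1 = router as it
# appears from the VLAN 2 log host. Replace with your own.

# Accept syslog from the network. UDP is what most network gear sends;
# use TCP (and TLS) where the device supports it.
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# Exact match on the sender address: '==' replaces 'startswith'.
if $fromhost-ip == '192.168.37.20' then {
    action(type="omfile" file="/var/log/network/seismo-ap.log" createDirs="on")
    stop
}

if $fromhost-ip == '192.168.2.1' then {
    action(type="omfile" file="/var/log/network/router.log" createDirs="on")
    stop
}

# Catch-all for any other remote sender: one file per source address.
# The address comes from the packet, not from the HOSTNAME field the device
# fills in, so colliding or odd hostnames cannot steer the file name.
template(name="RemoteByIP" type="string"
         string="/var/log/network/%fromhost-ip%.log")

# Locally generated messages carry 127.0.0.1 / ::1 as fromhost-ip; leave those
# for the default rules so they still reach /var/log/syslog.
if $fromhost-ip != '127.0.0.1' and $fromhost-ip != '::1' then {
    action(type="omfile" dynaFile="RemoteByIP" createDirs="on")
    stop
}
```

Check the syntax with `rsyslogd -N1` before restarting. The `stop` after each action is what keeps remote lines out of /var/log/syslog, so this file has to be read before the default rules; numbering it lower than 50-default.conf does that. One caveat: `$fromhost-ip` is the source address of the packet, and over UDP that address is trivially spoofed, so this is a routing key, not authentication. Anyone who can inject packets onto the VLAN can write lines into these files; if that matters, take the devices that can do it over to imtcp with TLS.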