I've always used Syslog-NG for my logging situations, but my hands are tied and I have to use rsyslog, something I'm not overly familiar with.

I largely understand how to configure it; however, one of the ways I want to do it is to categorise by device type, i.e., Linux device logs go into a linux folder, the same for Windows, etc.

With Syslog-NG, I was able to do this by having a different port for each device type, and then having Syslog-ng place it in the correct folder by the port.

I can't find a way of doing this in rsyslog. I've tried templates, but all that's doing is putting everything in the linux folder and everything in the windows folder, essentially duplicating. I've tried with filters, but I'm getting nowhere with that either.

Firstly, does anyone know if it's possible to categorise logs this way? And if so, could you point me in the right direction?

2 Answers

If you want input from a given TCP port to go to one logfile, and input from a second TCP port to go to another, check out Multiple Rulesets. The example "Split local and remote logging for three different ports", cut down to two TCP ports (10514 and 10515), gives you:

    ruleset(name="remote10514"){ action(type="omfile" file="/var/log/fileA") }
    ruleset(name="remote10515"){ action(type="omfile" file="/var/log/fileB") }
    input(type="imptcp" port="10514" ruleset="remote10514")
    input(type="imptcp" port="10515" ruleset="remote10515")

Inside each ruleset(){...} you can have any usual further filtering and templating.

  • Hm, I previously tried something similar but with templates included for file names etc. Maybe I bound the templates wrong. I'll go back to it and try again and then set as answer once I get it working :). Commented Apr 4, 2019 at 14:11
  • Note that rsyslog has lots of versions, all with differences, so you may find some syntax doesn't work as expected. Add your rsyslog version number to your original question if so. Rulesets came in from versions 4.5.0 and 5.1.1. Commented Apr 4, 2019 at 14:44
  • I got it working perfectly, thanks. A combination of yours worked, a slight change to the ruleset: ruleset(name="remote10515"){ action(type="omfile" DynaFile="RemoteWinTem") Both seem to be working perfectly now. Many thanks :) Commented Apr 4, 2019 at 14:59
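The following is an added example, not the answer's or the asker's own config. It takes the per-port ruleset idea from the answer and completes it into what the question asked for: Linux senders on one TCP port are filed under a linux folder, Windows senders on another port under a windows folder, one file per host. The listener address, ports, directory paths and the template and ruleset names are assumptions chosen for illustration.

```rsyslog
# Added example (not from the answer above): RainerScript config that files
# remote logs by device type according to the port they arrived on.
# Address, ports, paths and names below are assumptions for illustration.
module(load="imptcp")

# One dynamic-file template per device type. The hostname property is passed
# through secpath-replace, which turns any "/" in the hostname into "_", so a
# sender cannot supply a hostname that steers the file out of its directory.
template(name="LinuxByHost" type="string"
         string="/var/log/remote/linux/%HOSTNAME:::secpath-replace%.log")
template(name="WindowsByHost" type="string"
         string="/var/log/remote/windows/%HOSTNAME:::secpath-replace%.log")

# A ruleset only sees messages from the inputs bound to it, so a message is
# written to exactly one folder and nothing is duplicated across folders.
ruleset(name="linuxDevices") {
    action(type="omfile" dynaFile="LinuxByHost" createDirs="on"
           dirCreateMode="0750" fileCreateMode="0640")
}
ruleset(name="windowsDevices") {
    action(type="omfile" dynaFile="WindowsByHost" createDirs="on"
           dirCreateMode="0750" fileCreateMode="0640")
}

# Bind each listener to its ruleset. address= pins the listener to the
# collector's log interface instead of every interface on the box.
input(type="imptcp" address="192.0.2.10" port="10514" ruleset="linuxDevices")
input(type="imptcp" address="192.0.2.10" port="10515" ruleset="windowsDevices")
```

Drop this into /etc/rsyslog.d/ and check it with `rsyslogd -N1` before restarting the service. Note that the port only decides where a message is filed; anything that can reach the port can write into that folder, so restrict the listeners at the firewall to the hosts that are supposed to use them.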

I stumbled upon the same problem just yesterday. The solution here did not work out of the box.
This is what I came up with. Here is the content of my port515.conf under /etc/rsyslog.d:

    $ActionQueueFileName port515
    $ActionQueueMaxDiskSpace 1g
    $ActionQueueSaveOnShutdown on
    $ActionQueueType LinkedList
    $ActionResumeRetryCount -1
    $ModLoad imudp.so
    $template tmpl_remote515, "/var/log/port515.log"
    $RuleSet Remote515
    $RulesetCreateMainQueue on
    *.* -?tmpl_remote515
    $InputUDPServerBindRuleset Remote515
    $UDPServerRun 515

It works like a charm and puts everything coming in on UDP port 515 into a separate file. You may see "module 'imudp.so' already in this config, cannot be added" in journalctl when starting the service. This happens if you set up multiple ports with the above config and only change the port numbers. I suggest you only load the UDP module once in /etc/rsyslog.conf, either via

$ModLoad imudp.so 

or

module(load="imudp") 
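As an added example (not the answer's own config), here is the same legacy-syntax approach extended to two UDP ports in a single file, which is how to avoid the "already in this config" error the answer describes: imudp is loaded exactly once and each port gets its own ruleset and disk-assisted queue. Ports, paths and names are assumptions chosen for illustration.

```rsyslog
# Added example: two UDP listeners in one legacy-syntax file, imudp loaded once.
# Ports, paths and names are assumptions for illustration.
$ModLoad imudp

$template tmpl_remote515, "/var/log/port515.log"
$template tmpl_remote516, "/var/log/port516.log"

# Ruleset for port 515. The $ActionQueue* directives apply to the next action
# only, so they are repeated per ruleset with a distinct queue file name.
$RuleSet Remote515
$RulesetCreateMainQueue on
$ActionQueueType LinkedList
$ActionQueueFileName port515
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
*.* -?tmpl_remote515

# Ruleset for port 516, same shape, separate queue file.
$RuleSet Remote516
$RulesetCreateMainQueue on
$ActionQueueType LinkedList
$ActionQueueFileName port516
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
*.* -?tmpl_remote516

# Return to the default ruleset before defining listeners, then bind each
# port: $UDPServerRun uses whatever ruleset was most recently bound.
$RuleSet RSYSLOG_DefaultRuleset
$InputUDPServerBindRuleset Remote515
$UDPServerRun 515
$InputUDPServerBindRuleset Remote516
$UDPServerRun 516
```

Because UDP has no handshake and source addresses are trivially forged, the port only determines which file a message lands in; it says nothing about who sent it. Treat the per-port files as separated by convenience, not by trust, and prefer the TCP listeners from the first answer (or TLS on top of them) where the senders support it.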
