
I am trying to log messages from a specific remote host to a separate log file (and only to that file). I tried this:

    # cat /etc/rsyslog.d/avs110door.conf
    if $fromhost == 'avs110' then /var/log/avs110-door.log
    & stop

The log file is not created, and the messages from that host are still sent to user.log, syslog, messages and auth.log (depending on the facility).

I did run systemctl restart rsyslog.service and other .conf files from that directory do work as expected.

This is a Debian Jessie server with rsyslog version 8.4.2-1+deb8u2.

The messages in the wrong files are like this (so the remote hostname is indeed 'avs110' as in my .conf file condition):

    Jul 18 18:27:19 avs110 sshd[781]: Server listening on :: port 22.
    Jul 18 18:27:39 avs110 engine[844]: Finished initialization
    Jul 18 18:44:20 avs110 engine[844]: Calling sip:[email protected]:5060

1 Answer

It turned out that the $fromhost variable is not the host name as it appears in the message, but the fully qualified domain name. The message's hostname is in another variable: $hostname.

So what I had tried didn't work, but any of the following do work to send logs from a specific host to a specific log file:

  • $hostname : as it appears in the message
  • $fromhost : FQDN from reverse lookup
  • $fromhost-ip : well, that one is obvious: the IP

Or:

    if $hostname == 'avs110' then /var/log/avs110.log
    & stop

    if $fromhost == 'avs110.example.com' then /var/log/avs110.log
    & stop

    if $fromhost-ip == '192.168.44.159' then /var/log/avs110.log
    & stop
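
The difference between the three properties in the answer above, modelled in Python as an added example (not part of the original post and not rsyslog code). The PTR table, the second peer address and the sample datagram are constructed, and the model assumes a well-formed RFC 3164 header.

```python
import re

# Constructed stand-in for reverse DNS (assumption): peer IP -> PTR name.
PTR = {"192.168.44.159": "avs110.example.com"}

# RFC 3164 style header: <PRI>Mmm dd hh:mm:ss HOSTNAME rest
HEADER = re.compile(r"^<\d{1,3}>\w{3} [ \d]\d \d\d:\d\d:\d\d (\S+) ")

# The filter from the question followed by the three from the answer.
RULES = [
    ("fromhost", "avs110"),
    ("hostname", "avs110"),
    ("fromhost", "avs110.example.com"),
    ("fromhost-ip", "192.168.44.159"),
]


def derive_properties(datagram, peer_ip, ptr=PTR):
    """Model where each property's value comes from for one received message."""
    m = HEADER.match(datagram)
    if m is None:
        raise ValueError("model only handles a well-formed RFC 3164 header")
    return {
        "hostname": m.group(1),                 # text written by the sender
        "fromhost": ptr.get(peer_ip, peer_ip),  # reverse lookup of peer, else its IP
        "fromhost-ip": peer_ip,                 # address the message arrived from
    }


def evaluate(datagram, peer_ip):
    """Return {filter text: matched?} using exact comparison, like `==`."""
    props = derive_properties(datagram, peer_ip)
    return {f"${p} == '{v}'": props[p] == v for p, v in RULES}


# Constructed datagram: the first log line from the question with a PRI added
# (<38> = auth.info), received once from avs110 and once from another address.
SAMPLE = "<38>Jul 18 18:27:19 avs110 sshd[781]: Server listening on :: port 22."
FROM_AVS110 = evaluate(SAMPLE, "192.168.44.159")
FROM_OTHER = evaluate(SAMPLE, "192.168.44.200")  # constructed peer, no PTR record

if __name__ == "__main__":
    for label, result in (("avs110", FROM_AVS110), ("other peer", FROM_OTHER)):
        for rule, hit in result.items():
            print(f"{label:10} {rule:40} {'match' if hit else 'no match'}")
```

Only the `$hostname` filter matches the second datagram, because that value is text supplied by the sender, while `$fromhost` and `$fromhost-ip` follow the address the message arrived from.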
