Linux.com


Prevent rsyslog from writing messages from remote hosts to /var/log/messages

Posted 10 Sep 12

Hi,
I am configuring rsyslog to capture messages from remote hosts to /var/log/remotehosts. It is working, but messages from remote hosts are also going to /var/log/messages. Is there a way to prevent that from happening? My rsyslog configuration follows.

Thanks in advance,
Leonard

# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerAddress 0.0.0.0
$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"

$template DailyPerHostLogs,"/var/log/remotehosts/%HOSTNAME%.%$YEAR%-%$MONTH%-%$DAY%.log"
*.* -?DailyPerHostLogs;TraditionalFormat

## This section added to prevent remote messages from being logged to messages
if $source == 'smctux01' and $syslogseverity <= '6' then /var/log/messages;TraditionalFormat
#######

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

Posted 12 Sep 12

You seem to know your way around rsyslog, so I won't post any Google links. I myself don't know of an option that will help you filter what goes into /var/log/messages. Hopefully someone who has an answer will see the post. Be patient.

Posted 25 Apr 13

I was fighting this same issue today and came up with what I believe is a solution. I run CentOS servers and my solution focuses on that distro.

#1 - Update to the latest version of rsyslog.
Create /etc/yum.repos.d/rsyslog.repo and place the following into it:


[rsyslog_v7]
name=Adiscon CentOS-$releasever - local packages for $basearch
baseurl=http://rpms.adiscon.com/v7-stable/epel-$releasever/$basearch
enabled=1
gpgcheck=0
gpgkey=http://rpms.adiscon.com/RPM-GPG-KEY-Adiscon
protect=1

Move your existing /etc/rsyslog.conf file to another directory prior to upgrade. This will allow the installer to create a new conf file for you. You can copy/paste your custom settings into the new file post upgrade.

Execute the command 'yum update rsyslog' to update rsyslog.

#2
The following code should be placed before the "*.info;mail.none;authpriv.none;cron.none /var/log/messages" entry. Be sure you replace <ServerName> in the example below with the name of your central logging server.


# Log each remote host into its own directory and then discard remote server logs:
$template RemoteHost,"/var/log/remote-hosts/%HOSTNAME%/%HOSTNAME%-%$YEAR%%$MONTH%%$DAY%.log"
if ($hostname != '<ServerName>') then ?RemoteHost
& ~

From my research on this, position in the file is critical: you must capture the remote server logs, place them into the dedicated location and discard them when done, prior to the *.info entry.

I hope this helps. I am not guaranteeing that there will be no issues with this setup. As far as I can tell, logging to the local server is working normally and remote hosts all get their own directory and a file with the date string (properly sorting) embedded.

You'll want to check out the link below to make sure you are compressing the old log files.
http://wiki.rsyslog.com/index.php/DailyLogRotation

Posted 03 Jul 13

Hi winnux,

I have worked with that script; it is storing logs in a separate folder but is not able to discard them.

And I need your help with one more thing.

Actually I am using a SIEM tool and I want to forward the rsyslog server logs to the SIEM tool.
And in the SIEM it should show the hostname of the original source where the log was generated.

Client ------> Central Rsyslog Server -----> SIEM

Posted 03 Jul 13

Unless you are doing some processing on the central logging server that changes data in the logs, passing logs to it first and forwarding them to the SIEM offers no advantage vs. sending logs to both servers directly from each host. If I were setting this up I would likely set it up this way.

If you must send them to the central logging server first and then forward them, something like the code example below *might* work. I have not tested this, it's just a best-guess effort on my part to get you headed in the right direction (hopefully).


# Forward all logs to the SIEM host. Change 192.168.0.1 to the IP of your SIEM host.
# Fields are space-separated in traditional syslog order (PRI, timestamp, hostname, tag, msg);
# %HOSTNAME% is the name of the originating client, not the central server.
$template SIEM,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
*.* @192.168.0.1;SIEM

# Log each remote host into its own directory and then discard remote server logs:
$template RemoteHost,"/var/log/remote-hosts/%HOSTNAME%/%HOSTNAME%-%$YEAR%%$MONTH%%$DAY%.log"

# if rule to call the RemoteHost template; the forward above must stay before the discard
if ($hostname != '<ServerName>') then ?RemoteHost
& ~
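The two posts above rest on one rsyslog behaviour: rules are evaluated top to bottom, and a matching discard action (`& ~`) stops processing of that message, so any rule below it never sees remote traffic, while a forward action placed above the discard still sees every message with the client's original %HOSTNAME%. The following is an added example written for this thread, not rsyslog code and not winnux's configuration: a small Python model of that evaluation order, run over constructed sample messages. The central server name `loghost`, the client `web01`, the date and the message texts are all made up; the 192.168.0.1 target and the rule shapes are the ones from the posts.

```python
"""Added example: a small model of rsyslog's top-to-bottom rule evaluation.
It is not rsyslog code; it only reproduces the ordering semantics the posts
above rely on: a matching '~' (discard) action stops processing of that
message, so everything below it never sees remote messages."""
from dataclasses import dataclass
from typing import Callable, Dict, List

CENTRAL = "loghost"            # constructed stand-in for <ServerName>
SIEM_TARGET = "@192.168.0.1"   # forwarding target from the post above

# RFC 3164/5424 numeric codes, used to compute %PRI% = facility*8 + severity
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
            "syslog": 5, "cron": 9, "authpriv": 10, "local7": 23}


@dataclass
class Msg:
    hostname: str   # %HOSTNAME%: the originating client as received by the central server
    facility: str
    severity: str
    tag: str        # %syslogtag%, e.g. "sshd[101]: "
    text: str       # %msg%
    date: str = "20130703"   # constructed stand-in for %$YEAR%%$MONTH%%$DAY%


@dataclass
class Rule:
    """One selector line: a filter plus an action. dest is a path template,
    an '@ip' forward target, or '~' for discard."""
    matches: Callable[[Msg], bool]
    dest: str
    fmt: str = "%HOSTNAME% %syslogtag%%msg%"   # file line; timestamp omitted in this model


def expand(template: str, m: Msg) -> str:
    """Property replacer for the handful of properties this model supports."""
    pri = FACILITY[m.facility] * 8 + SEVERITY[m.severity]
    return (template.replace("%PRI%", str(pri))
                    .replace("%HOSTNAME%", m.hostname)
                    .replace("%$YEAR%%$MONTH%%$DAY%", m.date)
                    .replace("%syslogtag%", m.tag)
                    .replace("%msg%", m.text))


def run(rules: List[Rule], messages: List[Msg]) -> Dict[str, List[str]]:
    """Evaluate rules top to bottom for each message. A matching '~' stops
    that message, which is the effect the '& ~' line has in rsyslog."""
    out: Dict[str, List[str]] = {}
    for m in messages:
        for r in rules:
            if not r.matches(m):
                continue
            if r.dest == "~":
                break
            out.setdefault(expand(r.dest, m), []).append(expand(r.fmt, m))
    return out


def is_remote(m: Msg) -> bool:
    # the filter in:  if ($hostname != '<ServerName>') then ?RemoteHost
    return m.hostname != CENTRAL


def messages_rule() -> Rule:
    # *.info;mail.none;authpriv.none;cron.none   /var/log/messages
    return Rule(lambda m: SEVERITY[m.severity] <= SEVERITY["info"]
                and m.facility not in ("mail", "authpriv", "cron"),
                "/var/log/messages")


def remote_rules() -> List[Rule]:
    return [
        # *.* @192.168.0.1;SIEM  -- forward everything, keeping the client's %HOSTNAME%
        Rule(lambda m: True, SIEM_TARGET, "<%PRI%>%HOSTNAME% %syslogtag%%msg%"),
        # if ($hostname != '<ServerName>') then ?RemoteHost
        Rule(is_remote, "/var/log/remote-hosts/%HOSTNAME%/%HOSTNAME%-%$YEAR%%$MONTH%%$DAY%.log"),
        # & ~   (same filter as the line above, then discard)
        Rule(is_remote, "~"),
    ]


# Constructed sample traffic: one local message, two from a remote web server.
SAMPLE = [
    Msg("loghost", "auth", "info", "sshd[101]: ", "Accepted publickey for admin"),
    Msg("web01", "daemon", "warning", "httpd[202]: ", "worker restarted"),
    Msg("web01", "daemon", "debug", "httpd[202]: ", "config reloaded"),
]


def correct_order() -> Dict[str, List[str]]:
    """Remote handling before the *.info line, as the post recommends."""
    return run(remote_rules() + [messages_rule()], SAMPLE)


def wrong_order() -> Dict[str, List[str]]:
    """The *.info line first: remote messages leak into /var/log/messages."""
    return run([messages_rule()] + remote_rules(), SAMPLE)


if __name__ == "__main__":
    for label, result in (("correct", correct_order()), ("wrong", wrong_order())):
        print(f"--- {label} order ---")
        for dest, lines in result.items():
            print(dest, lines)
```

With the recommended order, /var/log/messages receives only the loghost line, the web01 messages land in /var/log/remote-hosts/web01/web01-20130703.log, and the SIEM target receives all three lines tagged with the originating hostname (web01, not loghost). With the *.info line moved above the discard, the web01 warning also appears in /var/log/messages, which is exactly the original poster's symptom.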

Posted 03 Jul 13

Thanks for the reply. I will try this one and let you know.
One more thing I want to know is whether it is possible to display the original hostname as the source where the log was generated in the SIEM, instead of displaying the central log server name.

Meaning the client hostname instead of the central log server name.
