Welcome to the Linux Foundation Forum!

Prevent rsyslog from writing messages from remote hosts to /var/log/messages

Hi,

I am configuring rsyslog to capture messages from remote hosts to /var/log/remotehosts. It is working, but messages from remote hosts are also going to /var/log/messages. Is there a way to prevent that from happening? My rsyslog configuration follows.

Thanks in advance,

Leonard

# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerAddress 0.0.0.0
$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
$template DailyPerHostLogs,"/var/log/remotehosts/%HOSTNAME%.%$YEAR%-%$MONTH%-%$DAY%.log"
*.* -?DailyPerHostLogs;TraditionalFormat

## This section added to prevent remote messages from being logged to messages
if $source == 'smctux01' and $syslogseverity <= '6' then /var/log/messages;TraditionalFormat
#######

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

Comments

  • Goineasy9
    Goineasy9 Posts: 1,114
    You seem to know your way around rsyslog, so I won't post any Google links. I myself don't know of an option that will help you filter what goes into /var/log/messages. Hopefully someone who has an answer will see the post. Be patient.
  • winnux
    winnux Posts: 4
    I was fighting this same issue today and came up with what I believe is a solution. I run CentOS servers and my solution focuses on that distro.

    #1 - update to the latest version of syslog
    create /etc/yum.repos.d/rsyslog.repo and place the following into it
    [rsyslog_v7]
    name=Adiscon CentOS-$releasever - local packages for $basearch
    baseurl=http://rpms.adiscon.com/v7-stable/epel-$releasever/$basearch
    enabled=1
    gpgcheck=0
    gpgkey=http://rpms.adiscon.com/RPM-GPG-KEY-Adiscon
    protect=1
    

    Move your existing /etc/rsyslog.conf file to another directory prior to upgrade. This will allow the installer to create a new conf file for you. You can copy/paste your custom settings into the new file post upgrade.

    Execute the command 'yum update rsyslog' to update rsyslog.

    #2
    The following code should be placed before the "*.info;mail.none;authpriv.none;cron.none /var/log/messages" entry. Be sure you replace <ServerName> in the example below with the name of your central logging server.
    # Log each remote host into its own directory and then discard remote server logs:
    $template RemoteHost,"/var/log/remote-hosts/%HOSTNAME%/%HOSTNAME%-%$YEAR%%$MONTH%%$DAY%.log"
    if ($hostname != '<ServerName>') then ?RemoteHost
    & ~
    

    From my research on this, position in the file is critical, you must capture the remote server logs, place them into the dedicated location and discard them when done prior to the *.info entry.

    I hope this helps. I am not guaranteeing that there will be no issues with this setup. As far as I can tell, logging to the local server is working normally and remote hosts all get their own directory and a file with the date string (properly sorting) embedded.

    You'll want to check out the link below to make sure you are compressing the old log files.
    http://wiki.rsyslog.com/index.php/DailyLogRotation
  • Nikhil174
    Nikhil174 Posts: 4
    Hi winnux,

    I had worked with the following script. It's storing in a separate folder but not able to discard.

    And I need your help in one more thing.

    Actually I am using a SIEM tool and I want to forward the rsyslog server logs to the SIEM tool.
    And in the SIEM it should show the hostname of the original source from where the log is generated.

    Client
    > Central Rsyslog Server
    > SIEM

  • winnux
    winnux Posts: 4
    Unless you are doing some processing on the central logging server that changes data in the logs, passing logs to it first and forwarding them to the SIEM offers no advantage vs. sending logs to both servers directly from each host. If I were setting this up I would likely set it up this way.

    If you must send them to the central logging server first and then forward them, something like the code example below *might* work. I have not tested this, it's just a best guess effort on my part to get you headed in the right direction (hopefully).
    # forward all logs to SIEM host. Change 192.168.0.1 to the IP of your SIEM host
    $template SIEM,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%\n"
    *.* @192.168.0.1;SIEM

    # Log each remote host into its own directory and then discard remote server logs:
    $template RemoteHost,"/var/log/remote-hosts/%HOSTNAME%/%HOSTNAME%-%$YEAR%%$MONTH%%$DAY%.log"

    # if rule to call RemoteHost template
    if ($hostname != '<ServerName>') then ?RemoteHost
    & ~
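An added example that is not from the thread, covering both of winnux's replies above (per-host files with discard, and forwarding to a SIEM with the client hostname preserved) in the rsyslog v7 RainerScript syntax that the upgrade in the first reply makes available. The SIEM address 192.168.0.1 and the /var/log/remote-hosts layout are taken from the replies; the ruleset name, the secpath-replace option and binding the listener to a ruleset are my own choices.

```rsyslog
# Added example (not winnux's or Leonard's config): rsyslog v7+ RainerScript.
# The UDP listener is bound to its own ruleset, so remote messages never enter
# the default ruleset and cannot match "*.info ... /var/log/messages", no
# matter where that line sits in the file. Local inputs keep using the default
# ruleset, so local logging is unchanged.
module(load="imuxsock")   # local /dev/log  -> default ruleset
module(load="imklog")     # kernel messages -> default ruleset
module(load="imudp")

# Same per-host daily layout as the RemoteHost template in the replies.
# HOSTNAME comes from the client's message, i.e. untrusted input used in a
# path: secpath-replace rewrites any "/" in it to "_", so a hostname carrying
# path separators cannot add directory components to the file name.
template(name="RemoteHost" type="string"
         string="/var/log/remote-hosts/%HOSTNAME:::secpath-replace%/%HOSTNAME:::secpath-replace%-%$YEAR%%$MONTH%%$DAY%.log")

ruleset(name="remote") {
    # Forward first; "stop" below ends processing for the message.
    # RSYSLOG_ForwardFormat carries the client's HOSTNAME field, so the SIEM
    # displays the client, not the relay (the packet source IP is the relay).
    action(type="omfwd" target="192.168.0.1" port="514" protocol="udp"
           template="RSYSLOG_ForwardFormat")

    # Local per-host copy (omfile creates missing directories by default).
    action(type="omfile" dynaFile="RemoteHost"
           template="RSYSLOG_TraditionalFileFormat")

    # An input-bound ruleset does not fall through to the default one, so
    # "stop" is belt and braces; it is also the replacement for the old "& ~".
    stop
}

# Binding the listener to the ruleset replaces the
# "if $hostname != '<ServerName>'" test: no hostname comparison is needed,
# so a client that forges its HOSTNAME field still cannot reach the local rules.
input(type="imudp" port="514" ruleset="remote")

# Default ruleset: the stock local rules from the thread, unchanged.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
```

Because the relay is the UDP source as far as the SIEM's network layer is concerned, the SIEM must take the host from the syslog HOSTNAME field rather than from the sender IP; any SIEM that parses RFC 3164 does this by default.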
    
    
  • Nikhil174
    Nikhil174 Posts: 4
    Thanks for the reply. I will try this one and let you know.
    One more thing I want to know is whether it is possible to display the original hostname as the source from where the log is generated in the SIEM instead of displaying the central log server name.

    Meaning the client hostname instead of displaying the central log server name.
  • winnux
    winnux Posts: 4
    If you forward from the original server to your logging server and your SIEM server, you'll preserve host.

    @original.host
    @siem.host
  • Nikhil174
    Nikhil174 Posts: 4
    I am trying to configure a central syslog server which will collect all the logs from the clients and forward them to the SIEM machine.

    The central log server will act as a relay server transparent to the SIEM.

    And in the SIEM it would display the client name instead of the central rsyslog server name.
  • winnux
    winnux Posts: 4
    I understood that was what you wanted to do. My question was, why forward from the central logging server to SIEM? Unless there is processing done to the logs before they are forwarded, there is no benefit to sending them to the central logging server first then to SIEM, barring some network connectivity / trust problem.

    The rules in my first reply will hopefully forward while preserving the hostname; however, if you can simply forward to each host from the original server, you're eliminating the need to preserve the hostname, and the proper hostname will show as the source on each target.
  • Nikhil174
    Nikhil174 Posts: 4
    Thanks

    I will try this one tomorrow and let you know.

    We have an infrastructure requirement to set up the central syslog as a transparent / relay server.
