Prevent rsyslog from writing messages from remote hosts to /var/log/messages
Hi,
I am configuring rsyslog to capture messages from remote hosts to /var/log/remotehosts. It is working, but messages from remote hosts are also going to /var/log/messages. Is there a way to prevent that from happening? My rsyslog.conf follows.
Thanks in advance,
Leonard
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerAddress 0.0.0.0
$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
$template DailyPerHostLogs,"/var/log/remotehosts/%HOSTNAME%.%$YEAR%-%$MONTH%-%$DAY%.log"
*.* -?DailyPerHostLogs;TraditionalFormat
## This section added to prevent remote messages from being logged to messages
if $source == 'smctux01' and $syslogseverity <= '6' then /var/log/messages;TraditionalFormat
#######
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
Comments
#1 - update to the latest version of syslog
create /etc/yum.repos.d/rsyslog.repo and place the following into it
Move your existing /etc/rsyslog.conf file to another directory prior to upgrade. This will allow the installer to create a new conf file for you. You can copy/paste your custom settings into the new file post upgrade.
Execute the command 'yum update rsyslog' to update rsyslog.
#2
The following code should be placed before the "*.info;mail.none;authpriv.none;cron.none /var/log/messages" entry. Be sure you replace <ServerName> in the example below with the name of your central logging server.
From my research on this, position in the file is critical: you must capture the remote server logs, place them into the dedicated location and discard them when done, prior to the *.info entry.
I hope this helps. I am not guaranteeing that there will be no issues with this setup. As far as I can tell, logging to the local server is working normally and remote hosts all get their own directory and a file with the date string (properly sorting) embedded.
You'll want to check out the link below to make sure you are compressing the old log files.
http://wiki.rsyslog.com/index.php/DailyLogRotation
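The ordering the reply above describes, written out as an added example (rsyslog v5 legacy syntax; this is not the commenter's snippet, which is not reproduced on the page, and not the asker's file). It assumes the central server is smctux01 from the question, that the listener is bound to an assumed LAN address 192.0.2.10, and that local inputs report fromhost-ip 127.0.0.1. The remote-host rule writes each message to its per-host file and then discards it, so the stock *.info rule below never sees it:

```conf
# Added example (not the page's own config): rsyslog v5 legacy syntax.
# Assumed: central server smctux01, listener address 192.0.2.10 (LAN).

$ModLoad imuxsock    # local messages via /dev/log (logger, daemons)
$ModLoad imklog      # kernel messages
$ModLoad imudp
# Bind to one interface rather than 0.0.0.0 so the collector does not
# accept syslog from every network it happens to be attached to.
$UDPServerAddress 192.0.2.10
$UDPServerRun 514

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf

# Per-host daily files. The HOSTNAME field comes straight from the remote
# sender's syslog header, so it ends up in a filesystem path. secpath-replace
# turns any '/' in it into '_', so a hostname like "../../etc/cron.d/x"
# cannot steer the file outside /var/log/remotehosts.
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
$template DailyPerHostLogs,"/var/log/remotehosts/%HOSTNAME:::secpath-replace%.%$YEAR%-%$MONTH%-%$DAY%.log"
$DirCreateMode 0750
$FileCreateMode 0640

# Order matters: this pair must sit before the stock *.info rule.
# Local inputs (imuxsock, imklog) report fromhost-ip 127.0.0.1 (assumed
# here); anything else arrived over the network. Write it to its per-host
# file, then discard it ("& ~" in v5) so no later rule can also put it
# into /var/log/messages or /var/log/secure.
:fromhost-ip, !isequal, "127.0.0.1" -?DailyPerHostLogs;TraditionalFormat
& ~

#### RULES (reached by local messages only) ####
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
```

Check the file with `rsyslogd -N1` before restarting. To exercise the remote path without a real client, a constructed RFC 3164 datagram such as `printf '<13>Jun  1 12:00:00 testhost test: hello\n' | nc -u 192.0.2.10 514` should create /var/log/remotehosts/testhost.YYYY-MM-DD.log and leave /var/log/messages untouched. If you would rather not depend on rule order at all, rsyslog v5 can bind the UDP input to its own ruleset (`$RuleSet remote`, the per-host action, then `$InputUDPServerBindRuleset remote` before `$UDPServerRun`, and `$RuleSet RSYSLOG_DefaultRuleset` to return); messages processed in that ruleset never reach the local rules, which is the stronger separation when untrusted hosts can reach the listener.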
I had worked with the following script; it is storing in a separate folder but is not able to discard.
And I need your help with one more thing.
Actually, I am using a SIEM tool and I want to forward the rsyslog server logs to the SIEM tool.
And in the SIEM it should show the hostname of the original source where the log was generated.
Client -> Central Rsyslog Server -> SIEM
If you must send them to the central logging server first and then forward them, something like the code example below *might* work. I have not tested this, it's just a best guess effort on my part to get you headed in the right direction (hopefully).
One more thing I want to know is whether it is possible to display the original hostname, from where the log was generated, as the source in the SIEM instead of displaying the central log server name.
Meaning the client hostname instead of the central log server name.
@original.host
@siem.host
The central log server will act as a relay server, transparent to the SIEM.
And in the SIEM it would display the client name instead of the central rsyslog server name.
The rules in my first reply will hopefully forward while preserving the hostname, however if you can simply forward to each host from the original server you're eliminating the need to preserve hostname, the proper hostname will show as the source on each target.
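The relay setup discussed above, as an added example for the central server (rsyslog v5 syntax; it is not the commenter's untested snippet, which the page does not reproduce). It assumes the SIEM collector is reachable at siem.example.net on TCP 514 and that the per-host write-and-discard rule from earlier in the thread follows it. The built-in RSYSLOG_ForwardFormat template fills HOSTNAME from the received message header, so the SIEM sees the client's name rather than the relay's:

```conf
# Added example (not the page's own config): central rsyslog server relaying
# to a SIEM while keeping the originating client's hostname.
# Assumed: SIEM collector at siem.example.net, TCP 514.

# Disk-assisted queue for the forwarding action: a SIEM outage then neither
# blocks local logging nor drops the messages received from clients.
# These $ActionQueue* directives apply to the next action only.
$ActionQueueType LinkedList
$ActionQueueFileName siemfwd
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1

# Forward everything (local and relayed) to the SIEM. "@@" is TCP, "@" is
# UDP. RSYSLOG_ForwardFormat is a built-in template whose HOSTNAME field is
# the hostname parsed from the message as received, not this host's name,
# so a message from client01 still reads "client01" at the SIEM.
# This line must come BEFORE the per-host write + discard rule; once a
# message is discarded ("& ~") no later action, including this one, runs.
*.* @@siem.example.net:514;RSYSLOG_ForwardFormat

# Per-host write and discard for network-received messages, as before.
$template DailyPerHostLogs,"/var/log/remotehosts/%HOSTNAME:::secpath-replace%.%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, !isequal, "127.0.0.1" -?DailyPerHostLogs
& ~

# Local rules follow here (e.g. *.info;mail.none;authpriv.none;cron.none /var/log/messages).
```

Two things to verify on the SIEM side. First, the hostname it displays must be taken from the syslog header, not from the sending IP; a collector keyed on source address will still label every event with the relay. Second, that header value is whatever the client chose to send and the relay does not check it, so if client identity matters for alerting, have the SIEM correlate the header hostname against the client's expected address or use TLS with client certificates between client and relay rather than trusting the field on its own.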
I will try this one tomorrow and let you know.
We have an infrastructure requirement to set the central syslog server up as a transparent relay server.