N00b Rsyslog.conf Question – How To Separate Local Syslog From Network Appliance Syslog?


I have several network appliances, and I want to aggregate their syslog output for later analysis. Eventually I might think about a Splunk box, but for the interim I’m hoping to just build a CentOS 6 syslog server and have it aggregate everything on it for quick review.

I installed rsyslog and am looking through the /etc/rsyslog.conf file for what I need to configure to (a) listen for syslog input from other devices (UDP port 514 is fine), (b) make a log, and (c) log rotate files.

(a) I see in there (if I comment it out)

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

(Obviously add an iptables rule to let this traffic in)

(b) I see options in there, but am not sure how to separate the local logs from the remote logs. Is it something like the following?

*.*;local6.none;auth,authpriv.none -/var/log/syslog

(c) I understand I can do this if I edit
/etc/logrotate.d/MyNetworkAppliance.log. This isn’t as big of a concern right now. Just trying to figure out how to log things separately. :/

Any suggestions on what I should do to make this work?

One thought on - N00b Rsyslog.conf Question – How To Separate Local Syslog From Network Appliance Syslog?

  • Hello,

    this is how I do it.

    (c)

    $template Tdefault,"/logs/%fromhost-ip%/%syslogfacility-text%.%$YEAR%-%$MONTH%-%$DAY%.log"
    $template FileFormat,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

    *.* -?Tdefault;FileFormat

    (b)
    Dropping not localhost. All events not from localhost are _dropped_
    because of the following rule. This is the end of the config file, dealing only with local logs:

    :fromhost-ip, !isequal, "127.0.0.1" ~

    #kern.* /dev/console

    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none;cron.none /var/log/messages

    …and so on (standard rsyslog.conf). Mind the line breaks, if lines are wrapped in email.

    Ignas
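Putting the reply's pieces together with the original question's three points, here is an added example /etc/rsyslog.conf fragment for a CentOS 6 / rsyslog 5 collector. It is not the original post's or Ignas's own configuration; the 10.0.0.0/8 appliance network and the /var/log/remote directory are assumptions to be adjusted. The difference from the reply is that the remote branch is filtered on the sender address rather than writing everything first and discarding afterwards, so local messages do not also end up under a 127.0.0.1 directory:

```conf
# Added example, not from the post or the reply. Assumes rsyslog 5 legacy
# syntax (CentOS 6); 10.0.0.0/8 and /var/log/remote are placeholders.

# --- Local inputs, as in the stock CentOS file ---
$ModLoad imuxsock
$ModLoad imklog

# --- (a) Network input: UDP/514, accepted only from the appliance network ---
# $AllowedSender must precede $UDPServerRun; datagrams from other sources are dropped.
$ModLoad imudp
$AllowedSender UDP, 127.0.0.1, 10.0.0.0/8
$UDPServerRun 514

# --- (b) Remote logs: one directory per sender, one file per facility per day ---
# Directories/files are created with restrictive modes; the date in the name
# means these files never need logrotate, only periodic cleanup (see (c)).
$DirCreateMode 0750
$FileCreateMode 0640
$template RemoteFile,"/var/log/remote/%fromhost-ip%/%syslogfacility-text%.%$YEAR%-%$MONTH%-%$DAY%.log"
$template RemoteFormat,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

# Messages NOT from localhost: write to the per-host dynamic file ("-?" = async),
# then "& ~" discards the same selection so they never reach the local rules.
:fromhost-ip, !isequal, "127.0.0.1" -?RemoteFile;RemoteFormat
& ~

# --- Only local messages remain: the stock CentOS rules, unchanged ---
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     -/var/log/maillog
cron.*                                     /var/log/cron
*.emerg                                    *
local7.*                                   /var/log/boot.log
```

Ordering is what makes this work: the remote filter and its `& ~` discard must sit above the local rules, and the `$AllowedSender` line above `$UDPServerRun`. For (c), the local files keep the stock /etc/logrotate.d/syslog entry, while the dated remote files only need a cron job that removes old entries under /var/log/remote. Two things to keep in mind when reviewing these logs: plain UDP syslog carries no authentication, so the `%fromhost-ip%` directory name reflects the source address on the wire and `$AllowedSender` only narrows which addresses are accepted; and `%HOSTNAME%` is whatever the appliance put in the message header, so the IP-named directory is the more trustworthy of the two identifiers.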
