6

I want to configure rsyslog on a centralised server so that all the logs of the clients are stored in one place. The problem I'm having is that I don't know how to implement rsyslog so that it creates logs based on programmes on the client machines, e.g. 'httpd', and saves them in different files, e.g. '/var/log/httpd.log'. When it sends the logs to the remote server, the files should be saved like '/var/log/ip-address of host/httpd.log'. I have these two problems:

  1. Logs should be created on a programme basis.
  2. While logs are transmitted to the remote server, they should be stored on a program basis, with different directories for different hosts.

I hope I made my question clear. Please help.

To create logs based on the programme, I believe I will have to use something like this on the client side:

 if $programname == 'httpd' and $syslogseverity <= '6' then /var/log/httpd.log

 if $programname == 'httpd' and $syslogseverity <= '6' then ~

I also found this question, but it doesn't completely solve my problem:

how to configure rsyslog

Tarun

1 Answer

3

You need to first configure your rsyslog server to be able to receive messages from the clients.

Edit your server's rsyslog configuration file and create or make sure that the following lines exist:

$ModLoad imuxsock
$ModLoad imklog
# Provides UDP syslog reception. For TCP, load imtcp and use $InputTCPServerRun 514
$ModLoad imudp
# Start the UDP listener; loading imudp alone does not open the port
$UDPServerRun 514
# This will save the log file in a separate directory for each client's IP
$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"
#Create a rule for each application you need to filter, ie: httpd messages
$template HTTPD,"/var/log/%fromhost-ip%/httpd.log"

#Create a separate log rule for the specific application
if $programname == 'httpd' then ?HTTPD
&~

#Dump all remaining messages that do not match the filters created into one file
*.* ?FILENAME

After that you need to go to each client and add the following lines to the rsyslog.conf file:

$ModLoad imuxsock
$ModLoad imklog
# Provides UDP forwarding. For TCP use @@server_ip
*.* @server_ip:514

And you should be ready. Everything that the clients send to the server will be filtered with the rules you created, and the messages will be saved to the files in each client's IP address folder according to the templates you made on the server side.

Bruno Pereira
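Both sides of the setup in one place, as an added example that is not part of the answer above. It goes beyond the answer by replacing the one-template-per-application approach with a single template keyed on `%programname%`; `server_ip` is the answer's placeholder, and the `127.0.0.1` test assumes locally generated messages carry that address in `fromhost-ip`.

```rsyslog
# ===== Client: /etc/rsyslog.conf (added example, legacy syntax as used on this page) =====
$ModLoad imuxsock
$ModLoad imklog

# 1. Forward first. If the discard rule below ran before this line,
#    httpd messages would be dropped and never reach the server.
#    Single @ is UDP; use @@server_ip:514 for TCP.
*.* @server_ip:514

# 2. Local per-program file (problem 1 in the question)
if $programname == 'httpd' and $syslogseverity <= '6' then /var/log/httpd.log
# 3. Keep those httpd messages out of the client's remaining local rules
if $programname == 'httpd' and $syslogseverity <= '6' then ~


# ===== Server: /etc/rsyslog.conf (added example) =====
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imudp
$UDPServerRun 514

# One dynamic file name for every host and program (problem 2 in the question).
# programname is taken from the message the client sent, so it is untrusted:
# secpath-replace turns any "/" in it into "_" so the value cannot add
# path components below the per-host directory.
$template PerHostProgram,"/var/log/%fromhost-ip%/%programname:::secpath-replace%.log"

# Apply the template to remote messages only (assumption: local messages
# show 127.0.0.1 as fromhost-ip), then stop processing them so they do not
# also land in the server's own log files.
if $fromhost-ip != '127.0.0.1' then ?PerHostProgram
& ~

# The server's own messages fall through to its normal rules below this point.
# Note: newer rsyslog versions deprecate the "~" discard action in favour of "stop".
```

`%fromhost-ip%` is the source address the receiver saw on the packet, which UDP does not authenticate, so limit port 514 at the firewall to the networks your clients live on. Because any program name a client sends creates a new file, watch the per-host directories for unexpected file names.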