
I've got a very simple setup with logs being collected from three servers: 10.0.4.1, 10.0.4.2, and 10.0.4.3

Config files, in /etc/rsyslog.d/syslogconfig.conf, follow this pattern [with changed IP addresses]:

```
# Remote devices config for syslog

#10.0.4.1
:HOSTNAME, isequal, "10.0.4.1" /var/log/syslog-a.log
& stop
```

I want to consolidate logs from all three servers into a single file, but no matter what I try* I can't get it to work.

*[I've tried duplicating the :HOSTNAME line as above for each log-generating server, followed by '& stop', and also

`:msg, regex, ".*10.0.4.[1-3[{1}.*"`

]

Lorccan
  • plain `regex` means basic regular expressions here - unescaped curly braces do not have special meaning there (but you do not need them here, anyway, try `:hostname, regex, "10.0.4.[123]$"`) – anx Oct 26 '20 at 23:16
  • Thanks, but no luck. With that, I am only getting logs from 10.0.4.1 (which, admittedly, is generating more than the other two). I have restarted the `rsyslog` service each time I've modded the config, so it's not that that's causing the problem. – Lorccan Oct 27 '20 at 19:19
  • Show your full config & results, then. As it stands, it's not exactly clear from your question which log entries currently go where (and whether logs from the other hosts are collected at all). – anx Oct 27 '20 at 19:42
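
The comment above about plain `regex` meaning basic regular expressions can be checked offline with `grep`, whose default syntax is POSIX BRE (`grep -E` is ERE). This is an added example, not part of the original thread: the sample values are constructed, the fully escaped pattern is an illustrative variant, and `grep` only stands in for the regex syntax, not for rsyslog itself.

```shell
#!/bin/sh
# Added illustration: compare how POSIX BRE and ERE read the filter patterns
# discussed in this thread. SAMPLES are constructed values, not real log data.
SAMPLES='10.0.4.1
10.0.4.2
10.0.4.3
10.0.4.4
10.0.4.10
web10-0-4-1'

# match MODE PATTERN: print the sample values PATTERN selects, space-separated.
# MODE is "bre" (basic, grep -G) or "ere" (extended, grep -E).
match() {
    flag=-G
    if [ "$1" = ere ]; then flag=-E; fi
    printf '%s\n' "$SAMPLES" | { grep "$flag" -e "$2" || true; } | paste -s -d ' ' -
}

# regex_status MODE PATTERN: print grep's exit status for PATTERN on empty
# input: 1 means it compiled (and matched nothing), 2 or more means an error.
regex_status() {
    flag=-G
    if [ "$1" = ere ]; then flag=-E; fi
    rc=0
    printf '' | grep -q "$flag" -e "$2" 2>/dev/null || rc=$?
    echo "$rc"
}

# 1) '{1}' is literal text in BRE, so the first pattern selects nothing there.
# 2) Unescaped dots match any character, so '10.0.4.[123]$' also selects
#    'web10-0-4-1'; '$' is what keeps '10.0.4.10' out.
# 3) Escaped dots plus both anchors select exactly the three addresses.
for p in '10.0.4.[1-3]{1}' '10.0.4.[123]$' '^10\.0\.4\.[123]$'; do
    printf 'BRE %-20s -> %s\n' "$p" "$(match bre "$p")"
    printf 'ERE %-20s -> %s\n' "$p" "$(match ere "$p")"
done

# The pattern exactly as typed in the question has an unclosed '[' bracket,
# so a POSIX regex compiler rejects it instead of matching anything.
printf 'status of the pattern as typed: %s\n' \
    "$(regex_status bre '.*10.0.4.[1-3[{1}.*')"
```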

0 Answers