I've set up rsyslog (according to guides like this) to ingest remote logs via the following general configuration:
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")
module(load="imklog" permitnonkernelfacility="on")
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf
Additionally, I've created the file /etc/rsyslog.d/remote.conf with these contents:
$template RemoteLogs,"/mnt/monitoring-logs/logs/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
$template HostAudit, "/mnt/monitoring-logs/logs/%HOSTNAME%/audit.log"
local6.* ?HostAudit
& ~
This works in the sense that it creates the respective hostname directories and specific logs. However, I also see all logs duplicated in my local host's logfiles (in /var/log). For instance, /var/log/syslog contains messages not only from the monitoring server's host, but also from all other remote hosts.
How can I prevent this type of duplication? I'd only like to see the messages from the host itself being logged to the default log files.
I guess I need some way to stop forwarding these specific remote logs. Looking at the documentation (which I found from the link in this question) I noted there is a way to add a ruleset, so I changed my general config to this:
ruleset(name="remote") {
action(type="omfile" file="/mnt/monitoring-logs/logs/%HOSTNAME%/%PROGRAMNAME%.log")
stop
}
# ...
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
This made it stop ingesting remote logs into the general logfiles, but it also made it stop writing the output to the dedicated /mnt/monitoring-logs folder.
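The following is an added example configuration, not part of the question above, showing one way to get both results at once: remote messages land only under /mnt/monitoring-logs, and never reach the default ruleset that writes /var/log/syslog. Two things differ from the ruleset attempt in the question. First, the omfile `file=` parameter is a static path, so %HOSTNAME%/%PROGRAMNAME% are not expanded there; a per-message path has to come from a template referenced through `dynaFile=`. Second, the `*.*`/`local6.*` lines are moved out of the default ruleset, because left in /etc/rsyslog.d/remote.conf they also apply to the local host's own messages. The directory /mnt/monitoring-logs/logs, the ruleset name `remote` and the facility `local6` are taken from the question; everything else here is an assumption to be adapted.

```rsyslog
# Added example, not the original post's configuration.
# Put this in a single file such as /etc/rsyslog.d/remote.conf and remove
# the legacy "$template ... / *.* ?RemoteLogs / local6.* ?HostAudit / & ~"
# lines, otherwise they keep applying to the local host's messages as well.

# Templates build the per-message path; omfile's file= cannot do this itself.
template(name="RemoteLogs" type="string"
         string="/mnt/monitoring-logs/logs/%HOSTNAME%/%PROGRAMNAME%.log")
template(name="HostAudit" type="string"
         string="/mnt/monitoring-logs/logs/%HOSTNAME%/audit.log")

# Messages bound to this ruleset never enter the default ruleset, so they
# are not written to /var/log/syslog and friends.
ruleset(name="remote") {
    # local6 goes only to the per-host audit file (same intent as "& ~").
    if $syslogfacility-text == "local6" then {
        action(type="omfile" dynaFile="HostAudit"
               dirCreateMode="0755" fileCreateMode="0640"
               fileOwner="syslog" fileGroup="adm")
        stop
    }
    # Everything else from remote hosts goes to <host>/<program>.log.
    action(type="omfile" dynaFile="RemoteLogs"
           dirCreateMode="0755" fileCreateMode="0640"
           fileOwner="syslog" fileGroup="adm")
    stop
}

# Bind only the network inputs to the ruleset; imklog and imuxsock (local
# messages) stay on the default ruleset and the stock /var/log rules.
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")
module(load="imtcp")
input(type="imtcp" port="514" ruleset="remote")
```

Before restarting, `rsyslogd -N1` parses the configuration and reports syntax errors without starting the daemon. Note that messages bound to the `remote` ruleset bypass the default ruleset entirely, so if some remote events should still reach /var/log (for example auth messages you want in the local journal for alerting), they have to be written explicitly inside the ruleset rather than expected to fall through.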