I've set up a logging server using rsyslog with relp. It works just fine as far as receiving remote logs and placing them in /var/spool/rsyslog.

My problem is: most of these messages are appearing in my /var/log/messages file as well, which can get fairly huge, fairly fast.

My config on the logging server:

    #### MODULES ####

    $ModLoad imuxsock # provides support for local system logging
    $ModLoad imklog   # provides kernel logging support (previously done by rklogd)

    # RELP config
    $ModLoad imrelp
    $InputRELPServerRun 2514

    #### GLOBAL DIRECTIVES ####

    # Filter duplicated messages
    $RepeatedMsgReduction on

    # Set the default permissions for all log files.
    $FileOwner syslog
    $FileGroup adm
    $FileCreateMode 0640
    $DirCreateMode 0755
    $Umask 0022
    $PrivDropToUser syslog
    $PrivDropToGroup syslog

    # Where to place spool files
    $WorkDirectory /var/spool/rsyslog

    # Include all config files in /etc/rsyslog.d/
    $IncludeConfig /etc/rsyslog.d/*.conf

    # global templates
    # DONT CHANGE UNLESS YOU KNOW WHAT YOU ARE DOING
    $ActionFileDefaultTemplate RSYSLOG_ForwardFormat
    $template precise,"%syslogpriority% %syslogfacility% %timegenerated% %HOSTNAME% %syslogtag% %msg%\n"
    $ActionFileDefaultTemplate precise

    # This should place all remote log items into /var/spool/rsyslog
    $template RemoteHost,"/var/spool/rsyslog/%programname%.log"

    # My brain says: this prevents anything coming in from a remote host from
    # being written in /var/log/whatever - MY BRAIN LIES TO ME!
    if ($hostname != 'my.server.name') then ?RemoteHost
    &~

My reading of the man page says that the hostname check and the "ampersand tilde" should prevent remote stuff from tainting my logfiles.

Clues?

DISTRIB_DESCRIPTION="Ubuntu 12.04.3 LTS"

lysdexia

4 Answers

You must have something like this in your rsyslog config file:

    *.*;auth,authpriv.none          -/var/log/syslog

If you take a look, you are registering ALL severities from ALL facilities to the syslog file, except the auth and authpriv facilities.

Simply add the facility which you don't want to log, plus the "none" severity, i.e. local6:

    *.*;auth,authpriv.none;local6.none          -/var/log/syslog

Of course, you must restart or reload the rsyslog daemon after modifying config files.

Hope this helps; it is far simpler than using complex rsyslog filters.

mvillar

I am not sure if you are able to use hostnames at that point.

Personally I used `$fromip == 'x.x.x.x'` as a condition for different filenames.

Below is a nice example which works for my setup, though it might be a problem if you have a lot of different IP ranges.

This is copied from

http://www.rsyslog.com/tag/more-complex-scenarios/

> Storing Messages from a Remote System into a specific File (Tuesday, February 23rd, 2010)
>
> This is a log-consolidation scenario. There exist at least two systems, a server and at least one client. The server is meant to gather log data from all the clients. Clients may (or may not) process and store messages locally. If they do, doesn't matter here. See recipe Sending Messages to a Remote Syslog Server for how to configure the clients.
>
> Messages from remote hosts in the 192.0.1.x network shall be written to one file and messages from remote hosts in the 192.0.2.x network shall be written to another file.
>
> Things to think about
>
> TCP reception is not a built-in capability. You need to load the imtcp plugin in order to enable it. This needs to be done only once in rsyslog.conf. Do it right at the top.
>
> Note that the server port address specified in $InputTCPServerRun must match the port address that the clients send messages to.
>
> Config Statements
>
>     $ModLoad imtcp
>     $InputTCPServerRun 10514
>     # do this in FRONT of the local/regular rules
>     if $fromhost-ip startswith '192.0.1.' then /var/log/network1.log
>     & ~
>     if $fromhost-ip startswith '192.0.2.' then /var/log/network2.log
>     & ~
>     # local/regular rules, like
>     *.* /var/log/syslog.log
Dennis Nolte
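The excerpt above makes the point that matters for the question: legacy rsyslog rules are evaluated top to bottom, and the discard has to sit in FRONT of the local/regular rules. In the question's config the catch-all rules (on Ubuntu, `*.*;auth,authpriv.none -/var/log/syslog` in /etc/rsyslog.d/50-default.conf) are pulled in by `$IncludeConfig` before the `?RemoteHost` filter is ever reached. The reordered server config below is an added example, not part of the question or any answer; it keeps the legacy directive syntax the question uses and assumes, as in Cory Knutson's answer, that locally generated messages carry a `$fromhost-ip` of 127.0.0.1.

```conf
#### MODULES ####
$ModLoad imuxsock   # local system logging
$ModLoad imklog     # kernel logging
$ModLoad imrelp
$InputRELPServerRun 2514

#### GLOBAL DIRECTIVES ####
$WorkDirectory /var/spool/rsyslog
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$PrivDropToUser syslog
$PrivDropToGroup syslog

# A template must be defined before the rule that references it.
$template RemoteHost,"/var/spool/rsyslog/%programname%.log"

# Remote messages: write them to the per-program spool file, then discard
# (& ~) so they never reach any rule below this point. Local messages
# (imuxsock/imklog) arrive with $fromhost-ip 127.0.0.1 (assumption noted
# in the lead-in) and fall through to the regular rules.
if $fromhost-ip != '127.0.0.1' then ?RemoteHost
& ~

# Only NOW include the distribution defaults. On Ubuntu this is where
# "*.*;auth,authpriv.none -/var/log/syslog" lives; because the discard
# above has already run, remote messages no longer land in /var/log/syslog.
$IncludeConfig /etc/rsyslog.d/*.conf
```

Before restarting, `rsyslogd -N1` parses the configuration and reports syntax errors without starting the daemon.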

This is what is working for me.

For accepting syslog info from remote hosts:

    $template TempAuth, "/var/log/infosys/%HOSTNAME%/%PROGRAMNAME%.log"
    $template TempMsg,  "/var/log/infosys/%HOSTNAME%/%PROGRAMNAME%.log"

    if ($fromhost-ip != "127.0.0.1" ) then ?TempAuth
    & ~
    if ($fromhost-ip != "127.0.0.1" ) then  ?TempMsg
    & ~
Cory Knutson

How about the following?

    if ($hostname != $fromhost) then {
        ## No further processing.
        stop
    }
Onlyjob