2

I am in the middle of configuring a (r)syslog server as a remote server that receives logs from various clients.

I wonder whether there is a nicer way to dynamically generate multiple file names, as opposed to creating a template for each facility.priority whose filename should be created dynamically.

$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"
kern.*                          ?FILENAME

Besides that, do I have to explicitly tell the services/daemons to use TCP in order to use logging via TCP with (r)syslogd? Like when I turn off the server's ability to receive UDP packets, it stops logging anything. Or, differently put:

kern.*                           @loghost 

doesn't work.

peterh
Andrew Tobey

2 Answers

1

Yes, templates are the standard and recommended way to generate dynamic file names in rsyslog. They allow you to logically separate the file name format from the action and introduce clear structure to your config.

Regarding TCP, Jenny D already gave you the correct answer. Please note that your hosts need to support syslog over TCP. Syslog was initially based on UDP, so depending on what versions of syslog daemons you are running on your hosts, TCP may not be possible on some or even all of them. TCP is supported by both rsyslog and syslog-ng.

For extra reference on rsyslog, RedHat has pretty nice documentation.

grekasius
  • Thanks, works. But when I try to write to kern.crit or syslog.crit just for testing purposes via the "logger" tool, nothing happens. All other services pass the logger test, though. Can't I use logger to write to these facilities? – Andrew Tobey Aug 13 '14 at 09:39
  • As far as I remember `logger` doesn't allow you to fake kernel messages for security reasons. There may be a similar restriction for the `syslog` facility as well. – grekasius Aug 13 '14 at 09:50
  • Thanks a lot, you were a great help! Have a nice day. You made mine. – Andrew Tobey Aug 13 '14 at 09:50
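As an added example (not part of either answer or of the rsyslog project's own documentation), here is a server-side configuration in rsyslog's legacy directive syntax that covers the question's two points at once: a single template that builds the file name from the sender's IP, facility and severity, so no per-facility.priority template is needed, and a TCP-only listener. The subnet 192.0.2.0/24, the directory /var/log/remote and the ruleset name "remote" are placeholders I chose; adjust them to your network.

```rsyslog
# Added example, not from the original post. Server side, legacy syntax.
# 192.0.2.0/24, /var/log/remote and the ruleset name "remote" are assumptions.

# Load the TCP listener only; with no imudp there is nothing for a UDP-only
# client to talk to, which is the behaviour described in the question.
$ModLoad imtcp

# One template for every facility.priority pair. The path is built per
# message: %fromhost-ip% comes from the TCP connection (not from message
# content a client could forge), %syslogfacility-text% and
# %syslogseverity-text% are the parsed facility and severity names, e.g.
# /var/log/remote/192.0.2.10/kern.crit.log
$template DynFile,"/var/log/remote/%fromhost-ip%/%syslogfacility-text%.%syslogseverity-text%.log"
$CreateDirs on
$DirCreateMode 0750
$FileCreateMode 0640

# Remote messages get their own ruleset so the server's local logging rules
# further down in the file are not affected.
$RuleSet remote
*.*    ?DynFile

# Only accept TCP senders from known addresses, bind the listener to the
# ruleset above, then start it on port 514.
$AllowedSender TCP, 127.0.0.1, 192.0.2.0/24
$InputTCPServerBindRuleset remote
$InputTCPServerRun 514

# Switch back to the default ruleset for the rest of the configuration.
$RuleSet RSYSLOG_DefaultRuleset
```

The important choice is which properties go into the path: %fromhost-ip% is taken from the socket, whereas %hostname% or %programname% are read from the message and can be set to anything by the sender, so they should not be used to construct file names on a collector that receives from hosts you do not fully trust. After editing, restart rsyslog and send a test message from a client with `logger -p user.info "tcp test"`; it should appear under the client's IP directory as user.info.log.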
0

From the manual page:

   To  forward  messages to another host via UDP, prepend the hostname
   with the at sign ("@").  To forward it via plain tcp,  prepend  two
   at signs ("@@").

So change your config line like so:

kern.*                           @@loghost 

and tell rsyslog to reread the config file.

Jenny D
  • I did. But the server won't receive anything! I am assuming that some services/daemons probably can't send via TCP to syslog or at least don't do that by default. – Andrew Tobey Aug 13 '14 at 08:40
  • My answer was based on the client machines also using rsyslog. If they're not, then you need to check the man page for whatever syslog version they're using. If it's a very old syslog then UDP is your only option. – Jenny D Aug 13 '14 at 08:43
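The client side of the setup, as an added example that is not part of Jenny D's answer: the `@@loghost` forwarding line from the answer, plus the queue settings a practitioner adds so that messages are kept on disk while the collector is unreachable rather than dropped. "loghost", port 514, the spool directory and the queue file name "fwdq" are assumptions to adjust.

```rsyslog
# Added example, not from the answer. Client side (rsyslog), legacy syntax.
# "loghost", port 514, /var/spool/rsyslog and "fwdq" are assumptions.

# Disk-assisted queue for the forwarding action that follows: messages are
# buffered while the TCP connection to loghost is down, saved on shutdown,
# and delivery is retried indefinitely instead of being discarded.
$WorkDirectory /var/spool/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName fwdq
$ActionQueueMaxDiskSpace 100m
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1

# Two at signs select plain TCP; a single "@" would send over UDP.
*.*    @@loghost:514

# The same action in RainerScript syntax (rsyslog 7 or newer), shown for
# comparison; use one form or the other, not both:
# action(type="omfwd" target="loghost" port="514" protocol="tcp"
#        queue.type="LinkedList" queue.filename="fwdq"
#        queue.maxDiskSpace="100m" queue.saveOnShutdown="on"
#        action.resumeRetryCount="-1")
```

This answers the question's last worry directly: the applications on the client do not need to know anything about TCP. They keep writing to the local syslog socket as before, and it is the client's rsyslog that opens the TCP connection to loghost. Plain TCP carries the messages unencrypted and unauthenticated; rsyslog can wrap the same forwarding in TLS via its gtls network stream driver, which is worth doing when the collector is reached over an untrusted network.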