How to call template so rsyslog 8 creates one log file per client

Question

I'm using rsyslog 8.22 to receive syslog data sent from client hosts. My goal is to have one log file created per client.

I've found a lot of data on older versions of rsyslog, but the change in configuration syntax has thrown me.

This configuration proves rsyslog is working, but aggregates all entries into one file:

if $fromhost-ip startswith '192.168.117.' then {
    action(type="omfile" file="/var/log/network.log")
    stop
}

(The rest of my /etc/rsyslog.conf is default.)

The following is not working. (No file is created):

template (name="DynFile" type="string" string="/var/log/network-%fromhost-ip%.log")
if $fromhost-ip startswith '192.168.117.' then {
    action(type="omfile" file="DynFile")
    stop
}

What am I missing?

score 4 · Accepted Answer · answered Oct 04 '16 at 23:21

4

The fix is to specify dynaFile in the action argument (not file).

template (name="DynFile" type="string" string="/var/log/network-%fromhost-ip%.log")
if $fromhost-ip startswith '192.168.117.' then {
    action(type="omfile" dynaFile="DynFile")
    stop
}

This creates the expected results:

$ ls -l /var/log/network/    
-rw-r--r--. 1 root root       286 Oct  4 13:21 192.168.117.21.log    
-rw-r--r--. 1 root root       284 Oct  4 13:25 192.168.117.22.log
-rw-r--r--. 1 root root       184 Oct  4 13:32 192.168.117.27.log
$

answered Oct 04 '16 at 23:21

StandardEyre

303
1
3
17

1

There is an error in this answer. According to the template all the files are put in the folder /var/log and the filenames are network-IPADDRESS.log whereas in your example the files are put in the subfolder /var/log/network and the filenames are just IPADDRESS.log without the network- prefix. – cstoll May 14 '20 at 17:43

How to call template so rsyslog 8 creates one log file per client

1 Answers1