2

I'm using rsyslog 8.22 to receive syslog data sent from client hosts. My goal is to have one log file created per client.

I've found a lot of data on older versions of rsyslog, but the change in configuration syntax has thrown me.

This configuration proves rsyslog is working, but aggregates all entries into one file:

if $fromhost-ip startswith '192.168.117.' then {
    action(type="omfile" file="/var/log/network.log")
    stop
}

(The rest of my /etc/rsyslog.conf is default.)

The following is not working. (No file is created):

template (name="DynFile" type="string" string="/var/log/network-%fromhost-ip%.log")
if $fromhost-ip startswith '192.168.117.' then {
    action(type="omfile" file="DynFile")
    stop
}

What am I missing?

StandardEyre

1 Answer

4

The fix is to specify dynaFile in the action argument (not file).

template (name="DynFile" type="string" string="/var/log/network-%fromhost-ip%.log")
if $fromhost-ip startswith '192.168.117.' then {
    action(type="omfile" dynaFile="DynFile")
    stop
}

This creates the expected results:

$ ls -l /var/log/network/    
-rw-r--r--. 1 root root       286 Oct  4 13:21 192.168.117.21.log    
-rw-r--r--. 1 root root       284 Oct  4 13:25 192.168.117.22.log
-rw-r--r--. 1 root root       184 Oct  4 13:32 192.168.117.27.log
$
StandardEyre
    There is an error in this answer. According to the template all the files are put in the folder /var/log and the filenames are network-IPADDRESS.log whereas in your example the files are put in the subfolder /var/log/network and the filenames are just IPADDRESS.log without the network- prefix. – cstoll May 14 '20 at 17:43
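
An added example, not part of the original answer or comment: a configuration that writes the `/var/log/network/<ip>.log` layout shown in the directory listing, with explicit directory and file modes instead of the world-readable files in that listing. The template name `PerClientFile`, the mode values and the cache size are assumptions chosen for illustration.

```rsyslog
# Added example (not from the original post). The template name, the modes
# and the cache size below are illustrative assumptions.

# One file per sending address, inside a dedicated directory.
# %fromhost-ip% is the address rsyslog received the message from, so the
# file name is not built from anything inside the message itself.
template(name="PerClientFile" type="string"
         string="/var/log/network/%fromhost-ip%.log")

if $fromhost-ip startswith '192.168.117.' then {
    # dynaFile=          name of the template that yields the path
    # createDirs=        create /var/log/network/ if it does not exist yet
    # dirCreateMode=     mode for directories rsyslog creates
    # fileCreateMode=    mode for new log files (no world-read bit here)
    # dynaFileCacheSize= number of dynamic files kept open at once
    action(type="omfile"
           dynaFile="PerClientFile"
           createDirs="on"
           dirCreateMode="0750"
           fileCreateMode="0640"
           dynaFileCacheSize="64")
    stop
}
```

Running `rsyslogd -N1` checks the configuration syntax before the service is restarted.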