I have a syslog server (running rsyslog on RHEL 7.4) that consolidates all the syslogs from my network devices. It's listening on port TCP/514.

I want to redirect the logs of each device to a different file in a dedicated directory (based on their IP address), instead of getting them all in /var/log/messages. How can I do that?

eden881
  • I know this isn't quite the direction you're looking for, but what about using something like Graylog or Logstash to provide better cataloging of log files and easier search/filter/rules/etc.? – Andrew Mar 03 '18 at 16:18
  • I actually want this to consolidate logs to be indexed by Splunk. – eden881 Mar 03 '18 at 20:20
  • I haven't used Splunk in a long time, but I'm pretty sure it can be configured to accept syslog events directly. You would then point all of the remote servers to this Splunk index directly. It sorts by host name so you can easily keep track of logs from each system. – Andrew Mar 03 '18 at 23:43
  • I've thought of doing this, but then I would lose potentially valuable data when I take Splunk down for maintenance. I actually have consulted a Splunk representative about this topic, and he told me that this strategy is considered a best practice... – eden881 Mar 09 '18 at 15:39

1 Answer

It seems it is documented on the rsyslog web site here: https://www.rsyslog.com/storing-and-forwarding-remote-messages

To summarize:

You should define a template for log files, something like:

# log every host in its own directory
$template RemoteHost,"/var/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"

Then apply this template to messages coming from remote hosts:

# Remote Logging
$RuleSet remote
*.* ?RemoteHost
# bind the TCP listener to this ruleset; this directive must appear
# before the existing $InputTCPServerRun 514 line
$InputTCPServerBindRuleset remote
krisFR
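As an added example (not the answer's or the rsyslog project's own configuration), the same setup in rsyslog's RainerScript syntax, keyed on the sender's IP address as the question asks, with a `stop` so remote messages do not also land in /var/log/messages. The directory /var/syslog/hosts and port 514 come from the page; the file name, the create modes and the template name are assumptions. Define the TCP listener only once: if /etc/rsyslog.conf already has `$ModLoad imtcp` and `$InputTCPServerRun 514`, remove those lines when adding this file.

```rsyslog
# /etc/rsyslog.d/remote.conf  (added example; file name is an assumption)
module(load="imtcp")

# One file per sender, keyed on the connection's source address.
# %fromhost-ip% is taken from the TCP connection, not from the message
# header, so a remote sender cannot choose the directory by forging the
# HOSTNAME field of its messages.
template(name="RemoteHostByIP" type="string"
         string="/var/syslog/hosts/%fromhost-ip%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log")

ruleset(name="remote") {
    # create mode values are assumptions: keep the per-host files and
    # directories readable only by root and the file's group
    action(type="omfile"
           dynaFile="RemoteHostByIP"
           dirCreateMode="0750"
           fileCreateMode="0640")
    # do not fall through to the default ruleset (/var/log/messages)
    stop
}

# Bind the TCP/514 listener to the ruleset above.
input(type="imtcp" port="514" ruleset="remote")
```

Check the result with `rsyslogd -N1` before restarting the service, since a template or ruleset typo otherwise stops rsyslog from starting.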