I have multiple Juniper devices behind one NAT'd IP sending their logs to a single host. On the wire the message looks like this:
Dec 4 07:38:31 tor-29-1: dot1xd[1585]: task_connect: task PNACAUTH./var/run/authd_control addr /var/run/authd_control: Connection refused
I have tried:
if $programname == 'tor-29-1' then /var/log/juniper/tor-29-1.log
& ~
And that won't work. I also tried:
if $msg contains 'tor-29-1' then /var/log/juniper/tor-29-1.log
& ~
and that did not work either. The only thing that did work was:
if $programname == 'tor291' then /var/log/juniper/tor-29-1.log
& ~
In order to get the above to work, I had to set it in the Juniper so the logs would have a prefix of tor291. On the wire the message comes as:
Dec 4 07:38:31 tor-29-1 tor291: dot1xd[1585]: task_connect: task PNACAUTH./var/run/authd_control addr /var/run/authd_control: Connection refused
Is there any way around it? (Having the hostname twice in the logs is confusing, and that's what I am trying to get rid of.)