rsyslog template stop ignored

Question

I try to configure get my template for remote logging working but the stop statement is ignored and everiting is logged duplicate in the syslog and in my generated file %programname%.log. I want the incoming messages only logged in %programname%.log

ZABBIXis my local machine where the rsyslog deamon runs. And the remote devices are Sierra wireless devices that are logging to ZABBIX. But everything from the Sierras is logged duplicate. This is my configuration in /etc/rsyslog.conf.

$template remote-logs,"/media/jarne/Data/log/%FROMHOST%/%programname%.log", stop
:fromhost,isequal,"ZABBIX" stop
*.* ?remote-logs

I have also tried: *.* ?remote-logs & stop and *.* ?remote-logs;stop, but I only get errors.

Can anyone tell me how the stop keyword works and where that is valid?

I use rsyslog version 8.32.0 on a Ubuntu 18.04.3. Thanks in advance!

I presume you want to stop logs from *remote host* zabbix being logged. `isequal` is case-sensitive, so perhaps `fromhost` is "zabbix", so does not match. You could try `startswith_i` instead, which ignores case, but will also match, for example, "zabbix99". — meuh, Dec 13 '19 at 19:58
No, sorry, I don't formulated my question good enough, `ZABBIX` is my local machine where the rsyslog deamon runs. I have enabled remote logging on `ZABBIX`. And the remote machines are Sierra Wireless devices. The Sierras are logging to Zabbix, but the logs of the Sierras are logged to the `syslog` and `%programme%.log`. How can I prevent that the Sierra's are logging to the `syslog`? — Jarne, Dec 16 '19 at 08:44

score 1 · Accepted Answer · answered Dec 16 '19 at 10:29

1

If your hostname is lowercase zabbix then

:fromhost,isequal,"zabbix" stop
*.* ?remote-logs

should ensure that your remote-logs file does not hold local messages, provided that these lines are at the end of the rsyslog config. However, it would then be too late to stop remote messages going to your local syslog.

It is simpler if you use a newer syntax called RainerScript where you can write things like

if ($fromhost == "zabbix") then {
  *.* /var/log/syslog
} else {
  *.* ?remote-logs
}

answered Dec 16 '19 at 10:29

meuh

1,563
10
11

Yes, I have solved my problem by writing and if statement and appending the `& stop` in the if. Everything seems to work with my if. – Jarne Dec 16 '19 at 13:00
1

This is my if: `if($fromhost != "ZABBIX") then { *.* ?remote-logs & stop }` – Jarne Dec 16 '19 at 13:23

rsyslog template stop ignored

1 Answers1