Questions tagged [rsyslog]

rsyslog is an enterprise-ready replacement for the syslog daemon on Linux and other UNIX operating systems.

It consists of an open source project with commercial addons such as the ability to log Windows events, as well as available support contracts.

681 questions
11
votes
2 answers

how to prevent cron logs from registering in syslog?

I have separated my crontab logging into /var/log/cron.log by uncommenting the below line in /etc/syslog.conf, but it still writes to /var/log/syslog too! cron.* /var/log/cron.log How can I prevent it from writing…
shgnInc
11
votes
4 answers

Sending logs to Graylog2 server

I have just set up a Graylog2 server and I am looking to send all logs from my main server to the graylog server. I have enabled logging for the main server and am sending logs to my graylog server by adding *.* @logs.example.com:1337 to…
user44923
11
votes
1 answer

Does the ``-'' sign have meaning in rsyslog.conf

Rsyslog is backwards-compatible with Syslog configuration files. The syslog.conf man page has: You may prefix each entry with the minus ``-'' sign to omit syncing the file after every logging. Note that you might lose information if the …
Aleksandr Levchuk
10
votes
2 answers

Interpreting DHCP related message from rsyslog

In /var/log/messages from an EC2 instance there are a lot of lines such as: ip- ec2net: [get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/MAC_ADDR/local-ipv4s
ChristianF
10
votes
2 answers

command KLogPermitNonKernelFacility is currently not permitted

I've set up loggly for syslog alerts among other things and am getting the following error repeatedly in syslog. command 'KLogPermitNonKernelFacility' is currently not permitted - did you already set it via a RainerScript command (v6+ config)?…
cnizzardini
10
votes
1 answer

Different permissions per log file when using rsyslog

Is it feasible to define different permissions per log file, using rsyslog? $FileCreateMode applies to all, but I want different permissions for a specific file.
yannisf
9
votes
2 answers

Can Journalctl and syslog be used in parallel?

I'm having a hard time understanding how logging works on linux. Since the inclusion of systemd, it seems a bit easier, but I still have a couple of concepts that I still can't fully understand. Given a system with journalctl, I want to send some log…
RedNano
9
votes
1 answer

Debian 9 server no sshd in auth.log

On one of my servers, Debian 9, there is no output from sshd in /var/log/auth.log. In fact, if I do ag sshd in /var/log, it just doesn't appear. The only thing in auth.log is systemd-logind. In fact, it's suspicious that almost all log messages are…
Halfgaar
9
votes
2 answers

Rsyslog stops sending data to remote server after log rotation

In my configuration, I have rsyslog, which is in charge of following changes of /home/user/my_app/shared/log/unicorn.stderr.log using imfile. The content is sent to another remote logging server using TCP. When the log file rotates, rsyslog stops…
Vincent B.
9
votes
2 answers

syslog ip ranges to specific files using `rsyslog`

I have many Cisco / JunOS routers and switches that send logs to my Debian server, which uses rsyslogd. How can I configure rsyslogd to send these router / switch logs to a specific file, based on their source IP address? I do not want to pollute…
Mike Pennington
9
votes
1 answer

Rsyslog.conf disable mail.info and/or disable postfix reporting

I have log entries like: Apr 8 10:25:31 monitor postfix/smtpd[3131]: connect from localhost[127.0.0.1] Apr 8 10:25:31 monitor postfix/smtpd[3131]: lost connection after CONNECT from localhost[127.0.0.1] Apr 8 10:25:31 monitor postfix/smtpd[3131]:…
user699077
8
votes
2 answers

Nginx log to syslog on TCP port

I need to redirect Nginx access and error logs to a remote syslog server. From http://nginx.org/en/docs/syslog.html I saw that I can do: error_log syslog:server=192.168.1.1; However I need to redirect to a specific TCP (not UDP!) port and I tried…
int 2Eh
8
votes
2 answers

How to configure a log aggregator to authenticate data?

Background: Remote log aggregation is regarded as a way to improve security. Generally, this addresses the risk that an attacker who compromises a system can edit or delete logs to frustrate forensic analysis. I've been researching security options…
Tim Otten
8
votes
3 answers

Rsyslog duplicate logs (rsyslog.conf and rsyslog.d/something.conf)

I've created a custom log (PHP sends log entries to rsyslog) using local0. It uses a new custom file (/var/log/sea.log). The problem is that logs are being sent to /var/log/sea.log, /var/log/messages and /var/log/syslog. How do I prevent that from…
brgsousa
8
votes
3 answers

Errors using new rsyslog template syntax on RHEL6

I'm migrating our rsyslog config from an old server to a new one, and thought I'd use the opportunity to tidy up our config. The old config used "legacy" template definitions, and the rsyslog doc on templates recommends replacing such definitions…
Bart B