Mailing List Archive

Central loghost with rsyslog
Hi @ll,

I have been using Syslog-ng on Debian as a central loghost for ~10 years.

Now I'm trying to install a new central loghost with rsyslog on Debian 9
(Stretch), because rsyslog is the default syslog daemon in Debian and I
wanted to keep things simple.

My goal is to log incoming logs to
/var/log/HOSTS/%HOSTNAME%/%PROGRAMNAME%.log and do some logrotate. Remote
logs should not be logged in the normal /var/log/xyz.log files.

It would be nice if I could accomplish this without touching the
original /etc/rsyslog.conf, using an individual config file in
/etc/rsyslog.d/ (loghost.conf).

I searched a lot on the net and there are several howtos online, but
most of them are 90% identical. So I used this one:
https://www.howtoforge.com/tutorial/rsyslog-centralized-log-server-in-debian-9/

I adapted the settings to my needs. This is my loghost.conf:

#
# Config for centralized loghost on this machine
#

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

# Restrict who can send us logs
$AllowedSender UDP, 127.0.0.1, 192.168.0.0/24, *.yourdomain.com
$AllowedSender TCP, 127.0.0.1, 192.168.0.0/24, *.yourdomain.com

# Template to sort incoming logs to the right place
$template RemoteLogs,"/var/log/HOSTS/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& ~

<---cut--->

OK, logs are being redirected to the /var/log/HOSTS/... folders.
But there are some problems.
The first problem is: all logs are redirected, not only the remote ones.
Maybe that happens because of the second problem: there are
warnings/errors in liblogging-stdlog.log:

Mar 5 12:37:01 my-srv liblogging-stdlog: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.24.0 try http://www.rsyslog.com/e/2307 ]
Mar 5 12:37:01 my-srv liblogging-stdlog: error during config processing: STOP is followed by unreachable statements! [v8.24.0 try http://www.rsyslog.com/e/2207 ]

I played a little bit with the options and tried some other templates,
but couldn't get around this problem.
The rsyslog FAQ and config examples didn't help me out either.

Maybe I don't see the forest for the trees...

I would be very thankful if someone could give me some hints.

Thanks, and sorry for my bad English. I hope you get what I mean.

Greetings,

Marcel
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Central loghost with rsyslog
The key concept is to use rulesets.

doc: https://www.rsyslog.com/doc/v8-stable/concepts/multi_ruleset.html

updated conf:

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514" ruleset="remote")

# Restrict who can send us logs. NOTE: A FIREWALL IS STRONGLY PREFERRED!
$AllowedSender UDP, 127.0.0.1, 192.168.0.0/24, *.yourdomain.com
$AllowedSender TCP, 127.0.0.1, 192.168.0.0/24, *.yourdomain.com

# Template to sort incoming logs to the right place
$template RemoteLogs,"/var/log/HOSTS/%HOSTNAME%/%PROGRAMNAME%.log"
ruleset(name="remote") {
action(type="omfile" dynafile="RemoteLogs") # just the modernized statement
}

This will send all messages to the ruleset "remote" and all others to
the default ruleset (the one not explicitly specified).
I haven't checked for typos, so you may need to tweak the example.

The warnings are actually from rsyslog. The version Debian distributes
seems to have a bug in this regard. The messages mean what they say:
"~" is a deprecated name for "stop". And as the "stop" is
unconditional, no other statements behind it will ever see messages.
And there are some.

HTH
Rainer
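The two effects discussed in this thread (local logs landing in the remote tree, and the "unreachable statements" error) can be checked statically. The following is an added example, not code from the thread or from the rsyslog project: a small Python linter that splices a drop-in into a constructed stand-in for Debian's /etc/rsyslog.conf (assumed here to $IncludeConfig /etc/rsyslog.d/*.conf above its default rules) and flags the legacy "~" discard, rules left unreachable behind an unconditional stop, and network inputs not bound to a ruleset. Run on the two configs from the thread it flags the first and passes the second.

```python
# Constructed stand-in for Debian's /etc/rsyslog.conf: the $IncludeConfig of
# /etc/rsyslog.d/*.conf sits ABOVE the default rules, so a drop-in that ends
# in 'stop' (or the legacy '~') makes those rules unreachable.
MAIN_CONF = """$IncludeConfig /etc/rsyslog.d/*.conf
*.*;auth,authpriv.none -/var/log/syslog
auth,authpriv.* /var/log/auth.log
"""
ORIGINAL = """input(type="imudp" port="514")
input(type="imtcp" port="514")
$template RemoteLogs,"/var/log/HOSTS/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& ~
"""
UPDATED = """input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
$template RemoteLogs,"/var/log/HOSTS/%HOSTNAME%/%PROGRAMNAME%.log"
ruleset(name="remote") {
action(type="omfile" dynafile="RemoteLogs")
}
"""

def lint(dropin, main=MAIN_CONF):
    """Splice the drop-in into the main config; return (line, tag) findings.
    Tags: 'legacy-discard' (deprecated '~'), 'unreachable' (default-ruleset
    rule after an unconditional stop), 'unbound-input' (input on default ruleset)."""
    conf = main.replace('$IncludeConfig /etc/rsyslog.d/*.conf\n', dropin)
    findings, depth, stop_line, selector = [], 0, None, None
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()           # drop comments
        if not line:
            continue
        if line.startswith('input(') and 'ruleset=' not in line:
            findings.append((n, 'unbound-input'))     # shares rules with local logs
        if line.endswith('{') or line == '}':         # enter/leave a named ruleset
            depth += 1 if line.endswith('{') else -1
            continue
        if depth or line.startswith(('$', 'module(', 'input(')):
            continue                                  # not a default-ruleset rule
        if stop_line is not None:
            findings.append((n, 'unreachable'))       # nothing gets past the stop
            continue
        parts = line.split(None, 1)
        sel, act = parts if len(parts) == 2 else ('*.*', parts[0])  # bare 'stop'
        selector = selector if sel == '&' else sel    # '&' reuses previous selector
        if act == '~':
            findings.append((n, 'legacy-discard'))
        if act in ('~', 'stop') and selector == '*.*':
            stop_line = n                             # unconditional stop
    return findings
```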

On Tue, 5 Mar 2019 at 19:04, Marcel Weiler (<priority@marwe.net>) wrote: