
Troubles with rsyslog config
Let me start by saying I was a Linux Admin for several years before my
company decided to pull me out of that into something totally different.
I finally got back into the Linux world, but now my skills are rusty, and
things have progressed beyond my knowledge.

I am trying to set up a Centralized Logging Server over TCP using port
10514. I have roughly 30 clients (CentOS 6 & 7) which are sending files
over to the location that I want them to go to. The issue I'm having is
with /var/log/messages, /var/log/secure, and /var/log/boot (there may be
others, but these are my problem children right now). They are writing to
the centralized server, but not to the location I want; they are being
written ONLY to /var/log/messages / secure / boot. The /var drive is only
20G so it gets filled up quick, fast, and in a hurry. I have made a
complete mess of my rsyslog.conf file trying to figure this out. Any
advice would be greatly appreciated.

I have found different documentation, but nothing that directly says, "Do
this here, do this here" so I tried piecing together what I found.

#### MODULES ####
# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability

# Define templates before the rules that use them
### Per-Host Templates for Remote Systems ###
*****these two templates were put in by the admin I replaced****
#$template TmplAuthpriv,"/zdata/logs/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
#$template TmplMsg,"/zdata/logs/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
**** I found documentation that said this was preferred****
template(name="TmplMsg" type="list") {
constant(value="/zdata/logs/")
property(name="hostname")
constant(value="/")
property(name="programname" SecurePath="replace")
constant(value=".log")
}

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 10514
# Adding this ruleset to process remote messages
$RuleSet remote1
$RuleSet RSYSLOG_DefaultRuleset #End the rule set by switching back to the default rule set
$InputTCPServerBindRuleset remote1 #Define a new input and bind it to the "remote1" rule set

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

****As you will see below, I am confused about how to call the template*****
****Also the "STOP" vs &~ is slightly confusing me as well.******
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
#*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.info;mail.none;authpriv.none;cron.none -?TmplMsg
#*.info;mail.none;authpriv.none;cron.none "/zdata/logs/%HOSTNAME%/%PROGRAMNAME%.log"

# The authpriv file has restricted access.
#authpriv.* /var/log/secure
authpriv.* ?TmplMsg
&~
# Log all the mail messages in one place.
#mail.* -/var/log/maillog
mail.* -?TmplMsg
&~
# Log cron stuff
#cron.* /var/log/cron
cron.* -?TmplMsg
&~
# Everybody gets emergency messages
#*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.
#uucp,news.crit /var/log/spooler
uucp,news.crit -?TmplMsg

# Save boot messages also to boot.log
#local7.* /var/log/boot.log
local7.* -?TmplMsg
#Save Auth message to auth.log
auth.*,authpriv.* -?TmplMsg

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
# ### end of the forwarding rule ###
#cron.* /var/log/cron.log
#cron.* -?TmplMsg
*.* @@
daemon.notice /var/log/messages


I know it is something minor that I'm missing, but I'm about to pull my
hair out over this. Any guidance or help would be amazing. Thank you in
advance.

vr

Jerry
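For comparison, a server-side configuration in rsyslog's RainerScript syntax that binds the TCP listener to its own ruleset and writes every remote host's messages through a dynamic file template. This is an added example, not the poster's config or an official rsyslog sample; it assumes rsyslog 7 or later on the central server, the /zdata/logs path from the post, and the template and ruleset names used here.

```rsyslog
# Load the TCP input and bind the listener to a dedicated ruleset.
# In the legacy syntax the equivalent $InputTCPServerBindRuleset must
# come BEFORE $InputTCPServerRun; a listener started earlier stays on
# the default ruleset and its messages fall through to the local
# /var/log rules.
module(load="imtcp")
input(type="imtcp" port="10514" ruleset="remote")

# One file per remote host and program: /zdata/logs/<host>/<program>.log
# securepath="replace" is applied to BOTH properties because a client
# chooses the hostname and program name it reports; without it a value
# containing "../" could steer writes outside /zdata/logs.
template(name="RemoteFile" type="list") {
    constant(value="/zdata/logs/")
    property(name="hostname" securepath="replace")
    constant(value="/")
    property(name="programname" securepath="replace")
    constant(value=".log")
}

# Authentication messages get their own per-host file so it can be
# given tighter permissions than the general program logs.
template(name="RemoteSecure" type="list") {
    constant(value="/zdata/logs/")
    property(name="hostname" securepath="replace")
    constant(value="/secure.log")
}

ruleset(name="remote") {
    # authpriv goes to secure.log and then stops: "stop" is the
    # RainerScript form of the legacy "& ~" discard line and ends
    # processing of that message inside this ruleset.
    if $syslogfacility-text == "authpriv" then {
        action(type="omfile" dynaFile="RemoteSecure"
               dirCreateMode="0750" fileCreateMode="0600")
        stop
    }
    # Everything else: dynaFile="<template>" is the RainerScript way of
    # writing the legacy "?TmplMsg" dynamic-file reference.
    action(type="omfile" dynaFile="RemoteFile"
           dirCreateMode="0750" fileCreateMode="0640")
    # The ruleset ends here, so nothing from the TCP input reaches the
    # default ruleset and /var/log/messages only holds local logs.
}
```

The stock local rules stay in the default ruleset untouched; only messages arriving on port 10514 are routed through "remote".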
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog