Questions tagged [rsyslog]

rsyslog is an enterprise-ready replacement for the syslog daemon on Linux and other UNIX operating systems.

0 votes
1 answer
38 views

Failed to make rsyslog filter to a particular file

I configure the rsyslog server with /var/rsyslog/foo.conf to accept the UDP messages: $ModLoad imudp $UDPServerRun 514, and try to filter the log contents starting with "foo" to /var/log/foo.log....
Hans Chen's user avatar
  • 101
-2 votes
2 answers
203 views

Where are some OS logs in Debian 12

It seems that some of the system log files (/var/log/syslog, /var/log/auth.log, /var/log/kern.log, ...) have been removed in the latest version of Debian, Debian Bookworm. What should be done to ...
Omidreza Bagheri's user avatar
0 votes
1 answer
47 views

Ubuntu system logs written to ".log.1" instead of ".log" after rotation

I have an EC2 instance on AWS with Ubuntu 16.04.4 LTS where system logs are written into ".log.1" instead of ".log" (e.g. /var/log/auth.log.1 instead of /var/log/auth.log). This is ...
Henrik Koberg's user avatar
0 votes
1 answer
46 views

How can I monitor journald to invoke a program on a condition?

Before I reinvent the wheel and start scripting, is there a simple way (or existing tool) that can watch the systemd journal and take actions when certain log entries or conditions are detected? ...
Nick Lockheart's user avatar
0 votes
1 answer
56 views

logrotate won't compress and delete syslog templated files

I am facing a very weird issue with logrotate and syslog files on my central syslog server. What is happening is that files generated by syslog templates are not compressed nor deleted when logrotate ...
giomanda's user avatar
  • 1,774
0 votes
0 answers
39 views

Enable $RepeatedMsgReduction only for specific log file

If this were the script for routing messages to log files in rsyslog.conf, is it possible to activate RepeatedMsgReduction only for app_log? if ($syslogfacility-text == "auth") then { ...
zeroKool's user avatar
1 vote
0 answers
37 views

Configuration Issues for Log Collection and Sending in rSyslog Linux

I am trying to send logs to an NLB endpoint from Syslog on a Linux server using local0, local1, etc. variables and pointing to etl folders that I have on the same server. I am having trouble with the ...
Kenneth Quintal's user avatar
0 votes
0 answers
37 views

Rsyslog output to Kafka Timing Out

I'm having trouble setting up Rsyslog output to Kafka using the omkafka module. I have a robust Kafka cluster running in a production environment. In the current workflow, Rsyslog receives events on ...
Anthony Collier's user avatar
0 votes
1 answer
77 views

Rsyslog is not using the short hostname, and is instead using the FQDN

I have an rsyslog server (V8.2112.0) running on Ubuntu (22.04.2), with a very basic setup to receive logs from Cisco switches. The server and all the switches are in the same domain. I'm trying to use ...
RazzyKitty's user avatar
0 votes
1 answer
88 views

Rsyslog not writing any logs from Cisco network devices - all other remote syslog works fine

tcpdump confirms valid syslog is coming in from multiple remote systems - servers and Cisco network equipment. OS is Linux RHEL 8.8. The servers all come in fine and write to disk, and are shown as ...
mkramer317's user avatar
1 vote
0 answers
78 views

How to set proctitle to ascii in auditd?

I configured auditd to send the logs to SIEM through rsyslog. But when I get those logs the proctitle is in hex. Ex.: <134>Aug 25 17:08:44 vmauditd tag_audit_log: node=vmauditd type=PROCTITLE ...
Sandson Costa's user avatar
0 votes
0 answers
542 views

Issue Getting Rsyslog TLS Configuration Working

Overview I have a server that receives Syslog data from external clients, and I do not have administrative access to these clients. The goal is to move the existing configuration to data in transit ...
g9s0x1's user avatar
  • 1
0 votes
0 answers
50 views

Split logging on rsyslogd

My goal is to send all logs to one source remote and still log local but then send all the AuditD logs to its own source on port 20002. But for some reason, my auditd logs are still ending up with my ...
Jason's user avatar
  • 3,941
0 votes
0 answers
51 views

Forwarding log of a specific cPanel user from rsyslog.conf to an IP address using TCP

Server is on CloudLinux, cPanel, LiteSpeed, imunify and CSF as firewall. I have multiple domains hosted on my server. I only want to forward one user (all) logs to a specific IP address. Using this ...
Mishael Khan's user avatar
0 votes
1 answer
56 views

postfix logging not the known defaults

Actually I overtook the administration of a mail cluster which uses postfix. And I was really confused when I saw the different loggings: one of the servers logs to a custom logfile, instead there is ...
germebl's user avatar
  • 11
0 votes
0 answers
116 views

Add mac address in rsyslog template

I am trying to add system/device mac address in syslog. No solution is working for me. Following command gives me mac address, just wanted to use in rsyslog template. mac_addr=$(ifconfig en0 | awk '/...
sandip karanjekar's user avatar
0 votes
1 answer
43 views

Write path for logging is problematic

My config for my template is as follows. template (name="macfilter" type="string" string="/home/pi/nas/f/remotelogs/%programname:R,ERE,0,FIELD:(([0-9A-fa-f][0-9A-fa-f]: ?[0-9A-...
David Conway's user avatar
1 vote
1 answer
126 views

Rsyslog prepend text to messages in certain facility

OS: Debian 11 Rsyslog version 8.2102 Squid version 4.13 I am attempting to remote log squid logs without going through a file. I am using the following logging line for the store log in squid.conf: ...
0 votes
1 answer
151 views

For rsyslog - to what facility do ssh and scp belong?

I am trying to send all the ssh and scp error messages to a pipe and to configure this in the rsyslog.conf I need to know the facility for these services. Does anybody know this or a resource where ...
A Mere's user avatar
  • 3
0 votes
1 answer
27 views

Combine thousands of logger instances

We have Apache 2.4 setup with over 1000 vhosts, and multiple instances of logger in each : CustomLog "|/usr/bin/logger -t apache-access -p local6.notice -n x.x.x.x" access_log Restarting ...
Bastien974's user avatar
  • 1,906
0 votes
1 answer
74 views

rSyslog stopped sending only SOME data

I have configured remote logging from one of my servers to the central log server via rsyslog TCP/SSL. Everything worked fine until yesterday, when most of the files just stopped being transmitted while ...
Mr.P's user avatar
  • 109
0 votes
0 answers
83 views

Rsyslog high performance TLS logging

We have been using imptcp module for remote logging high amount of logs (over 1M log lines per minute) received from >40 servers. Now we would like to switch to TLS, but it looks like imptcp does ...
forke's user avatar
  • 143
0 votes
0 answers
151 views

How do I send log data through a proxy using rsyslog

I have a few hosts in a private subnet. All connections, incoming and outgoing, for this private subnet must go through a proxy. I have rsyslog running on the hosts in the private subnet. I must send ...
Sandeep M's user avatar
  • 101
0 votes
0 answers
79 views

How does rsyslog accept remote logs to be written to the specified file path?

I want to write remote logs to the /data directory # cat /etc/rsyslog.d/default.conf #### GLOBAL DIRECTIVES #### $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat $template myFormat,"%...
propeller's user avatar
0 votes
1 answer
777 views

Postfix logging to syslog even though it's excluded

Ubuntu 22.04 and postfix 3.6.4 Postfix config is set to use syslog_facility=mail, and I have modified /etc/rsyslog.d/50-default.conf to the following *.*;mail,auth,authpriv.none -/var/log/syslog ...
Brett A.'s user avatar
  • 156
0 votes
1 answer
1k views

In Rsyslog, how do you replace regex matches with custom text?

I'm trying to capture text via regular expression and replace the text with a custom string. My current code successfully captures IP addresses, but I don't know how to replace the IP address with ...
Drin's user avatar
  • 3
0 votes
0 answers
218 views

nextjs/pino transport to aws linux2 syslog

I'm building my first NextJS project, and am using the recommended Pino for logging. This has worked great in development, but now I'm trying to figure out how to deploy it to production. I think the ...
philolegein's user avatar
2 votes
0 answers
582 views

rsyslog is not forwarding logs to elasticsearch

I'm trying to configure rsyslog to send logs to logstash and then forward them to elasticsearch. I have create a config file /etc/rsyslog.d/60-output.conf with the following content: *.* @localhost:...
Croviajo's user avatar
  • 141
1 vote
2 answers
2k views

rsyslog won't start - pid already exist

I was trying to configure rsyslog to forward logs from a specific file to a syslogserver and I ended up purging the whole configuration (the rsyslog service was stuck - wouldn't start) .. so I purged ...
Mr.P's user avatar
  • 109
0 votes
0 answers
140 views

Proper rsyslog configuration

I have Debian 8 (Jessie) and need to write messages to log. Suppose, I have a program which sends to syslog: #include <syslog.h> int main() { openlog("progname", LOG_CONS, LOG_USER);...
Boris's user avatar
  • 1
1 vote
0 answers
562 views

SFTP logs to different files

I'm configuring an SFTP server and having some issues with logs ending up in different places, depending on a group membership. This is on RHEL 8 but the same issue exists on an old RHEL 6 machine. ...
anlag's user avatar
  • 136
0 votes
1 answer
199 views

define custom fields for systemd-journald

The doc states, it may be possible to define new fields by applications. What does it mean? Can one define arbitrary fields or are only those possible listed in the doc USER JOURNAL FIELDS? If ...
woodz's user avatar
  • 146
3 votes
1 answer
718 views

SELinux is preventing in:imjournal from unlink accesses on the file imjournal.state

I have a problem on Fedora 36 with rsyslog, selinux and /var/log/messages components. As you can see: AVC avc: denied { unlink } for pid=XXX comm="in:imjournal" name="imjournal.state&...
bugmeu's user avatar
  • 31
0 votes
0 answers
953 views

php-fpm access log to rsyslog

I am trying to find a solution for getting logs from a php72 php-fpm yii2 application behind nginx on a number of servers: right now the application writes its logs to files on the server disk, yii performs ...
Илья Бугримов's user avatar
1 vote
0 answers
123 views

Syslog server redundancy

Gentlemen, there's a requirement for syslog server redundancy. Most of the syslog clients are network devices and appliances on which you can configure only one syslog server as destination. I been ...
MrBuzz73663's user avatar
1 vote
0 answers
780 views

Rsyslog sends logs by batch to destination after restart

I have a fleet of ~70 servers sending logs to Papertrail using Rsyslog. On September 20th Papertrail encountered an issue and most of our servers logged these messages: Sep 20 11:42:30 server-name ...
Poney's user avatar
  • 111
0 votes
1 answer
17 views

syslog access beginning of log line

I would like to filter the content of my logs generated by Syslog. I'm applying a filter based on $msg but it does not contain the beginning of the line: 2022-09-29T16:39:39Z SYS_SERVER_2 - - - - - A ...
tiamat's user avatar
  • 103
0 votes
1 answer
1k views

Combining multiple Property-Based Filters for Rsyslog

I was trying to set up a specific Rsyslog configuration file to catch all incoming kernel messages of a few types. For example, I want to dump all logs containing "example message 1" and &...
jeff's user avatar
  • 1
0 votes
1 answer
2k views

rsyslog: action suspended, next retry is

I'm trying to configure rsyslog to receive logs sent from other devices on port 3100 (my manager chose that port and I will get him to change it to 514 later), and save (append) those logs in local ...
Michael NGV's user avatar
0 votes
0 answers
361 views

Redirect systemd service logs to /dev/kmsg for all running services

Currently systemd service files will redirect the logs to journal buffer by default. But I need to get all the userspace services logs as part of /dev/kmsg buffer. I was able to add StandardOutput=...
Rckzz's user avatar
  • 1
0 votes
1 answer
1k views

rsyslog forward with ;RSYSLOG_SyslogProtocol23Format

I am trying to forward rsyslog with ;RSYSLOG_SyslogProtocol23Format It works fine for an all log forward: *.* @@syslogserver.com:6789;RSYSLOG_SyslogProtocol23Format But does anyone know how it can be ...
Henric Carlsson's user avatar
3 votes
2 answers
410 views

Sending remaining network traffic with RSYSLOG to specific file

I'm trying to concentrate logs from multiple pieces of equipment from multiple clients on my RSYSLOG server. My server runs on Debian 11 with RSYSLOG v8.2102. The configuration is quite simple at the moment: I'...
Cool34's user avatar
  • 53
0 votes
1 answer
445 views

Rsyslog server - conditionally forward logs

The idea is to receive the logs on the Rsyslog server and then send them to a specific Kafka server depending on the log contents. For example, Logs are being received on a single port, 514 Forwarding ...
Iggy's user avatar
  • 15
0 votes
1 answer
150 views

Reliable rsyslog logging to a remote server

Is there any way to configure rsyslog to send logs to a remote instance so that it does not lose several minutes of messages? I am finding this difficult in the following scenario: Yank the ethernet ...
fastfox's user avatar
  • 101
0 votes
1 answer
628 views

rsyslog ruleset for encrypted logging

I've managed to set up rsyslog to accept TLS traffic from a client's server. When I configured the certificate and the port originally, it all worked fine. The problem is it is dumping the logs ...
itinneed2022_1's user avatar
1 vote
1 answer
616 views

Rsyslog template with RELP

I am trying to send logs to remote system with this configuration on client: module(load="imjournal" StateFile="imjournal.state") module(load="omrelp") template(name=&...
Mandala's user avatar
  • 23
1 vote
1 answer
99 views

Configuring rsyslog to route messages to different log files based on content

Can rsyslog be configured to route log messages to different log files/locations based on the content of the log message? If so, how and could I see a simple example?
hotmeatballsoup's user avatar
0 votes
1 answer
203 views

Sending rsyslog messages to remote file system

I have an Ubuntu server that will be running rsyslog and many "client" devices and applications sending logs to it (via various syslog clients). I know that rsyslog logs everything to /var/...
hotmeatballsoup's user avatar
2 votes
1 answer
60 views

How to skip a message matching a certain pattern if it repeats more often than a limit?

Is it possible to stop a matching message if it appears more frequently than a given limit? I'd like to achieve something like this: if $programname == "foo" and $msg contains "bar&...
Petr's user avatar
  • 613
0 votes
1 answer
469 views

Remote logs from rsyslog appear in general logfiles

I've set up rsyslog (according to guides like this) to ingest remote logs via the following general configuration: module(load="imudp") input(type="imudp" port="514") ...
slhck's user avatar
  • 317
