I want to build an rsyslog server that works as a relay, but it only logs itself.
OS version 7.9, rsyslog version 8.24
The setup should look like this:
host-a1 -|-> host-a20 via udp-601 -> host-b via udp 514
host-a2 -|
host-a.. -|
host-a9 -|
The current state is as follows:
host-a1
host-a1 ~]#/etc/rsyslog.conf
*.* @@host-a20:601
host-a1# telnet host-a20 601
Trying 192.168.1.20...
^C
host-a1 ~]# semanage port -l|grep syslog
syslog_tls_port_t tcp 6514, 10514
syslog_tls_port_t udp 6514, 10514
syslogd_port_t tcp 601, 20514
syslogd_port_t udp 514, 601, 20514
host-a1 ~]# tcpdump -i ens192 -v port 601
tcpdump: listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
09:33:11.468909 IP (tos 0x0, ttl 64, id 56056, offset 0, flags [DF], proto UDP (17), length 105)
host-a1.my-domain.dd.59762 > 192.168.1.20.syslog-conn: UDP, length 77
Configuration file /etc/rsyslog.conf on the relay:
host-a20 ~]#/etc/rsyslog.conf
# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
*.* @@host-b:514
host-a20 ~]#/etc/rsyslog.d/syslogserver.conf
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 601
# Logfile for each host
$template TemplLogFile,"/var/log/rsyslogserver/%HOSTNAME%/%PROGRAMNAME%.log"
*.* -?TemplLogFile
host-a20 ~]# netstat -tunlp|grep syslog
udp 0 0 0.0.0.0:53803 0.0.0.0:* 39865/rsyslogd
udp 0 0 0.0.0.0:601 0.0.0.0:* 39865/rsyslogd
host-a20 ~]# tcpdump -i ens192 -e -v port 601
tcpdump: listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
09:58:59.980921 00:50:56:89:9e:34 (oui Unknown) > 00:50:56:89:5f:a2 (oui Unknown),
ethertype IPv4 (0x0800), length 134: (tos 0x0, ttl 64, id 35644, offset 0, flags [DF], proto UDP (17), length 120)
192.168.1.1.59762 > host-a20.my-domain.dd.syslog-conn: UDP, length 92
host-a20 ~]# tree /var/log/rsyslogserver/
/var/log/rsyslogserver/
└── host-a20
├── CROND.log
├── kernel.log
├── polkitd.log
├── postfix.log
├── sssd.log
├── systemd.log
└── systemd-logind.log
1 directory, 7 files
Again, the complete configuration files from the log server:
/etc/rsyslog.conf
host-a20 ~]# cat /etc/rsyslog.conf |grep -v '^#'|grep -v '^$'
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
*.info @host-b:514
host-a20 ~]# cat /etc/rsyslog.d/syslogserver.conf |grep -v '^#'|grep -v '^$'
$ModLoad imudp
$UDPServerRun 601
$template TemplLogFile,"/var/log/rsyslogserver/%HOSTNAME%/%PROGRAMNAME%.log"
*.* -?TemplLogFile
Best regards
Joern
Update
I changed the template directive in the configuration file /etc/rsyslog.d/syslogserver.conf from
$template TemplLogFile,"/var/log/rsyslogserver/%HOSTNAME%/%PROGRAMNAME%.log"
to
$template TemplLogFile,"/var/log/rsyslogserver/%FROMHOST-IP%.log"
But I think it is another problem...
host-a20 ~]# tree /var/log/rsyslogserver/
/var/log/rsyslogserver/
├── 127.0.0.1.log
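Added example, not code from the original post: a POSIX shell script that cross-checks the transport each rsyslog forwarding action declares against the listeners the relay actually loads. In rsyslog's legacy syntax `@host:port` forwards over UDP and `@@host:port` over TCP; a relay receives UDP only when imudp is loaded together with `$UDPServerRun` (or `input(type="imudp" ...)`), and TCP only when imtcp is loaded together with `$InputTCPServerRun` (or `input(type="imtcp" ...)`). The sample config files are constructed here to mirror the post (client `*.* @@host-a20:601`, a relay that loads only imudp on 601, and a second relay config with an imtcp listener added); the temporary file names and the functions `fwd_actions`, `relay_listeners` and `check_relay` are my own assumptions, not rsyslog tooling.

```shell
#!/bin/sh
# Added example (not from the original post): compare the transport each
# rsyslog forwarding action uses with the listeners the relay loads.
# Legacy syntax: "@host:port" forwards over UDP, "@@host:port" over TCP.

# fwd_actions CONF: print "proto host port" for every forwarding action in CONF.
fwd_actions() {
    sed -e 's/#.*//' "$1" | awk '
        $2 ~ /^@/ {
            t = $2; proto = "udp"
            if (substr(t, 1, 2) == "@@") { proto = "tcp"; t = substr(t, 3) }
            else                          { t = substr(t, 2) }
            sub(/^\([^)]*\)/, "", t)    # drop an option block such as @@(o,z9)host
            sub(/;.*/, "", t)            # drop a ;template suffix
            port = "514"                 # rsyslog default when no port is given
            n = index(t, ":")
            if (n > 0) { port = substr(t, n + 1); t = substr(t, 1, n - 1) }
            print proto, t, port
        }'
}

# relay_listeners CONF...: print "proto port ok" for each listener whose input
# module is loaded, or "proto port nomod" when the module is missing.
relay_listeners() {
    sed -e 's/#.*//' "$@" | awk '
        /^\$ModLoad[ \t]+imudp/ || /module\(load="imudp"\)/ { mod["udp"] = 1 }
        /^\$ModLoad[ \t]+imtcp/ || /module\(load="imtcp"\)/ { mod["tcp"] = 1 }
        /^\$UDPServerRun/      { l[++n] = "udp " $2 }
        /^\$InputTCPServerRun/ { l[++n] = "tcp " $2 }
        /input\(/ && /type="imudp"/ && match($0, /port="[0-9]+"/) { l[++n] = "udp " substr($0, RSTART + 6, RLENGTH - 7) }
        /input\(/ && /type="imtcp"/ && match($0, /port="[0-9]+"/) { l[++n] = "tcp " substr($0, RSTART + 6, RLENGTH - 7) }
        END {
            for (i = 1; i <= n; i++) {
                split(l[i], a, " ")
                s = (a[1] in mod) ? "ok" : "nomod"
                print l[i], s
            }
        }'
}

# check_relay CLIENT_CONF RELAY_CONF...: report each forwarding action of the
# client against the relay listeners; returns 1 if any action has no match.
check_relay() {
    client=$1; shift
    listeners=$(relay_listeners "$@")
    bad=0
    # tr joins each "proto host port" line into one word so the for loop can iterate it
    for e in $(fwd_actions "$client" | tr ' ' ','); do
        proto=${e%%,*}; r=${e#*,}; host=${r%%,*}; port=${r#*,}
        if printf '%s\n' "$listeners" | grep -qx "$proto $port ok"; then
            echo "OK       $proto/$port -> $host: relay listens"
        elif printf '%s\n' "$listeners" | grep -qx "$proto $port nomod"; then
            echo "MISMATCH $proto/$port -> $host: listener set but im$proto is not loaded"
            bad=1
        else
            echo "MISMATCH $proto/$port -> $host: relay has no $proto listener on $port"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample configs (assumption: they mirror the post, not real files).
WORK=$(mktemp -d)
CLIENT_CONF=$WORK/client-rsyslog.conf
RELAY_UDP_CONF=$WORK/relay-udp-only.conf
RELAY_BOTH_CONF=$WORK/relay-udp-and-tcp.conf
cat > "$CLIENT_CONF" <<'EOF'
*.* @@host-a20:601
EOF
cat > "$RELAY_UDP_CONF" <<'EOF'
$ModLoad imuxsock
$ModLoad imudp
$UDPServerRun 601
*.* @host-b:514
EOF
cat > "$RELAY_BOTH_CONF" <<'EOF'
$ModLoad imudp
$UDPServerRun 601
$ModLoad imtcp
$InputTCPServerRun 601
EOF

check_relay "$CLIENT_CONF" "$RELAY_UDP_CONF" || echo "client/relay transport mismatch"
check_relay "$CLIENT_CONF" "$RELAY_BOTH_CONF"
echo "sample configs left in $WORK"
```

The checker only compares configuration files. tcpdump on the relay captures frames before netfilter processes them, so a datagram seen there can still be dropped by firewalld before rsyslogd ever receives it; `firewall-cmd --list-all` on the relay (not run by this script) shows whether 601/udp or 601/tcp is actually open.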