I have another question about the conditional forwarding of logs via rsyslog.conf. I have the configuration below.
# cat /etc/rsyslog.conf
##########################################################################################
# rsyslog configuration file For TCC & TPC
##########################################################################################
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imudp # Provides UDP syslog reception
$UDPServerRun 514 # Provides UDP syslog reception
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
$template tcc-logs, "/data/SYSTEMS/%HOSTNAME%/messages.log"
$template noi-logs, "/data/noiter/%HOSTNAME%/messages.log"
#####################################################################
# Custom conditional Forwarding of messages to the syslog Directory #
###################################################################
if $fromhost startswith "sj-" then -?tcc-logs
& stop
if $fromhost startswith "noi-" then -?noi-logs
& stop
##################################################
#### GLOBAL DIRECTIVES ####
#################################################
$WorkDirectory /var/lib/rsyslog # Where to place auxiliary files
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # Use default timestamp format
$IncludeConfig /etc/rsyslog.d/*.conf # Include all config files in /etc/rsyslog.d/
$OmitLocalLogging on # local messages are retrieved through imjournal now.
$IMJournalStateFile imjournal.state # File to store the position in the journal
#### RULES ############################################
# Log anything (except mail) of level info or higher.#
# Don't log private authentication messages! #
####################################################
*.info;mail.none;authpriv.none;cron.none ?tcc-logs
authpriv.* ?tcc-logs # The authpriv file has restricted access.
In the above configuration, I'm trying to ask rsyslog for conditional forwarding of logs with the points below:
If any upcoming host to rsyslog which startswith "sj" then it should go to the "/data/SYSTEMS/" directory, which will create another directory with the hostname and then will create a messages.log in it. So, the complete file path will be like /data/SYSTEMS/sj-hosts_1/messages.log.
Similarly, if any upcoming host to rsyslog which startswith noi- then it should go to the /data/noiter/ directory, which will create another directory with the hostname and then will create a messages.log in it. So, the complete file path will be like /data/noiter/noi-hosts_1/messages.log.
The above two points meet the results. However, the problem is that the messages.log in the above case is creating the date and time in a different format than the default. An example is below:
2019-01-25T23:20:01-08:00 noi-hosts_1 CROND[8541]: (root) CMD (/usr/lib64/sa/sa1 1 1)
2019-01-25T23:20:01-08:00 noi-hosts_1 CROND[8542]: (root) CMD (LANG=C LC_ALL=C
While the default & required format should be as follows:
Jan 25 20:23:58 noi-hosts_1 CROND[8541]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jan 25 20:23:58 noi-hosts_1 CROND[8542]: (root) CMD (LANG=C LC_ALL=C
When I don't use conditional forwarding then I used to get the correct/default one as shown above.
Your conditional rules if $fromhost ... are near the start of the configuration, and use the default logging style, which for rsyslog is now RSYSLOG_FileFormat. You change the default to the wanted RSYSLOG_TraditionalFileFormat later on, but this only applies to any following rules.
So simply move your conditional rules further down in the file, to just after the comment block #### RULES ...
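The ordering effect described in the answer can be checked mechanically before a config is deployed, which matters when downstream parsers expect one timestamp format. The Python sketch below is an added example, not part of the original question or answer: it covers only legacy-format file actions, the sample config is condensed from the one posted above, and the function names are hypothetical.

```python
import re

# Format in effect before any $ActionFileDefaultTemplate is seen (per the answer).
BUILTIN_DEFAULT = "RSYSLOG_FileFormat"
WANTED = "RSYSLOG_TraditionalFileFormat"
DIRECTIVE = re.compile(r"^\$ActionFileDefaultTemplate\s+(\S+)", re.I)
# File action: optional "-", then "?dynafile" or "/static/path", optionally
# followed by ";formatTemplate" (an explicit per-action binding).
ACTION = re.compile(r"(?:^|\s)-?(\?[\w-]+|/\S+?)(?:;([\w-]+))?\s*(?:#.*)?$")

# Constructed sample: the posted rsyslog.conf reduced to the lines that matter.
POSTED = '''\
$template tcc-logs, "/data/SYSTEMS/%HOSTNAME%/messages.log"
$template noi-logs, "/data/noiter/%HOSTNAME%/messages.log"
if $fromhost startswith "sj-" then -?tcc-logs
& stop
if $fromhost startswith "noi-" then -?noi-logs
& stop
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
*.info;mail.none;authpriv.none;cron.none ?tcc-logs
'''
_l = POSTED.splitlines()
# Same rules with the directive ahead of the conditional rules, as the answer advises.
FIXED = "\n".join(_l[:2] + [_l[6]] + _l[2:6] + _l[7:])


def effective_formats(conf_text):
    """Return (line_no, target, format_template) for each file action, applying
    $ActionFileDefaultTemplate only to the actions that come after it."""
    current, found = BUILTIN_DEFAULT, []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("$"):
            continue  # other legacy directives ($template, $ModLoad, ...)
        m = ACTION.search(line)
        if m:
            found.append((no, m.group(1), m.group(2) or current))
    return found


def mismatches(conf_text, wanted=WANTED):
    """File actions that would be written in a format other than `wanted`."""
    return [(no, tgt) for no, tgt, fmt in effective_formats(conf_text) if fmt != wanted]
```

`mismatches(POSTED)` reports the two conditional rules on lines 3 and 5, and `mismatches(FIXED)` is empty.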