How to configure rsyslog to send file from specific program to specific location on remote server


You need to first configure your rsyslog server to be able to receive messages from the clients.

Edit your server's rsyslog configuration file and create or make sure that the following lines exist:

$ModLoad imuxsock
$ModLoad imklog
# Provides UDP syslog reception. For TCP, load imtcp and use $InputTCPServerRun 514
$ModLoad imudp
# Start the UDP listener on port 514 (loading imudp alone does not open a port)
$UDPServerRun 514
# This will save the log file in a separate directory for each client's IP
$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"
#Create a rule for each application you need to filter, ie: httpd messages
$template HTTPD,"/var/log/%fromhost-ip%/httpd.log"

#Create a separate log rule for the specific application
if $programname == 'httpd' then ?HTTPD
&~

#Dump all remaining messages that do not match the filters created into one file
*.* ?FILENAME

After that you need to go to each client and add the following lines to the rsyslog.conf file:

$ModLoad imuxsock
$ModLoad imklog
# Provides UDP forwarding. For TCP use @@server_ip
*.* @server_ip:514

And you should be ready. Everything that the clients send to the server will be filtered with the rules you created and the messages will be saved to the files in each client's IP address folder according to the templates you made on the server side.
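The same server-side reception and sorting rules written in RainerScript syntax (rsyslog v7 and later), as an added example that is not part of the original answer. Binding the network inputs to a ruleset named `remote` is an assumption made here so that only forwarded messages are sorted into per-IP directories while the server's own messages keep following its default rules.

```conf
# Added example, not from the original answer.
# Server side: receive remote syslog and sort it per sender and per program.

module(load="imudp")    # UDP reception
module(load="imtcp")    # TCP reception (clients forward with @@server_ip)

# Dynamic file names. %fromhost-ip% is the address the message was received
# from; it is filled in by the server, not taken from the message text.
template(name="FILENAME" type="string"
         string="/var/log/%fromhost-ip%/syslog.log")
template(name="HTTPD" type="string"
         string="/var/log/%fromhost-ip%/httpd.log")

# Rules applied only to messages arriving on the network inputs below.
# The ruleset is defined before the inputs that refer to it.
ruleset(name="remote") {
    # $programname is parsed from the tag the client put in the message,
    # so it identifies the program only as far as the client is trusted.
    if $programname == 'httpd' then {
        action(type="omfile" dynaFile="HTTPD")
        stop    # replaces the legacy "&~" discard
    }
    # Everything that matched no program-specific rule
    action(type="omfile" dynaFile="FILENAME")
}

input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

# Client side equivalent of "*.* @server_ip:514" (server_ip is a placeholder):
#   action(type="omfwd" target="server_ip" port="514" protocol="udp")
```

UDP gives the server no confirmation of who sent a datagram, so the per-IP directory name is only as reliable as the network path between client and server.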

Author: chadwicke619

Updated on September 18, 2022

Comments

  • chadwicke619
    chadwicke619 over 1 year

    I want to configure rsyslog on a centralised server so that all the logs of clients are stored at one place. Now the problem I'm having is I don't know how to implement rsyslog so that it creates logs based on programmes on client machines, i.e. like 'httpd' etc., and saves them in different files, i.e. '/var/log/httpd.log', and while it sends the log to the remote server the files should be saved like '/var/log/ip-address of host/httpd.log'. I have these two problems:

    1. Logs should be created on a programme basis.
    2. While logs are transmitted to the remote server they should be stored on a program basis with different directories for different hosts.

    I hope I made my question clear. Please help.

    For creating logs based on programme I believe I will have to use something like this on the client side:

     if $programname == 'httpd' and $syslogseverity <= '6' then /var/log/httpd.log
    
     if $programname == 'httpd' and $syslogseverity <= '6' then ~
    

    I also found this question but it doesn't completely solve my problem:

    how to configure rsyslog

    • Bruno Pereira
      Bruno Pereira almost 11 years
      You got it wrong, the rules you show are to be made on the server side, not on the client. Basically you need to make sure that the clients are sending the messages to the server and then let the server sort them out via rules (to filter the type of message) and templates (to make the server save the messages on different log files).
  • chadwicke619
    chadwicke619 almost 11 years
    Ok. Thanks for the help now I got a clear picture. Let me try this. :)
  • Bruno Pereira
    Bruno Pereira almost 11 years
    I might need to tweak it a bit since you did not specify a version of rsyslog or an Ubuntu release, but the principle is the same: client sends all to server, server filters and saves logs.