Redirecting output from syslog to own log


Solution 1

@w0rldart in your question you write

but rsyslog won't redirect the

in another post you write

ubuntu server its sysklogd

what is true then?

for rsyslogd it goes like this

/etc/rsyslog.d/log-all.conf:
:programname, isequal, "ispconfig" /var/log/ispconfig.log
# optionally you can clear this from the original to avoid the line being logged twice
:programname, isequal, "ispconfig" ~

restart rsyslogd

/etc/init.d/rsyslog restart

Solution 2

Couldn't get @toh's answer to work on Ubuntu 13 - turns out the file has to be called something like 25-ispconfig.conf. It processed log-all.conf, or at least showed errors when I deliberately wrote rubbish in it. It started logging to the new file, but it wouldn't stop logging to syslog as well.

Had to do this in 25-dnsmasq.conf:

:programname, contains, "dnsmasq" /var/log/dnsmasq.log
& ~

Couldn't make a comment without having 50 rep, so I'm posting an answer.

Just got to work out how to rotate the files now so I don't get huge monster log files growing in my /var/log
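Why the file name mattered in Solution 2, as an added example that is not part of either answer: a simplified Python model of rsyslog reading the drop-ins in sorted name order and ending processing of a message at a discard action. The catch-all file name 50-default.conf and its one-line rule are assumptions standing in for the distribution's default config, and the parser handles only the filter forms shown on this page.

```python
import re

# Legacy property-based filter as used in both answers:
#   :programname, <isequal|contains>, "<value>" <action>
PROP = re.compile(r':programname,\s*(isequal|contains),\s*"([^"]*)"\s+(\S+)')

def parse(text):
    """Turn one drop-in's text into a list of (predicate, action) rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PROP.match(line)
        if m:
            op, val, action = m.groups()
            if op == "isequal":
                pred = lambda prog, v=val: prog == v
            else:
                pred = lambda prog, v=val: v in prog
        elif line.startswith("&") and rules:   # "& action": same filter as previous rule
            pred, action = rules[-1][0], line[1:].strip()
        elif line.startswith("*.*"):           # catch-all selector (simplified)
            pred, action = (lambda prog: True), line.split()[-1].lstrip("-")
        else:
            raise ValueError(f"unsupported line: {line!r}")
        rules.append((pred, action))
    return rules

def destinations(dropins, programname):
    """Files a message from `programname` reaches, given {file name: text}."""
    written = []
    for name in sorted(dropins):               # drop-ins are read in sorted name order
        for pred, action in parse(dropins[name]):
            if not pred(programname):
                continue
            if action in ("~", "stop"):        # discard; newer rsyslog spells it "stop"
                return written
            written.append(action)
    return written

# Constructed inputs: DEFAULT stands in for the distribution's catch-all rule.
DEFAULT = "*.* -/var/log/syslog"
SOLUTION_1 = (':programname, isequal, "ispconfig" /var/log/ispconfig.log\n'
              ':programname, isequal, "ispconfig" ~')
SOLUTION_2 = ':programname, contains, "dnsmasq" /var/log/dnsmasq.log\n& ~'

if __name__ == "__main__":
    print(destinations({"50-default.conf": DEFAULT, "log-all.conf": SOLUTION_1}, "ispconfig"))
    print(destinations({"50-default.conf": DEFAULT, "25-dnsmasq.conf": SOLUTION_2}, "dnsmasq"))
```

In both layouts the dedicated file is written; the file name only decides whether the line is also copied to /var/log/syslog before the discard is reached.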

Author by

w0rldart

Updated on September 18, 2022

Comments

  • w0rldart
    w0rldart over 1 year

    I'm following this tutorial: Using Fail2ban To Block Wrong ISPConfig Logins, but rsyslog won't redirect the output from a file to another:

    /etc/rsyslog.d/12-ispconfig.conf:

    if $programname == 'ispconfig' then /var/log/ispconfig.log #the file exists 
    

    Despite this line, I keep getting the output to syslog:

    ispconfig[1117]: Login failed for user asdasd on IP XX.XX.XXX.XX

    -rw-r--r--  1 syslog adm        0 Sep 12 16:13 ispconfig.log
    

    Any ideas how to fix this?

    • Ansgar Wiechers
      Ansgar Wiechers over 11 years
      This may be a stupid question, but do you have $IncludeConfig /etc/rsyslog.d/*.conf in /etc/rsyslog.conf, and did you restart rsyslog after creating /etc/rsyslog.d/12-ispconfig.conf?
    • w0rldart
      w0rldart over 11 years
      @AnsgarWiechers I didn't have the $IncludeCo.... so I added it at the end of the config file and invoke-rc.d sysklogd restart but still no effect
    • Ansgar Wiechers
      Ansgar Wiechers over 11 years
      Just to be sure, try /etc/init.d/sysklogd stop && /etc/init.d/sysklogd start instead. Check /var/log/syslog for errors or warnings upon syslogd startup.
    • w0rldart
      w0rldart over 11 years
      On my Ubuntu server it's sysklogd, and I get no error upon any restart
  • Jeff Learman
    Jeff Learman almost 4 years
    The files in /etc/rsyslog.d get executed in collating order, so you need a prefix to get it to execute before other files that may need the log set first, and after files that may set logging differently for a broader class.