Rsyslog filter for logging router events (syslog server)
Solution 1
I figured it out! These links helped:
http://www.rsyslog.com/tag/udp/
http://www.rsyslog.com/doc/multi_ruleset.html
Here's what I did:
Opened up /etc/rsyslog.d/50-default.conf
and at the top of the file, before all of the other default filters, I added:
# process remote messages
# define new ruleset and add rules to it:
$RuleSet remote
*.* /var/log/linksys.log
# only messages not from 192.168.2.1 make it past this point
# bind ruleset to UDP listener
$InputUDPServerBindRuleset remote
# and activate it:
$UDPServerRun 514
# switch back to the default ruleset:
$RuleSet RSYSLOG_DefaultRuleset
Solution 2
/etc/rsyslog.conf is not the right file to be editing. You really want to be setting up a separate .conf file:
$ sudo nano /etc/rsyslog.d/20-router.conf
Then add the required configuration:
:fromhost-ip, isequal, "192.168.2.1" /var/log/linksys.log
& ~
This shouldn't confuse any other log entries. Just tried this myself and it works fine.
Thanks to http://nickhumphreyit.blogspot.co.uk/2012/09/how-to-setup-syslog-server-on-ubuntu.html for giving me the answer, after giving up on the documentation.
You may want to add a logrotate file to /etc/logrotate.d/linksys too:
/var/log/linksys.log {
daily
rotate 7
delaycompress
compress
notifempty
missingok
}
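The same design as the two answers above (Solution 1's dedicated ruleset bound to the UDP listener, Solution 2's host check with everything else kept away from the local logs), written in the RainerScript syntax that rsyslog 7 and later accept. This is an added example, not part of either answer; it assumes the router address 192.168.2.1 and the server address 192.168.2.2 from the question, and the file name /var/log/remote-other.log is an invented placeholder.

```rsyslog
# Added example (not from either answer): /etc/rsyslog.d/20-router.conf in
# RainerScript form, for rsyslog 7 or later. Assumed addresses are taken from
# the question: router 192.168.2.1, this server 192.168.2.2.

module(load="imudp")

# Every message that arrives on the UDP listener is handled only by this
# ruleset. It never reaches the default ruleset in 50-default.conf, so local
# messages (sshd, cron, ...) can no longer be caught by the router filter.
ruleset(name="remote") {
    if $fromhost-ip == "192.168.2.1" then {
        action(type="omfile" file="/var/log/linksys.log")
    } else {
        # Anything else that talks to the listener is recorded separately
        # rather than silently discarded, so unexpected senders are visible.
        # File name is an assumed placeholder.
        action(type="omfile" file="/var/log/remote-other.log")
    }
}

# Listen only on the LAN address of this server (assumed 192.168.2.2) and
# hand the messages to the ruleset above.
input(type="imudp" port="514" address="192.168.2.2" ruleset="remote")
```

Run `rsyslogd -N1` to check the configuration for syntax errors before restarting the service.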
jpetersen
Updated on September 18, 2022
Comments
jpetersen over 1 year
I am trying to configure rsyslog (Ubuntu 12.04 Server) to log events from a router. I found this old ubuntu forum post which got me most of the way there.
So far I am able to get the events logged from the router. However, since I don't want them logged in /var/log/syslog, I am trying to set up a working filter in /etc/rsyslog.conf to put the logged events in /var/log/linksys.log. This is where I am having trouble.
First I tried filtering by the router ip address like this:
:fromhost-ip, isequal, "192.168.2.1" /var/log/linksys.log
& ~
This successfully redirects the logs as I wanted, the only problem is now I am not getting any SSHD logs in auth.log. Needless to say this is not acceptable.
Next I tried filtering by the router name which appears in every event log:
:msg, contains, "RV042" /var/log/linksys.log
& ~
Although this neither logs nor blocks anything.
So I am stumped. I have no idea why SSHD is getting filtered with the :fromhost-ip filter. SSHD is local on the machine with rsyslog (192.168.2.2). I am thoroughly frustrated by this, any suggestions are much appreciated.