Rsyslog filter for logging router events (syslog server)


Solution 1

I figured it out! These links helped:

http://www.rsyslog.com/tag/udp/

http://www.rsyslog.com/doc/multi_ruleset.html

Here's what I did:

Opened up /etc/rsyslog.d/50-default.conf and at the top of the file, before all of the other default filters, I added:

# process remote messages
# define new ruleset and add rules to it:
$RuleSet remote
*.*           /var/log/linksys.log
# everything received on the listener bound below is written here;
# messages in this ruleset never reach the default ruleset's rules

# bind ruleset to UDP listener
$InputUDPServerBindRuleset remote
# and activate it:
$UDPServerRun 514

# switch back to the default ruleset:
$RuleSet RSYSLOG_DefaultRuleset

Solution 2

/etc/rsyslog.conf is not the right file to be editing. You really want to be setting up a separate .conf file:

$ sudo nano /etc/rsyslog.d/20-router.conf

Then add the required configuration:

:fromhost-ip, isequal, "192.168.2.1" /var/log/linksys.log
& ~

This shouldn't confuse any other log entries. Just tried this myself and it works fine.

Thanks to http://nickhumphreyit.blogspot.co.uk/2012/09/how-to-setup-syslog-server-on-ubuntu.html for giving me the answer, after giving up on the documentation.

You may want to add a logrotate file to /etc/logrotate.d/linksys too:

/var/log/linksys.log {
       daily
       rotate 7
       delaycompress
       compress
       notifempty
       missingok
}

Author: jpetersen

Updated on September 18, 2022

Comments

  • jpetersen
    jpetersen over 1 year

    I am trying to configure rsyslog (Ubuntu 12.04 Server) to log events from a router. I found this old ubuntu forum post which got me most of the way there.

    So far I am able to get the events logged from the router. However, since I don't want them logged in /var/log/syslog, I am trying to set up a working filter in /etc/rsyslog.conf to put the logged events in /var/log/linksys.log. This is where I am having trouble.

    • First I tried filtering by the router ip address like this:

      :fromhost-ip, isequal, "192.168.2.1" /var/log/linksys.log
      & ~
      

      This successfully redirects the logs as I wanted, the only problem is now I am not getting any SSHD logs in auth.log. Needless to say this is not acceptable.

    • Next I tried filtering by the router name which appears in every event log:

      :msg,contains, "RV042" /var/log/linksys.log
      & ~
      

      This one, however, neither logs nor blocks anything.

    So I am stumped. I have no idea why SSHD is getting filtered with the :fromhost-ip filter. SSHD is local on the machine with rsyslog (192.168.2.2). I am thoroughly frustrated by this; any suggestions are much appreciated.
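As an added illustration (not part of the question or either answer), the following Python script models how rsyslog evaluates the two property-based filters above against constructed sample lines: the `fromhost-ip` match followed by `& ~` diverts and discards only lines that arrived from the router's address, while a `msg` filter tests only the text after the tag, so a name that appears in the HOSTNAME field of the header (such as RV042) never matches it. The header parser, the `DEFAULT` stand-in for the stock rules, and the sample lines are simplifications assumed here, not rsyslog's own code.

```python
import re
# Constructed (fromhost-ip, raw RFC 3164 line) samples; local daemons logging via /dev/log show as 127.0.0.1.
SAMPLES = [
    ("192.168.2.1", "<134>Jan  1 12:00:00 RV042 kernel: DROP IN=eth1 SRC=10.0.0.5"),
    ("127.0.0.1", "<38>Jan  1 12:00:01 server sshd[1234]: Accepted publickey for jdoe"),
    ("127.0.0.1", "<14>Jan  1 12:00:02 server cron[99]: (root) CMD (run-parts /etc/cron.hourly)"),
]

# Simplified header parser: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG
LINE_RE = re.compile(r"<(\d+)>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(\[\d+\])?:(.*)")

def parse(fromhost_ip, raw):
    """Expose the rsyslog properties a filter can test; 'msg' is only the text after the tag."""
    m = LINE_RE.match(raw)
    if m is None:
        return None
    return {"fromhost-ip": fromhost_ip, "hostname": m.group(3),
            "programname": m.group(4), "msg": m.group(6)}

OPS = {"isequal": lambda a, b: a == b, "contains": lambda a, b: b in a}
DEFAULT = "default rules"  # stands in for the stock syslog/auth.log/... actions

def run_rules(rules, samples):
    """Evaluate (property, op, value, action) filters in order for each message.
    action is a file path or "~" (discard); property "&" reuses the previous filter."""
    files, last = {}, None
    for ip, raw in samples:
        props = parse(ip, raw)
        if props is None:
            continue
        discarded = False
        for prop, op, value, action in rules:
            if prop != "&":
                last = (prop, op, value)
            p, o, v = last
            if not OPS[o](props[p], v):
                continue
            if action == "~":
                discarded = True
                break
            files.setdefault(action, []).append(raw)
        if not discarded:  # only undiscarded messages reach the default rules
            files.setdefault(DEFAULT, []).append(raw)
    return files

# The question's two filters, plus a hostname variant, as rule lists.
BY_IP = [("fromhost-ip", "isequal", "192.168.2.1", "/var/log/linksys.log"), ("&", None, None, "~")]
BY_MSG = [("msg", "contains", "RV042", "/var/log/linksys.log"), ("&", None, None, "~")]
BY_HOST = [("hostname", "isequal", "RV042", "/var/log/linksys.log"), ("&", None, None, "~")]
```

Running `run_rules(BY_IP, SAMPLES)` places only the router line in /var/log/linksys.log and lets the sshd and cron lines fall through to the default rules, while `BY_MSG` matches nothing because RV042 is in the hostname field, not in `msg`.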