rsyslog filtering and forwarding


First off, notice the line $IncludeConfig /etc/rsyslog.d/*.conf. Basically it's saying that all .conf files will be included in that rsyslog.conf file you pasted. So rather than putting your rule at the bottom of that file, I would advise adding another file, say /etc/rsyslog.d/30-testing.conf, and putting your rule there. This is more organized, and will be helpful if your syslog config grows in the future.

Other than that though, if it works without the filter, and thus ports/firewall isn't an issue, then it really should work -- your filter line looks fine. You might have already done so, but maybe try:

:msg, contains, "testing"         @@192.168.1.100:514

Also, are you restarting the rsyslog service every time you change the configuration file? You may need to do so. Can you also post what version of rsyslog you're using?

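A worked version of the advice above, added here as an example (it is not code from the original answer or question): a drop-in file under /etc/rsyslog.d/ that rsyslog.conf pulls in through $IncludeConfig, written in the RainerScript syntax the question's own rule already uses. It does what the question asks for, forwarding everything to the collector except messages generated on localhost and messages whose text contains 'testing' or 'flow'. The file name 30-testing.conf comes from the answer and 192.168.1.100:514 from the question; the remaining details (the 127.0.0.1 test for local inputs, the omfwd parameters) are assumptions for illustration. Note that both the legacy "@@host:port" shorthand and omfwd with protocol="tcp" send cleartext TCP with no encryption or authentication of either end.

```conf
# /etc/rsyslog.d/30-testing.conf
#
# Added example, not the original poster's configuration.
# Assumptions: collector 192.168.1.100:514 (from the question); rsyslog
# reports messages from its local inputs (imuxsock, imjournal) with
# $fromhost-ip set to 127.0.0.1 unless $LocalHostIPIF changes that.
#
# Intent from the question: forward to the collector, except
#   - messages that originated on this host (localhost), and
#   - messages whose MSG text contains 'testing' or 'flow'.
#
# Written as one conditional forward rather than as 'stop' rules on purpose:
# this file is included BEFORE the #### RULES #### section of rsyslog.conf,
# so a 'stop' here would also discard the message for the local /var/log/*
# actions that follow the include. A conditional action has no such side effect.

if $fromhost-ip != '127.0.0.1'
   and not ($msg contains 'testing' or $msg contains 'flow')
then action(type="omfwd"
            target="192.168.1.100"
            port="514"
            protocol="tcp")

# The opposite intent (forward ONLY the matching messages, which is what the
# rule in the question did) is the same shape with the second clause
# un-negated:
#
#   if $fromhost-ip != '127.0.0.1'
#      and ($msg contains 'testing' or $msg contains 'flow')
#   then action(type="omfwd" target="192.168.1.100" port="514" protocol="tcp")

# Check and test (commands, not part of the config):
#   rsyslogd -N1                        parse the configuration without starting
#                                       the daemon
#   systemctl restart rsyslog           the new file is only read at (re)start
#   logger -t test "I am just testing"  generated on this host: never forwarded,
#                                       whichever of the two rules is active
# To see forwarding happen, send the test messages from another client into
# this VM's UDP/TCP 514 listeners; everything generated locally is excluded
# by the $fromhost-ip test.
```

One property detail worth keeping in mind when a filter seems not to match: $msg is only the MSG field after the TAG, so "root: testing" leaves $msg holding just " testing", and $msg never sees the hostname or program name. To match against the whole line as received, use $rawmsg; to match the program, use $programname.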
Author: Harry

Updated on June 28, 2022

Comments

  • Harry
    Harry almost 2 years

    I'm trying to achieve filtering and forwarding using an rsyslog VM.

    When I use

    *.* @@192.168.1.100:514
    

    it forwards all logs to that log server.

    What I need to do is filter out logs that contain 'testing' and 'flow' and also prevent logs from localhost from being sent to the log server.

    I have tried many ways of achieving this combination and failed. I just don't receive any logs at the destination once I use filters.

    The remaining full contents of rsyslog.conf are:

    # rsyslog configuration file
    
    # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
    # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
    
    #### MODULES ####
    
    # The imjournal module below is now used as a message source instead of imuxsock.
    $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
    $ModLoad imjournal # provides access to the systemd journal
    #$ModLoad imklog # reads kernel messages (the same are read from journald)
    #$ModLoad immark  # provides --MARK-- message capability
    
    # Provides UDP syslog reception
    $ModLoad imudp
    $UDPServerRun 514
    
    # Provides TCP syslog reception
    $ModLoad imtcp
    $InputTCPServerRun 514
    
    #### GLOBAL DIRECTIVES ####
    
    # Where to place auxiliary files
    $WorkDirectory /var/lib/rsyslog
    
    # Use default timestamp format
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    
    # Include all config files in /etc/rsyslog.d/
    $IncludeConfig /etc/rsyslog.d/*.conf
    
    # Turn off message reception via local log socket;
    # local messages are retrieved through imjournal now.
    $OmitLocalLogging on
    
    # File to store the position in the journal
    $IMJournalStateFile imjournal.state
    
    #### RULES ####
    if $msg contains 'testing' then @@192.168.1.100:514
    #*.* @@192.168.1.100:514
    

    My configuration is not working.

  • Harry
    Harry almost 8 years
    Thank you Drew. I figured out it was not rsyslog which was not working. The test message that I was sending was not long enough to match it. If you just send "testing" as a message, the rule was not working. If you send "I am just testing", it works. I think the message part has some length condition after which it is matching. I had to enable debug in the config file to figure this out. It works for me now, and thank you so much for responding to my question.
  • drewyupdrew
    drewyupdrew almost 8 years
    @Harry That's actually really interesting, it works for me just fine (but I'm only logging to a local file). I have in my rsyslog config file: if $msg contains 'testing' then /var/log/mylog.log and after running the command logger "testing", in mylog.log I see the log line: May 9 14:56:25 myServerHostname root: testing. It gets logged fine, so it's strange it doesn't work for you. I'm on Ubuntu 12.04 (rsyslog version: 5.8.6), if that makes a difference.
  • Harry
    Harry almost 8 years
    I'm using CentOS 7.2. Besides, I'm not logging to a file; I'm logging to another syslog server, which is essentially just a daemon on my laptop. It just appends to a text file here. At least I learned something new with rsyslog :)
  • Sachin Kumar
    Sachin Kumar almost 4 years
    @Harry, I have a local file on the server machine (this is a combination of all clients); now I want to filter the data of this file. The filter criteria might be severity, priority and any hard-coded text. I am a newbie in this; how do I fix this?