rsyslog: Log some messages only to specific file

linux debian logging syslog rsyslog
5,144

Your $IncludeConfig /etc/rsyslog.d/*.conf is above the rest of the logs, so all you need to do is stop processing lines in your iptables.conf. The & ~ already says "stop processing", but on some systems I found you need stop instead. And only the stop seems to be in the manual

Share:
5,144

Related videos on Youtube

mivk
Author by

mivk

Updated on September 18, 2022

Comments

  • mivk
    mivk over 1 year

    My firewall logs get written to my custom iptables.log file, but also to kern.log, messages, and syslog. I don't want these messages duplicated in all these logs.

    What is wrong with my config?

    $ cat /etc/rsyslog.d/iptables.conf

# This works, and the messages do get to iptables.log.
:msg, regex,  "^\[ *[0-9]*\.[0-9]*\] IPT" -/var/log/iptables.log
& ~

    In /etc/rsyslog.conf, $IncludeConfig /etc/rsyslog.d/*.conf is called before the lines for the standard log files:

    $ cat /etc/rsyslog.conf

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf
auth,authpriv.*         /var/log/auth.log
*.*;auth,authpriv.none      -/var/log/syslog
daemon.*            -/var/log/daemon.log
kern.*              -/var/log/kern.log
lpr.*               -/var/log/lpr.log
mail.*              -/var/log/mail.log
user.*              -/var/log/user.log
mail.info           -/var/log/mail.info
mail.warn           -/var/log/mail.warn
mail.err            /var/log/mail.err
news.crit           /var/log/news/news.crit
news.err            /var/log/news/news.err
news.notice         -/var/log/news/news.notice
*.=debug;\
    auth,authpriv.none;\
    news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none      -/var/log/messages
*.emerg             :omusrmsg:*
daemon.*;mail.*;\
    news.err;\
    *.=debug;*.=info;\
    *.=notice;*.=warn   |/dev/xconsole

    This is on a Debian Wheezy (7.9) system, with rsyslog version 5.8.11-3+deb7u2

  • mivk
    mivk over 7 years
    stop didn't work on my system, but removing the space from & ~ did. So apparently, on some systems you need stop and on others you need &~. Very annoying...

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to configure rsyslog to log into PostgreSQL without too much latency?
rsyslog: How do I direct messages from all remote machines to one file?
rsyslogd: Any way to get around the number of local facilities?
Log Locally and Remotely with rsyslogd
Accidentally deleted /var/log/syslog
Configuring SELINUX to allow logging to a file that's outside /var/log
When does Linux send a root mail and how to force it for testing purposes?
How to disable syslog messaging to /var/log/syslog
How to append %fromhost-ip% variable to every log line in rsyslog for remote host logs?
Redirecting output from syslog to own log