rsyslog server saves logs from remote also in /var/syslog
Just before posting this question I changed:
/etc/rsyslog.d/mikrotik.conf
to:
/etc/rsyslog.d/10-mikrotik.conf
It did fix my problem then but I just discovered it now.
Author by
tubos
Updated on September 18, 2022
Comments
-
tubos over 1 year
I have set up my Ubuntu server as a syslog server to accept all my logs from my router and save them in a separate mikrotik.log file in the /var/log/ folder.
Everything works but I notice that all messages are also copied in the /var/syslog logfiles.
Is there a way I can stop having these router messages in my /var/syslog log?
Below are my config files for syslog:
/etc/rsyslog.d/10-mikrotik.conf
    $template RouterLog, "/var/log/mikrotik.log"
    :fromhost-ip, isequal, "192.168.2.1" -?RouterLog
    & stop
/etc/rsyslog.d/50-default.conf
    #  Default rules for rsyslog.
    #
    # First some standard log files.  Log by facility.
    #
    auth,authpriv.*                 /var/log/auth.log
    *.*;auth,authpriv.none          -/var/log/syslog
    #cron.*                         /var/log/cron.log
    #daemon.*                       -/var/log/daemon.log
    kern.*                          -/var/log/kern.log
    #lpr.*                          -/var/log/lpr.log
    mail.*                          -/var/log/mail.log
    #user.*                         -/var/log/user.log
    #
    # Logging for the mail system.  Split it up so that
    # it is easy to write scripts to parse these files.
    #
    #mail.info                      -/var/log/mail.info
    #mail.warn                      -/var/log/mail.warn
    mail.err                        /var/log/mail.err
    #
    # Logging for INN news system.
    #
    news.crit                       /var/log/news/news.crit
    news.err                        /var/log/news/news.err
    news.notice                     -/var/log/news/news.notice
    #
    # Emergencies are sent to everybody logged in.
    #
    *.emerg                         :omusrmsg:*
    #
    # I like to have messages displayed on the console, but only on a virtual
    # console I usually leave idle.
    #
    # NOTE: adjust the list below, or you'll go crazy if you have a reasonably
    # busy site..
    #
    daemon.*;mail.*;\
            news.err;\
            *.=debug;*.=info;\
            *.=notice;*.=warn       |/dev/xconsole
/etc/rsyslog.conf
    # /etc/rsyslog.conf Configuration file for rsyslog.
    #
    # For more information see
    # /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
    #
    # Default logging rules can be found in /etc/rsyslog.d/50-default.conf

    #################
    #### MODULES ####
    #################

    $ModLoad imuxsock # provides support for local system logging
    $ModLoad imklog   # provides kernel logging support
    #$ModLoad immark  # provides --MARK-- message capability

    # provides UDP syslog reception
    $ModLoad imudp
    $UDPServerRun 514

    # provides TCP syslog reception
    #$ModLoad imtcp
    #$InputTCPServerRun 514

    # Enable non-kernel facility klog messages
    $KLogPermitNonKernelFacility on

    ###########################
    #### GLOBAL DIRECTIVES ####
    ###########################

    #
    # Use traditional timestamp format.
    # To enable high precision timestamps, comment out the following line.
    #
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

    # Filter duplicated messages
    $RepeatedMsgReduction on

    #
    # Set the default permissions for all log files.
    #
    $FileOwner syslog
    $FileGroup adm
    $FileCreateMode 0640
    $DirCreateMode 0755
    $Umask 0022
    $PrivDropToUser syslog
    $PrivDropToGroup syslog

    #
    # Where to place spool and state files
    #
    $WorkDirectory /var/spool/rsyslog

    #
    # Include all config files in /etc/rsyslog.d/
    #
    $IncludeConfig /etc/rsyslog.d/*.conf
-
tubos almost 8 years
As I understand, & ~ is deprecated and & stop should be used from v7 and up, so your suggestion does not help.
-
Rahul Shaw about 7 years
The config which was creating the problem in this case was /etc/rsyslog.d/50-default.conf on my Ubuntu 14.04 with rsyslog 7.4.4. This file contains a line to forward logs to /var/log/syslog. Adding a 10- in front of the mikrotik.conf in your case solved the problem because now it is opened before 50-default.conf and because you have added a line & stop in your 10-mikrotik.conf, it drops all the logs matching the defined criteria for further processing.
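
The load-order effect described in the comment above, as an added example that is not part of the original thread: a small Python model (not rsyslog itself) that walks drop-in files in sorted name order and reports which actions a message from a given host reaches before `& stop` discards it. The function name `destinations` and the reduced file contents are constructed for illustration; only the property-filter and catch-all selector forms used in the page's files are modelled, and facilities are ignored.

```python
import re

# Constructed sample: the page's two drop-in files, reduced to the lines that matter.
DEFAULT = "*.*;auth,authpriv.none\t-/var/log/syslog\n"
MIKROTIK = (
    '$template RouterLog, "/var/log/mikrotik.log"\n'
    ':fromhost-ip, isequal, "192.168.2.1" -?RouterLog\n'
    "& stop\n"
)

PROP_FILTER = re.compile(r'^:fromhost-ip,\s*isequal,\s*"([^"]+)"\s+(\S+)')
CATCH_ALL = re.compile(r"^\*\.\*\S*\s+(\S+)")  # only "*.*..." selectors are modelled


def destinations(dropins, fromhost_ip):
    """Return the actions a message from fromhost_ip reaches, in order.

    dropins maps file name -> content. Files are walked in sorted name order
    (assumption: the order the $IncludeConfig wildcard loads them in).
    """
    hits = []
    for name in sorted(dropins):
        matched_prev = False  # did the most recent filter line match?
        for raw in dropins[name].splitlines():
            line = raw.strip()
            if not line or line.startswith(("#", "$")):
                continue  # comments and legacy directives carry no action
            if line.startswith("&"):  # "& action" chains onto the previous filter
                if matched_prev and line[1:].strip() in ("stop", "~"):
                    return hits  # message is discarded; later files never see it
                continue
            m = PROP_FILTER.match(line)
            if m:
                matched_prev = m.group(1) == fromhost_ip
                if matched_prev:
                    hits.append(f"{name}: {m.group(2)}")
                continue
            m = CATCH_ALL.match(line)
            matched_prev = bool(m)
            if m:
                hits.append(f"{name}: {m.group(1)}")
    return hits


if __name__ == "__main__":
    for router_file in ("mikrotik.conf", "10-mikrotik.conf"):
        files = {router_file: MIKROTIK, "50-default.conf": DEFAULT}
        print(router_file, "->", destinations(files, "192.168.2.1"))
```

With the unprefixed name, `50-default.conf` sorts first and writes the router message to `/var/log/syslog` before the `& stop` in `mikrotik.conf` is ever evaluated.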