SuSE 11.3 rsyslog: log my router log to /var/log/myrouter

Hi.

Please, how can I set up my SuSE 11.3 rsyslog to get my router log logged to an individual file in /var/log? I’ve set up my router to send the log and opened udp/514 in the firewall: now I’m getting the router lines in /var/log/messages.

Thanks in advance.

I used to do this sort of thing with syslog-ng and haven’t had the need to fiddle with rsyslog yet, but from the man page, it looks like it has the flexibility to do the same thing. You have to write a rule that matches the incoming messages from your router and routes them to the log file you want. I’m sure that a search will find you some tutes on writing the rsyslog.conf file.

On 2010-11-08 18:36, FranzPatot wrote:
>
> Hi.
>
> Please, how can I set up my SuSE 11.3 rsyslog to get my router log
> logged to an individual file in /var/log? I’ve set up my router to send
> the log and opened udp/514 in the firewall: now I’m getting the router
> lines in /var/log/messages.

The method I use is this:

if ($source != 'Telcontar') then -/var/log/router;RSYSLOG_SyslogProtocol23Format
if ($source != 'Telcontar') then ~

Which is a temporary method, as it would not work if I had several sources.
It is just a filter by source. The paragraph is just above this one:

# print most on tty10 and on the xconsole pipe

kern.warning;*.err;authpriv.none /dev/tty10;RSYSLOG_TraditionalFileFormat
kern.warning;*.err;authpriv.none |/dev/xconsole;RSYSLOG_TraditionalFileFormat
*.emerg *

I.e., it is the first one; filtering is sequential.

Now, I have changed it to:

if ($source == 'router') then -/var/log/router;RSYSLOG_SyslogProtocol23Format
if ($source == 'router') then ~

which works because “router” is defined in my local DNS and inverse
resolution works. It did not work in the test setup I was using when I
wrote the first method.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

**Thanks** for the ideas.

Finally, it’s working with this filter:

if ($fromhost-ip == 'my-router-ip-here') then /var/log/netgear
& ~

:wink:

On 2010-11-09 11:06, FranzPatot wrote:
>
> **Thanks** for the ideas.
>
> Finally, it’s working with this filter:
>
> if ($fromhost-ip == 'my-router-ip-here') then /var/log/netgear
> & ~
>
> :wink:

And you are giving me another idea! That “& ~” is another line? It is
shorter than the method I knew. Makes sense, no double filter.

[testing]

Yep! :slight_smile:


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)
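
An added example, not part of the thread: the `$fromhost-ip` filter with `& ~` from the posts above, extended to several sending devices, the case the single `$source` filter was noted not to cover. It uses the same legacy rsyslog syntax; the addresses (documentation placeholders), the `PerDeviceFile` template name and the `/var/log/remote/` directory (assumed to exist) are assumptions.

```conf
# Constructed example; place these lines above the default rules, because
# rules are evaluated in order and "& ~" stops processing of a matched message.
#
# $fromhost-ip is the address the datagram arrived from. $source is an alias
# of "hostname", which is read from the message itself, so a filter on
# $fromhost-ip does not depend on what the sender writes into the message
# or on reverse DNS resolution.

# One output file per sending device, named after its address (dynamic file).
$template PerDeviceFile,"/var/log/remote/%fromhost-ip%.log"

# Known devices (placeholder addresses): write to the per-device file,
# then discard so the lines do not also land in /var/log/messages.
# The leading "-" disables sync after each write, "?" selects a dynamic file.
if ($fromhost-ip == '192.0.2.1') or ($fromhost-ip == '192.0.2.2') then -?PerDeviceFile;RSYSLOG_SyslogProtocol23Format
& ~

# Anything else that came in over the network: keep it apart from local
# logs so unexpected senders are visible in one place.
# Messages from local inputs carry 127.0.0.1 in $fromhost-ip.
if ($fromhost-ip != '127.0.0.1') then -/var/log/remote/unexpected.log;RSYSLOG_SyslogProtocol23Format
& ~

# Limit the firewall rule for udp/514 to the same device addresses:
# the source address of a UDP datagram is not authenticated.
```

On rsyslog v7 and later, `& ~` still works but is deprecated in favour of `& stop`.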