
I'm trying to configure a remote log host for my servers (all CentOS 8). I added this on my central server

if $fromhost-ip == '123.123.123.123' then /var/log/{{hostname}}.log

Also I changed my client config to

*.* @@321.321.321.321:514/var/log/{{hostname}}.log

But when I try to run:

sudo logger "test"

It logs both to /var/log/hostname.log and to /var/log/messages on my central remote server.

It also floods the custom log file with

pam_unix(sudo:session): session opened for user root by admin(uid=0)
log message here
pam_unix(sudo:session): session closed for user root

How do I set my logs to be sent only to my custom log file? And how do I filter these pam messages so they are not included?

Thank you

Gwynn

1 Answer


Logging to multiple locations is perfectly allowed, so if you did not change the default configuration which logs most things to /var/log/messages, then they will continue to be logged there.

The config file /etc/rsyslog.conf contains, among other things:

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

You might add a property-based filter to discard messages after you have logged them once, based on various properties of the message. For example, after logging the message once, the property-based filter discards it, preventing later configurations from logging it (the tilde means to discard the message and not process it further):

:fromhost-ip, isequal, '123.123.123.123' /var/log/{{hostname}}.log
:fromhost-ip, isequal, '123.123.123.123' ~

You're getting pam messages because you used sudo, not because you ran logger. You will get those every time you run sudo. If you do not want to see them in the log, do not run sudo. It isn't necessary to use sudo to run logger anyway.

Michael Hampton
  • Hi, I tried replacing my config to what you gave me but now it won't store the logs on my custom log file, but it's still logged on my messages log. Do I have to create another `:fromhost-ip, isequal, '127.0.0.1' /var/log/messages` so it will be separated from each other? – Gwynn Jun 17 '20 at 05:20
  • @Gwynn What changes did you make to your configuration? – Michael Hampton Jun 17 '20 at 05:21
  • this one: `:fromhost-ip, isequal, '123.123.123.123' /var/log/{{hostname}}.log` I tried changing it using `if $fromhost-ip == 123.123.123.123 then /var/log/{{hostname}}.log ` and `if $fromhost-ip == 123.123.123.123 then ~` but it still logs on both logfile, do I have to change my central server's log file so it logs on a separate log file and not messages? – Gwynn Jun 17 '20 at 05:27
  • Tried this [link](https://www.rsyslog.com/article60/) now I have three log files with the same content? I'm getting confused. – Gwynn Jun 17 '20 at 05:33
  • I'm dumb, I just had to place it before the default rules so it would "hit" the ~ first before entering the other rules. Thanks man! – Gwynn Jun 18 '20 at 04:29
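Putting the answer's two ideas together (log once, then discard; and drop the pam session noise) with the ordering point from the last comment, here is a complete central-server rule set in rsyslog's current RainerScript syntax. This is an added example, not configuration from the question or the answer: the file name `00-remote.conf`, the `/var/log/remote/` directory and the template name `RemoteHostLog` are my choices, the IP is the question's placeholder, and `%HOSTNAME%` is the rsyslog template property that the question's `{{hostname}}` placeholder was standing in for. The stock CentOS 8 `/etc/rsyslog.conf` includes `/etc/rsyslog.d/*.conf` before its RULES section, which is what lets these rules run ahead of the default `/var/log/messages` rule; check the result with `rsyslogd -N1` before restarting the service.

```rsyslog
# /etc/rsyslog.d/00-remote.conf  (assumed path; the 00- prefix sorts it first
# among the drop-in files so the "stop" actions run before the default rules)

# Accept remote syslog over TCP 514, matching the client's "*.* @@<ip>:514" line.
module(load="imtcp")
input(type="imtcp" port="514")

# One file per sending host. %HOSTNAME% is the property rsyslog fills in from
# the message; the {{hostname}} used in the question is not rsyslog syntax.
template(name="RemoteHostLog" type="string" string="/var/log/remote/%HOSTNAME%.log")

# Drop the sudo/pam_unix session chatter before it is written anywhere.
# This must come before the per-host rule, or it would already be in the file.
if $programname == 'sudo' and $msg contains 'pam_unix(sudo:session)' then stop

# Write messages from the remote client (placeholder IP from the question) to
# their own file, then stop so the later "*.info ... /var/log/messages" rule
# in rsyslog.conf never sees them. "stop" is the modern spelling of '~'.
if $fromhost-ip == '123.123.123.123' then {
    action(type="omfile" dynaFile="RemoteHostLog")
    stop
}
```

The `stop` inside the braces is what prevents the duplicate in `/var/log/messages`; a rule that only writes the file, or a discard rule placed after the defaults, reproduces the double logging the question describes. Because `$fromhost-ip` is matched against the sender, local messages on the central server are unaffected and still land in `/var/log/messages` as before.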