Background:

I have a lil Raspberry Pi server running the latest Raspbian OS running a number of network appliances to help manage a complex IOT LAN for a client.

I have been using rsyslog to write logs from the network hardware and servers to an external drive, mounted to /media/syslog. This is working fine. No, I can't write them to /var/log, because I'm generating hundreds of megabytes of logfiles per day, and I need to archive them uncompressed. Again, this is working flawlessly.

The Problem:

Every single event that is written to the logs in /media/syslog is also written to /var/log/syslog.

I really cannot overstate how incredibly annoying this is, especially since the volume of logs from the client devices is so enormous that even extremely generous logrotate settings mean I've got about 24 hours of syslog history on the server, maximum. By the time a problem is noticed and reported to me (within a day or two, usually), the logs have fully rotated out.

How do I prevent those remote clients' logs from ending up in /var/log/syslog?

I've seen a bunch of posts saying I need to do something with *.*;auth,authpriv.none -/var/log/syslog but I haven't the foggiest idea how to mess with syslog facilities or what it would even look like for this particular situation, so if you're about to tell me to do something along those lines, I'm gonna need you to explain in excruciating detail exactly what to cut and paste where.

Attached are my settings for rsyslog.conf...

# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="4565")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="4565")


###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf


###############
#### RULES ####
###############

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*         /var/log/auth.log
*.*;auth,authpriv.none      -/var/log/syslog
#cron.*             /var/log/cron.log
daemon.*            -/var/log/daemon.log
kern.*              -/var/log/kern.log
lpr.*               -/var/log/lpr.log
mail.*              -/var/log/mail.log
user.*              -/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info           -/var/log/mail.info
mail.warn           -/var/log/mail.warn
mail.err            /var/log/mail.err

#
# Some "catch-all" log files.
#
*.=debug;\
    auth,authpriv.none;\
    news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none      -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg             :omusrmsg:*

...and rsyslog.d/00-remotes.conf

$template NetworkLog1, "/media/syslog/%FROMHOST-IP%.log"
:fromhost-ip, isequal, "192.168.2.1" -?NetworkLog1
:fromhost-ip, isequal, "192.168.2.124" -?NetworkLog1
:fromhost-ip, isequal, "192.168.2.160" -?NetworkLog1
& stop

1 Answer

You need an & stop after each line. The & means apply the same filter, and if it matches stop further handling of this event.

:fromhost-ip, isequal, "192.168.2.1" -?NetworkLog1
& stop
:fromhost-ip, isequal, "192.168.2.124" -?NetworkLog1
& stop
:fromhost-ip, isequal, "192.168.2.160" -?NetworkLog1
& stop
meuh
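To make the answer's point concrete, here is an added example (not from the question, the answer, or rsyslog itself) that simulates rsyslog's top-to-bottom evaluation of the legacy filter lines and the `&` / `stop` semantics. It assumes, as in the posted rsyslog.conf, that `$IncludeConfig /etc/rsyslog.d/*.conf` runs before the `*.*;auth,authpriv.none -/var/log/syslog` rule, so a `stop` in 00-remotes.conf is what keeps a remote event out of /var/log/syslog; the rule sets and messages below are constructed.

```python
import re

# Constructed rule sets: the question's 00-remotes.conf (one "& stop" at the
# end) versus the answer's fix, each followed by the distro's catch-all rule.
ORIGINAL_RULES = """
:fromhost-ip, isequal, "192.168.2.1" -?NetworkLog1
:fromhost-ip, isequal, "192.168.2.124" -?NetworkLog1
:fromhost-ip, isequal, "192.168.2.160" -?NetworkLog1
& stop
*.*;auth,authpriv.none -/var/log/syslog
"""
FIXED_RULES = """
:fromhost-ip, isequal, "192.168.2.1" -?NetworkLog1
& stop
:fromhost-ip, isequal, "192.168.2.124" -?NetworkLog1
& stop
:fromhost-ip, isequal, "192.168.2.160" -?NetworkLog1
& stop
*.*;auth,authpriv.none -/var/log/syslog
"""

# Legacy property-based filter: ":property, compare-op, "value" action"
PROP_RE = re.compile(r'^:([\w-]+),\s*(\w+),\s*"([^"]*)"\s+(\S+)$')

def selector_matches(selector, facility):
    """Facility half of a selector like '*.*;auth,authpriv.none'. Later parts
    override earlier ones; a '.none' part excludes its facilities. Priority
    levels other than 'none' are treated as matching (enough for this demo)."""
    included = False
    for part in selector.split(";"):
        facs, prio = part.strip().rsplit(".", 1)
        if "*" in facs.split(",") or facility in facs.split(","):
            included = prio != "none"
    return included

def evaluate(rules, msg):
    """Return the actions that fire for msg, top to bottom, honouring 'stop'.
    msg is a dict with 'fromhost-ip' and 'facility' (constructed, not rsyslog's
    real message object)."""
    fired, last_match = [], False
    for line in (l.strip() for l in rules.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("&"):          # '&' reuses the previous filter result
            matched, action = last_match, line[1:].strip()
        elif (m := PROP_RE.match(line)):
            prop, op, value, action = m.groups()
            assert op == "isequal", "only isequal is modelled here"
            matched = msg.get(prop) == value
        else:                              # classic facility.priority selector
            selector, action = line.split(None, 1)
            matched = selector_matches(selector, msg["facility"])
        if not line.startswith("&"):
            last_match = matched
        if matched and action == "stop":
            break                          # discard: no later rule sees it
        if matched:
            fired.append(action)
    return fired
```

Run `evaluate(ORIGINAL_RULES, {"fromhost-ip": "192.168.2.124", "facility": "daemon"})` and the event reaches both the per-host file and /var/log/syslog; with `FIXED_RULES` it stops after the per-host file.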