
I'm trying to concentrate logs from multiple pieces of equipment from multiple clients on my RSYSLOG server.

My server runs on Debian 11 with RSYSLOG v8.2102

The configuration is quite simple at the moment: I've simply allowed UDP and TCP connections in /etc/rsyslog.conf and opened port 514 in UFW.

In /etc/rsyslog.d/ I add a rule for each piece of equipment. For example, to match a Fortinet I add this rule in /etc/rsyslog.d/10-Fortinet-SiteName-ClientName.conf:

if $msg contains 'devid="FGT_SerialNumber"' then /ClientsLogs/ClientName/SiteName/Fortinet.log
& stop

It works as expected.

I would like to send all the remaining network traffic to another file than /var/log/syslog, to help me identify problems such as a missing equipment configuration and to prevent /var/log/syslog from growing (firewall logs are quite verbose!).

I've tried to filter using $fromhost-ip without luck:

if not $fromhost-ip == '127.0.0.1' then /ClientsLogs/Undefined.log
& stop

I'm sure it must be quite simple but I can't get it working!

Cool34

2 Answers


I found this solution, but it breaks normal logging to /var/log/syslog :-(

Content of /etc/rsyslog.d/99-Undefined.conf

if $fromhost != '127.0.0.1' and $fromhost != 'localhost' and $fromhost != '`hostname`' then /ClientsLogs/Undefined.log
& stop
Cool34

Following on from your own answer, you cannot use '`hostname`' as a string and expect it to become, say, 'abc', where abc is your local host name. You can use backticks only in 2 forms: `echo $VARNAME` for some environment variable, or `cat filename` for some filename.

This is why your if statement is matching all input.

However, there is a pre-defined system property $myhostname that should hold the hostname, though I am not sure if it is a fully qualified domain name or not. You must use it with an extra $ prefix:

... and $fromhost != $$myhostname then ...
meuh
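Another way to keep network traffic out of /var/log/syslog without comparing hostnames at all, added here as an example and not taken from either answer: bind the UDP/TCP inputs to a dedicated ruleset, so remote messages never reach the default ruleset that feeds /var/log/syslog. It assumes the per-client filters are moved into that ruleset, and that the imudp/imtcp lines below replace the ones enabled in /etc/rsyslog.conf (a module must not be loaded twice); file paths and the devid value are the ones from the question.

```rsyslog
# /etc/rsyslog.d/10-remote.conf  (example, not from the thread)
# Load the network inputs here instead of in /etc/rsyslog.conf.
module(load="imudp")
module(load="imtcp")

# Every message arriving on 514/udp or 514/tcp is handed to the
# "remote" ruleset and is NOT processed by the default ruleset,
# so local messages (imuxsock, journald) still go to /var/log/syslog.
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

ruleset(name="remote") {
    # One block per known device; order does not matter because each
    # match ends with "stop".
    if $msg contains 'devid="FGT_SerialNumber"' then {
        action(type="omfile" file="/ClientsLogs/ClientName/SiteName/Fortinet.log")
        stop
    }

    # Anything still here came from the network but matched no device
    # rule: a missing or mistyped equipment configuration shows up here.
    action(type="omfile" file="/ClientsLogs/Undefined.log")
    stop
}
```

Check the configuration with `rsyslogd -N1` before restarting the service, and make sure rsyslog's user can write to /ClientsLogs.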