1

I've been trying to configure rsyslog to forward /var/log/syslog to a remote server. I was able to do this using the below configuration.

$InputFileName /var/log/secure $InputFileTag hostname-secure $InputFileStateFile hostname-secure $InputFileSeverity info $InputRunFileMonitor *.* @address:514

This does forward /var/log/secure but I actually end up with two logs on the remote server. One tagged from localhost and one tagged from the hostname of the machine, which uses the FileTag specified above.

What do I need to add or remove to forward this log file to a remote machine with the FQDN and FileTag intact without also including a second copy from localhost?

Christopher Karel
  • 6,442
  • 1
  • 26
  • 34
071414
  • 11
  • 1
  • 2

1 Answers1

2

It's showing up twice because you're sending it twice.

The "*.* @address:514" is sending everything that this syslog (client) receives as input, which means both normal logs received by the syslog subsystem (i.e. read from /dev/log), and by reading /var/log/secure after it's been written to by syslog itself.

What you probably want to do is add: $InputFileFacility local0 (or some other locally unused localX facility) then change:

*.* @address:514

to local0.* @address:514

This will then ensure you are only forwarding to @address log lines that are read from /var/log/secure, with the additional tag that you want (assuming that the tag is an important thing you really want to see on the remote syslog server)

If the extra tag is unimportant, you simply don't need the InputFile* directives, and only need the forwarding (*.* @address:514). If you want to be selective, change *.* to just the logs you're interested in forwarding.

Craig Miskell
  • 4,086
  • 1
  • 15
  • 16