
I have a number of Yealink SIP phones at different locations that I am trying to centralize log collection for.

I have set up a CentOS server at my main location with rsyslog. I am forwarding all traffic from UDP 514 to this server.

There is no way to specify a unique identifier to be sent with the logs from the Yealink phones. (I have already sent a feature request to the manufacturer). I'm thinking this may be my only option.

There is also no way to specify the port syslog is sent from on the phone.

Currently my logs are being separated by the IP address they are coming from, so a folder with each WAN IP is created and all the logs from that remote IP are dumped into a single file in that folder.

This means if I have 5 phones at one location all of their logs go into a single file.

How can I get them to separate to an individual log for each device within that folder?

This is my current directive: `$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"`

This is my rule: `*.* ?FILENAME`

  • The `%hostname%` property for each phone is not unique? Are they assigned IP from DHCP? (Will they take a hostname?) – Aaron Copley Sep 21 '15 at 16:07
  • The hostname property is not unique, they are all set to SIP-T26P by default. I can modify this by provisioning the phone and I have done so on my testing phone (changed it to 200102). However even after changing my directive to `$template FILENAME,"/var/log/%hostname%/syslog.log"` it still names the directory after the IP address. I did restart the rsyslog service after. – ButteredToastMan Sep 21 '15 at 16:33
  • I believe that `%hostname%` is resolved by DNS. If you've only changed what the phone thinks its hostname is, the syslog server still won't know and will fall back to IP. – Aaron Copley Sep 21 '15 at 17:31
  • Never mind, it's `%fromhost%` that is DNS resolved on the logger. The `%hostname%` property is set by the sender in the message. So, you may not be able to change that on the sending side, but you could use rsyslog's property replacer to transform a field. You could use an intermediary log server at each location to modify the field in transit. – Aaron Copley Sep 21 '15 at 17:34
  • It doesn't look like the phones send the `%hostname%` value and there is no place to turn it on. I can see in my DHCP server where it did assign the hostname 200102 to the device. I could use intermediaries, because then I could transform the local IP to the extension + location and forward it, but I'm looking at 70+ locations so not really feasible. – ButteredToastMan Sep 21 '15 at 18:48
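
The relay approach suggested in the comments, as an added example that is not part of the original thread: a small rsyslog instance at each site rewrites the hostname field to the phone's LAN address before forwarding, and the central server uses that field in the file name. `central.example.com` is a placeholder, and the central server is assumed to see each relay under its site's WAN IP.

```conf
## --- Per-site relay: /etc/rsyslog.conf (one per location) ---

# Listen for the phones on the LAN side
$ModLoad imudp
$UDPServerRun 514

# Same layout as the traditional forward format, but the HOSTNAME
# field is replaced with the address the relay saw the packet come from,
# i.e. the phone's LAN IP rather than whatever the phone put in the message.
$template RelayFmt,"<%PRI%>%TIMESTAMP% %fromhost-ip% %syslogtag%%msg%"

# Forward everything over UDP (single @) using that template
*.* @central.example.com:514;RelayFmt


## --- Central server: /etc/rsyslog.conf ---

$ModLoad imudp
$UDPServerRun 514

# %fromhost-ip% is still the site's WAN IP (the relay behind NAT);
# %hostname% is now the phone's LAN IP as written by the relay.
# secpath-replace turns any "/" in the sender-supplied field into "_",
# so a crafted hostname cannot redirect the write to another directory.
$template FILENAME,"/var/log/%fromhost-ip%/%hostname:::secpath-replace%.log"

*.* ?FILENAME
```

Because the hostname field is taken from the message, the central server should accept UDP 514 only from the known site addresses; otherwise any sender can choose which file its lines land in.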

0 Answers