
All over the web I find examples for either (1) rsyslog to a remote server or (2) rsyslog with templates, but never both. When I have this /etc/rsyslog.conf on my Mac it sends to the remote server fine:

*.* @10.1.38.223

But when I change to this, no network traffic is sent out to the remote server (verified with tcpdump):

$template MyTemplate, "MacOSX %msg%"
*.* @10.1.38.223;MyTemplate

Is it not possible to append extra text like this to messages logged remotely?

iwaseatenbyagrue
armani
  • What's your rsyslog version? – SYN Mar 09 '17 at 00:57
  • @SYN I actually can't find a way to determine that. Do you know how? If it helps, I'm on Mac OS X El Capitan. – armani Mar 09 '17 at 01:00
  • Don't you have man pages, on Mac? Versions are usually showing there – SYN Mar 09 '17 at 01:04
  • @SYN I tried. `man syslogd` doesn't show version info on the man page. Only useful info is `The syslogd utility appeared in 4.3BSD` and `The Apple System Log facility was introduced in Mac OS X 10.4.` – armani Mar 09 '17 at 01:07
  • 1
    ... FYI syslogd and rsyslog are two very different things. check man rsyslogd in doubt. syslogd won't have templates like rsyslogd. – SYN Mar 09 '17 at 01:17
  • @SYN Understood, but there's no `man` entry for `rsyslog` or `rsyslogd` – armani Mar 09 '17 at 16:51

1 Answer


As mentioned by @SYN, the syntax is correct for rsyslog, but not syslogd.

As far as I can tell from https://linux.die.net/man/5/syslog.conf and https://linux.die.net/man/8/syslogd, there is no option to format your logs.

But that isn't necessarily an issue: assuming you have rsyslog on your remote server, you can apply the template there. Either to incoming events, or only to the events you are actually going to keep.

If you have several different OSes you are pulling logs from, doing that might end up being simpler to manage, too.

iwaseatenbyagrue
  • The problem is tagging at the remote end. I'm trying to tag logs "MacOSX," "Windows," "Linux," "Palo Alto Firewall," "Cisco IOS," etc. but some of these log sources send too simple of syslog messages. The only way I could tell the messages spewing out of my Mac is from a Mac is perhaps by the IP address, but we have so many subnets running DHCP with varying device types inside that that's not reliable. – armani Mar 09 '17 at 16:54
  • I see - might some kind of hostname convention help? If not, for Mac, is there any option to add an agent? Something like say logstash (https://www.elastic.co/products/logstash) would allow you to work around the limitation for Mac, and could also potentially be used on Windows to pull e.g. the EventLog. – iwaseatenbyagrue Mar 09 '17 at 17:09
  • Our fleet is so large and vast I was hoping not to have to deploy new software. And hostname convention is a joke around here; every so often IT changes its mind on how hostnames look, and are inconsistent. – armani Mar 09 '17 at 17:22
  • 2
    I recognise that pain. OK, how about having Macs send to some specific port other than 514? – iwaseatenbyagrue Mar 09 '17 at 17:35
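The server-side half of the solution reached in these comments, written out as an added example (it is not configuration posted by either participant). It assumes the central collector runs rsyslog with the imudp module available; port 1988 is the value from the thread, while the ruleset name, template name and the output file path are assumptions. Clients are configured exactly as in the final comment (`*.* @10.1.38.223:1988`), and the template that macOS syslogd could not apply is applied here instead, keyed to the listener the message arrived on rather than to the source IP:

```conf
# Fragment for /etc/rsyslog.conf on the central collector (added example).
# Port 1988 is from the thread; ruleset/template names and the file path are assumed.
module(load="imudp")

# Prepend the platform tag the sender could not add itself.
# %msg% is the message text; %HOSTNAME% is whatever the sender put in the header.
template(name="TagMacOSX" type="string"
         string="MacOSX %TIMESTAMP% %HOSTNAME% %syslogtag%%msg%\n")

# Every message that arrives on the Mac-only port is routed into this ruleset,
# whatever its facility/severity, so tagging depends on the listener, not the IP.
ruleset(name="from_macosx") {
    action(type="omfile" file="/var/log/remote/macosx.log" template="TagMacOSX")
}

# Dedicated listener for Macs (clients send with: *.* @10.1.38.223:1988)
input(type="imudp" port="1988" ruleset="from_macosx")

# Ordinary listener for everything else, handled by the default ruleset
input(type="imudp" port="514")
```

Validate the file before restarting with `rsyslogd -N1`, then confirm arrival with the same tcpdump check used in the question. Two caveats: the tag only records which port a sender chose, so the "MacOSX" label is as trustworthy as the network that can reach port 1988 (restrict it at the firewall if the collector is reachable from untrusted segments), and plain UDP syslog gives no delivery guarantee or authentication. The same idea extends to the other sources named above: one listener port per device class (Windows, Cisco IOS, Palo Alto) with its own ruleset and tag template.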
  • You're a freaking genius. `*.* @10.1.38.223:1988` is all I need to set (1988 being an arbitrarily non-514 port) and when I catch the traffic I can tag based on the listener I setup on that port. Thanks!!! Accepting answer even though the real answer was in these comments. lol – armani Mar 09 '17 at 18:26