Posts Tagged ‘rsyslog’

rsyslog: redirect logs from certain host to a separate file

Thursday, November 30th, 2023

Linksys PAP2T-NA phone adapter is configured to send logs to a remote syslog server 10.11.0.10.

Enable the UDP listener in /etc/rsyslog.conf and allow the remote IP/subnet address in its config:

module(load="imudp")
input(type="imudp" port="514")
# the listener above is UDP, so the allow-list must name UDP to take effect
$AllowedSender UDP, 10.11.0.0/16

This is what the logs look like afterwards (once you have configured your server’s IP as the syslog server on the remote device, of course). Most likely they will appear in /var/log/syslog:

Nov 25 15:39:19 10.11.13.102 [1: 0]RTP Tx Dn
Nov 25 15:39:19 10.11.13.102 [1: 0]ENC INIT 8
Nov 25 15:39:19 10.11.13.102 [1: 0]RTP Tx Up (pt=8->0a48000a:18076)
Nov 25 15:39:19 10.11.13.102 CC: Remote Resume
Nov 25 15:39:19 10.11.13.102 CC: Connected
Nov 25 15:39:19 10.11.13.102 RTP: SSRC changed 787a1882->1df25275
Nov 25 15:39:29 10.11.13.102 syscfg_update_hdlr!!!
Nov 25 15:39:29 10.11.13.102 syscfg_update_hdlr!!!
Nov 25 15:39:51 10.11.13.102 syscfg_update_hdlr!!!


To redirect logs from the remote host with IP address 10.11.13.102, do the following:


Create /etc/rsyslog.d/11-linksys-gw.conf with the following lines:


if $fromhost-ip == '10.11.13.102' then /var/log/linksys-gw.log
& stop


Create an empty /var/log/linksys-gw.log file. At least on Debian, you need to chown this file to root:adm.

Finally, restart the rsyslog daemon. After that, all logs coming from the remote IP address 10.11.13.102 will be stored in a separate file.
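
An added example, not part of the original post: binding the UDP listener to its own ruleset keeps everything received on port 514 out of /var/log/syslog, instead of pulling out one host with a filter. The file name, the ruleset and template names and the /var/log/remote path are assumptions.

```rsyslog
# /etc/rsyslog.d/10-remote-udp.conf  (file name is an assumption)
# Assumes module(load="imudp") stays in /etc/rsyslog.conf and the plain
# input(type="imudp" port="514") line there is removed in favour of the
# input() at the bottom of this file.

# Per-sender files for any other device in the allowed subnet. The path is
# keyed on fromhost-ip (the datagram's source address as seen by rsyslog),
# not on HOSTNAME, which is a field the sender fills in itself.
template(
    name="remote-per-host" type="string"
    string="/var/log/remote/%fromhost-ip%/%$YEAR%%$MONTH%%$DAY%.%$HOUR%.log"
)

# Everything received on the UDP listener is handled here and nowhere else,
# so network input never reaches the rules that write /var/log/syslog.
ruleset(name="remote-udp") {
    if $fromhost-ip == "10.11.13.102" then {
        action(type="omfile" file="/var/log/linksys-gw.log")
        stop
    }
    action(type="omfile" dynaFile="remote-per-host" createDirs="on"
           dirCreateMode="0750" fileCreateMode="0640")
}

# Listen only on the syslog server's own address and bind to the ruleset.
input(type="imudp" address="10.11.0.10" port="514" ruleset="remote-udp")
```

Check the syntax with rsyslogd -N1 before restarting. UDP syslog is unauthenticated, so the per-address split organises the logs but does not prove which device sent a message.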

rsyslog: slicing & dicing application log files

Wednesday, December 1st, 2021

Let’s slice an application’s log file so that a separate log file is stored for each hour, with the files kept in separate directories according to the date.


Example for RTPEngine:

1. create file /etc/rsyslog.d/10-rtpengine.conf

2. add to it the following settings:

template(
    name="rtpengine-tmpl" type="string"
    string="/var/log/rtpengine/%$NOW%/rtpengine-%HOSTNAME%-%$YEAR%%$MONTH%%$DAY%.%$HOUR%.log"
)

template(
    name="rtpengine-fmt" type="string"
    string="%timegenerated% %HOSTNAME% %syslogtag% %msg:::drop-last-lf%\n"
)

if $app-name == ["rtpengine"] then {
    action(type="omfile" dynaFile="rtpengine-tmpl" template="rtpengine-fmt")
    stop
}

3. restart rsyslog.

4. profit


Example for OpenSIPS:

1. create /etc/rsyslog.d/20-opensips.conf

2. add to it:

# :msg, startswith, "ACC:" /var/log/opensips/acc.log
# & stop
#
# :syslogtag, contains, "opensips" /var/log/opensips/opensips.log
# & stop

template(
    name="opensips-tmpl" type="string"
    string="/var/log/opensips/opensips/%$NOW%/opensips-%HOSTNAME%-%$YEAR%%$MONTH%%$DAY%.%$HOUR%.log"
)

template(
    name="opensips-acc-tmpl" type="string"
    string="/var/log/opensips/acc/%$NOW%/acc-%HOSTNAME%-%$YEAR%%$MONTH%%$DAY%.%$HOUR%.log"
)

template(
    name="opensips-fmt" type="string"
    string="%timegenerated% %HOSTNAME% [%procid%] %syslogseverity-text% %msg%\n"
)

if $syslogtag contains "opensips" and $msg contains "ACC:" then {
    action(type="omfile" dynaFile="opensips-acc-tmpl" template="opensips-fmt")
    stop
}

if $syslogtag contains "opensips" then {
    action(type="omfile" dynaFile="opensips-tmpl" template="opensips-fmt")
    stop
}

3. restart rsyslog.

rsyslog: do not collect logs from some application

Tuesday, June 26th, 2018

If the application itself has no setting for this, you can configure rsyslog not to write the app’s logs.

CentOS 6.6, rsyslog 5.8.10-10.el6_6:
Asterisk is configured to write logs to a remote syslog server (syslog02.core), but it still writes them not only there but also locally.
To prevent this:
create ‘/etc/rsyslog.d/10-asterisk.conf’ with the lines

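# forward over UDP, then discard; rsyslog 5.x predates the "stop" statement,
# its discard action is "~"
:syslogtag, contains, "asterisk" @syslog02.core
& ~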

Debian 9.4 Stretch, rsyslog 8.24.0-1:
Asterisk is not configured to write to a remote syslog, but it also writes everything to the local rsyslog.
Create ‘/etc/rsyslog.d/10-asterisk.conf’:

if $programname == "asterisk" then {
    stop
}

https://www.rsyslog.com/doc/v8-stable/configuration/filters.html
https://www.rsyslog.com/discarding-unwanted-messages/