Setup for rsyslog to log from two network devices
I have 2 VOIP devices on my network (ht502 and ht704) which are both capable of sending their log info as syslog data. Receiver is a little Raspberry on Raspbian.
I wanted to configure syslog to receive messages from both VOIP devices and store them into their respective (different) log files. So far I failed to accomplish that.
I enabled syslog (by uncommenting the below lines in /etc/rsyslog.conf):
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
I created two files in /etc/rsyslog.d/ as follows.
ht704.conf
$template NetworkLog, "/var/log/ht704.log"
:fromhost-ip, isequal, "192.168.11.160" -?NetworkLog
ht502.conf
$template NetworkLog, "/var/log/ht502.log"
:fromhost-ip, isequal, "192.168.11.162" -?NetworkLog
Note the respective different IP addresses.
And restarted the service:
service rsyslog restart
It turns out however that all output lands in the /var/log/ht502.log file.
Example:
Nov 7 19:05:39 HT-502 [00: 0B:82:42:31:62]: [1.0.14.1] NAT::checkNAT: detected NAT environment for account 1
Nov 7 19:05:39 HT-502 [00: 0B:82:42:31:62]: [1.0.14.1] NAT::addPortMapping(STUN), iport = 49260
Nov 7 19:05:39 HT704 [00: 0B:82:65:DD:1C] [1.0.5.10]:System uptime: 1846
Nov 7 19:05:39 HT704 [00: 0B:82:65:DD:1C] [1.0.5.10]:System memory: 13213696/724992/0/794624
Nov 7 19:05:40 HT-502 [00: 0B:82:42:31:62]: [1.0.14.1] SIPClientTransaction::sendRequest: Request 15 is sent
Nov 7 19:05:40 HT-502 [00: 0B:82:42:31:62]: [1.0.14.1] SIPStack(0)::run: Active transactions: 2
On top of all I actually just noticed that the messages from the VOIP devices also unexpectedly showed up in /var/log/messages and /var/log/syslog. I don't think they should show up there. Or should they?
Any idea what's missing?
1 Answer
TL;DR :
Your templates are clobbering each other (although they do not seem to be inherited by other .conf files, they are conflicting - your guess is as good as mine).
Rename NetworkLog to a unique name per file.
Add & ~ as the last line in ht704.conf and ht502.conf
Alternative (cleaner):
Create a single .conf file in /etc/rsyslog.d/ containing the following:
:fromhost-ip, isequal, "192.168.11.160" /var/log/ht704.log
& ~
:fromhost-ip, isequal, "192.168.11.162" /var/log/ht502.log
& ~
with formatters example:
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
# "& ~" only applies to the filter directly above it, so each rule gets its own
:fromhost-ip, isequal, "192.168.11.160" /var/log/ht704.log;RFC3164fmt
& ~
:fromhost-ip, isequal, "192.168.11.162" /var/log/ht502.log;RFC3164fmt
& ~
Long Version :
I recently found myself struggling to understand the precedence and syntax of these files and found this question while googling. I would like to link to the documentation but I found it terribly hard to parse and it seems there is already an incentive to improve it underway here: As a result, most of the advice comes from empirical evidence (things I tried).
TIL:
The FILENAMEs in /etc/rsyslog.d are operated on with alphabetical precedence [collation dependent] (i.e. why the default is named 50-default.conf). As an example I was trying to have multiple output files with different formatting based on the same rule/condition (:fromhost-ip, etc.); the answer was to have the first file read (alphabetically/collationally) do whatever and exclude the STOP (& ~) while presenting a different output to the second file (alphabetically/collationally) AND including the STOP (& ~).
The first file in this example was named 10-ddwrt.conf and the second was named 15-ddwrt.conf.
Hope this helps and please feel free to improve upon it. I specifically did not get into the "new" syntax as it is incompatible with older versions of rsyslog.
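An added example, not part of the original question or answer: a small Python lint that checks legacy-syntax drop-in files for the two problems discussed above, a template name defined in more than one file and a filter with no `& ~` after it. The file contents are constructed from the snippets on this page; `10-voip.conf` is a hypothetical file name, and plain sorted order standing in for rsyslog's include order is an assumption.

```python
import re

# Constructed sample: the question's two drop-in files, keyed by file name.
SAMPLE = {
    "ht704.conf": '$template NetworkLog, "/var/log/ht704.log"\n'
                  ':fromhost-ip, isequal, "192.168.11.160" -?NetworkLog\n',
    "ht502.conf": '$template NetworkLog, "/var/log/ht502.log"\n'
                  ':fromhost-ip, isequal, "192.168.11.162" -?NetworkLog\n',
}
# The answer's single-file alternative, under a hypothetical file name.
FIXED = {
    "10-voip.conf": ':fromhost-ip, isequal, "192.168.11.160" /var/log/ht704.log\n& ~\n'
                    ':fromhost-ip, isequal, "192.168.11.162" /var/log/ht502.log\n& ~\n',
}

TEMPLATE = re.compile(r'^\$template\s+([^,\s]+)\s*,', re.IGNORECASE)
FILTER = re.compile(r'^:[\w$-]+\s*,')        # legacy property-based filter
DISCARD = re.compile(r'^&\s*(~|stop)\s*$')   # "& ~", or "& stop" on newer rsyslog


def lint(files):
    """Return (duplicate_templates, filters_without_discard)."""
    first_def = {}   # template name -> file that defined it first
    duplicates = []  # (template, first file, later file)
    leaking = []     # (file, filter line) not followed by a discard
    for fname in sorted(files):  # assumption: plain sort matches the include order
        pending = None           # last filter still waiting for "& ~"
        for raw in files[fname].splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            tpl = TEMPLATE.match(line)
            if tpl:
                owner = first_def.setdefault(tpl.group(1), fname)
                if owner != fname:
                    duplicates.append((tpl.group(1), owner, fname))
            elif FILTER.match(line):
                if pending:
                    leaking.append((fname, pending))
                pending = line
            elif DISCARD.match(line):
                pending = None
        if pending:
            leaking.append((fname, pending))
    return duplicates, leaking


if __name__ == "__main__":
    for label, conf in (("question", SAMPLE), ("fixed", FIXED)):
        print(label, lint(conf))
```

A filter reported as leaking is one whose messages continue on to later rules, which is how device logs also end up in /var/log/syslog and /var/log/messages.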