I am trying to log messages from a specific remote host to a separate log file (and only to that file). I tried this:
# cat /etc/rsyslog.d/avs110door.conf
if $fromhost == 'avs110' then /var/log/avs110-door.log
& stop
The log file is not created, and the messages from that host are still sent to user.log, syslog, messages and auth.log (depending on the facility).
I did run systemctl restart rsyslog.service, and other .conf files from that directory do work as expected.
This is a Debian Jessie server with rsyslog version 8.4.2-1+deb8u2.
The messages in the wrong files are like this (so the remote hostname is indeed 'avs110' as in my .conf file condition):
Jul 18 18:27:19 avs110 sshd[781]: Server listening on :: port 22.
Jul 18 18:27:39 avs110 engine[844]: Finished initialization
Jul 18 18:44:20 avs110 engine[844]: Calling sip:[email protected]:5060
It turned out that the $fromhost variable is not the host name as it appears in the message, but the fully qualified domain name. The message's hostname is in another variable: $hostname.
So what I had tried didn't work, but any of the following do work to send logs from a specific host to a specific log file:
$hostname: as it appears in the message
$fromhost: FQDN from reverse lookup
$fromhost-ip: well, that one is obvious: the IP
Or:
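Added example, not part of the original post: a filter that combines two of the properties listed above. $hostname is read from the message header, which the sender writes, while $fromhost-ip is the address rsyslog received the message from, so matching both keeps the dedicated file limited to messages that really arrived from that host. The address 192.0.2.10 and the mismatch file name are placeholders assumed for illustration.

```conf
# /etc/rsyslog.d/avs110door.conf  (file name taken from the question)
# Assumption: 192.0.2.10 stands in for the real address of avs110.
# If the messages pass through a relay, $fromhost-ip is the relay's
# address, not the originating host's.

# Expected case: header hostname and sender address both match.
if $hostname == 'avs110' and $fromhost-ip == '192.0.2.10' then {
    action(type="omfile" file="/var/log/avs110-door.log")
    stop    # nothing after this rule sees the message
}

# The header claims avs110 but the message came from another address.
# Keep it out of the door log and set it aside for review.
# The file name avs110-mismatch.log is hypothetical.
if $hostname == 'avs110' and $fromhost-ip != '192.0.2.10' then {
    action(type="omfile" file="/var/log/avs110-mismatch.log")
    stop
}
```

Running `rsyslogd -N1` checks the configuration syntax before the service is restarted.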