I am trying to configure rsyslog (Ubuntu 12.04 Server) to log events from a router. I found this old Ubuntu forum post which got me most of the way there.
So far I am able to get the events logged from the router. However, since I don't want them logged in /var/log/syslog, I am trying to set up a working filter in /etc/rsyslog.conf to put the logged events in /var/log/linksys.log. This is where I am having trouble.
First I tried filtering by the router ip address like this:
    :fromhost-ip, isequal, "192.168.2.1" /var/log/linksys.log
    & ~

This successfully redirects the logs as I wanted; the only problem is that now I am not getting any SSHD logs in auth.log. Needless to say this is not acceptable.
Next I tried filtering by the router name which appears in every event log:
    :msg, contains, "RV042" /var/log/linksys.log
    & ~

This, however, neither logs nor blocks anything.
So I am stumped. I have no idea why SSHD is getting filtered with the :fromhost-ip filter. SSHD is local on the machine with rsyslog (192.168.2.2). I am thoroughly frustrated by this, any suggestions are much appreciated.
I figured it out! These links helped:
http://www.rsyslog.com/tag/udp/
http://www.rsyslog.com/doc/multi_ruleset.html
Here's what I did:
Opened up /etc/rsyslog.d/50-default.conf and at the top of the file, before all of the other default filters, I added:

/etc/rsyslog.conf is not the right file to be editing. You really want to be setting up a separate .conf file:

Then add the required configuration:
This shouldn't confuse any other log entries. Just tried this myself and it works fine.
Thanks to http://nickhumphreyit.blogspot.co.uk/2012/09/how-to-setup-syslog-server-on-ubuntu.html for giving me the answer, after giving up on the documentation.
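The two answers above both point at the same mechanism, a separate file under /etc/rsyslog.d and rsyslog's multi-ruleset support, but the configuration they posted is not on this page. The following is an added example (not the configuration from either answer) of that approach in the legacy directive syntax that the rsyslog 5.8 shipped with Ubuntu 12.04 understands. The file name 10-linksys.conf is an assumption; the addresses 192.168.2.1 (router) and 192.168.2.2 (rsyslog host) are the ones given in the question. The point of the ruleset is that messages arriving on the bound UDP input are processed only by the rules inside it, so they never reach 50-default.conf and no discard rule is needed that could also catch local sshd messages on their way to auth.log.

```conf
# /etc/rsyslog.d/10-linksys.conf   (file name is an assumption; any name that
# sorts before 50-default.conf works, because /etc/rsyslog.conf includes
# /etc/rsyslog.d/*.conf in lexical order)

# Load the UDP listener here and ONLY here. If $ModLoad imudp and
# $UDPServerRun 514 are already uncommented in /etc/rsyslog.conf, remove
# them there first, or the second listener fails to bind port 514.
$ModLoad imudp

# A dedicated ruleset for the router. Messages delivered to this ruleset run
# only the rules below, so nothing here can touch local messages.
$RuleSet linksys
*.* /var/log/linksys.log

# Bind the UDP input to that ruleset, restrict it to the LAN address
# (192.168.2.2 in the question), then start it. Both directives must come
# before $UDPServerRun.
$InputUDPServerBindRuleset linksys
$UDPServerAddress 192.168.2.2
$UDPServerRun 514

# Switch back so that 50-default.conf and every later file keep applying to
# local messages from /dev/log and the kernel (sshd still lands in auth.log).
$RuleSet RSYSLOG_DefaultRuleset
```

After `restart rsyslog`, check both paths: `ssh localhost` (or `logger -p auth.info test`) should still produce a line in /var/log/auth.log, and a hand-made datagram such as `echo "<14>RV042 test" > /dev/udp/192.168.2.2/514` from another LAN host should appear only in /var/log/linksys.log. `rsyslogd -N1` validates the syntax without starting the daemon. Two caveats: the file inherits the global $FileOwner/$FileGroup/$FileCreateMode settings from /etc/rsyslog.conf (syslog:adm, 0640 on Ubuntu), so do not loosen them; and UDP syslog carries no authentication, so any host that can reach port 514 can write a "router" line into that file, which matters if anything later parses it. On rsyslog 7 and newer the same thing is written as `input(type="imudp" port="514" address="192.168.2.2" ruleset="linksys")`.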
You may want to add a logrotate file to /etc/logrotate.d/linksys too:
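The logrotate file itself is missing from the answer above, so here is an added example (not the answer's own file) for the path it names. It mirrors what Ubuntu 12.04's own /etc/logrotate.d/rsyslog does: ownership and mode match rsyslog's defaults for the files it creates, and the postrotate step sends rsyslog a HUP through Upstart so it reopens the new file instead of writing into the rotated one. The retention values are assumptions.

```conf
# /etc/logrotate.d/linksys   (path as named in the answer; added example)
/var/log/linksys.log {
    weekly
    rotate 8            # keep eight weeks; assumption, tune to taste
    missingok           # do not error if rsyslog has not created the file yet
    notifempty
    compress
    delaycompress       # leave the newest rotated file uncompressed for tailing
    create 0640 syslog adm   # same owner/group/mode rsyslog uses on Ubuntu
    postrotate
        # HUP rsyslog so it closes /var/log/linksys.log.1 and reopens the new file
        reload rsyslog >/dev/null 2>&1 || true
    endscript
}
```

`logrotate -d /etc/logrotate.d/linksys` performs a dry run that prints what would happen without rotating anything; `logrotate -f /etc/logrotate.d/linksys` forces one rotation so you can confirm that new router lines keep arriving in the freshly created file rather than in linksys.log.1.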