Ubuntu: Rsyslog filter for logging router events (syslog server)



Question:

I am trying to configure rsyslog (Ubuntu 12.04 Server) to log events from a router. I found this old Ubuntu forum post which got me most of the way there.

So far I am able to get the events logged from the router. However, since I don't want them logged in /var/log/syslog, I am trying to set up a working filter in /etc/rsyslog.conf to put the logged events in /var/log/linksys.log. This is where I am having trouble.

  • First I tried filtering by the router ip address like this:

    :fromhost-ip, isequal, "192.168.2.1" /var/log/linksys.log
    & ~

    This successfully redirects the logs as I wanted, the only problem is now I am not getting any SSHD logs in auth.log. Needless to say this is not acceptable.

  • Next I tried filtering by the router name which appears in every event log:

    :msg, contains, "RV042" /var/log/linksys.log
    & ~

    Although this neither logs nor blocks anything.

So I am stumped. I have no idea why SSHD is getting filtered with the :fromhost-ip filter. SSHD is local on the machine with rsyslog (192.168.2.2). I am thoroughly frustrated by this, any suggestions are much appreciated.


Solution:1

I figured it out! These links helped:

http://www.rsyslog.com/tag/udp/

http://www.rsyslog.com/doc/multi_ruleset.html

Here's what I did:

Opened up /etc/rsyslog.d/50-default.conf and at the top of the file, before all of the other default filters, I added:

# process remote messages
# (imudp must already be loaded, e.g. the $ModLoad imudp line in
#  /etc/rsyslog.conf, or $UDPServerRun below has nothing to bind to)
# define new ruleset and add rules to it:
$RuleSet remote
*.*           /var/log/linksys.log
# only messages not from 192.168.2.1 make it past this point

# bind ruleset to UDP listener
$InputUDPServerBindRuleset remote
# and activate it:
$UDPServerRun 514

# switch back to the default ruleset:
$RuleSet RSYSLOG_DefaultRuleset


Solution:2

/etc/rsyslog.conf is not the right file to be editing. You really want to be setting up a separate .conf file:

$ sudo nano /etc/rsyslog.d/20-router.conf  

Then add the required configuration:

:fromhost-ip, isequal, "192.168.2.1" /var/log/linksys.log
& ~

This shouldn't confuse any other log entries. Just tried this myself and it works fine.

Thanks to http://nickhumphreyit.blogspot.co.uk/2012/09/how-to-setup-syslog-server-on-ubuntu.html for giving me the answer, after giving up on the documentation.

You may want to add a logrotate file to /etc/logrotate.d/linksys too:

/var/log/linksys.log {
        daily
        rotate 7
        delaycompress
        compress
        notifempty
        missingok
}
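The two answers above take different routes to the same result: Solution 2 keeps one ruleset and puts a property-based filter with a discard ("& ~") in front of the default rules, while Solution 1 binds a separate ruleset to the UDP listener so the default ruleset never sees remote messages at all. The following is an added example written for this page (not code from rsyslog or from either answer) that models both approaches over three constructed syslog lines, so the routing can be checked without a live rsyslogd. It assumes RFC 3164 formatting and that the router sends its name "RV042" in the HOSTNAME header field rather than inside the message body; under that assumption it also shows why a ":msg, contains" filter selects nothing while ":hostname, contains" does. The facility handling is reduced to the auth/authpriv split that Ubuntu's 50-default.conf uses; everything else in rsyslog's selector grammar is left out.

```python
"""Added example: a small model of rsyslog's property-based filters and
rulesets, run over constructed syslog lines.  Illustrative code written for
this page, not part of rsyslog or of either answer above."""
import re
from dataclasses import dataclass

# RFC 3164 header shape assumed for both the router and local daemons:
#   <PRI>TIMESTAMP HOSTNAME TAG: MSG   (assumption, not rsyslog's own parser)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<tag>[^:\s]+:?) ?(?P<msg>.*)$"
)
AUTH_FACILITIES = {4, 10}  # auth, authpriv
DISCARD = "~"              # legacy rsyslog discard action, as in "& ~"


@dataclass
class Msg:
    """The rsyslog properties the filters on this page refer to."""
    fromhost_ip: str   # "fromhost-ip": sender address (127.0.0.1 for local)
    facility: int      # PRI >> 3
    hostname: str      # "hostname": the HOSTNAME header field
    syslogtag: str     # "syslogtag"
    msg: str           # "msg": body after the tag; does NOT include hostname
    raw: str


def parse(raw: str, fromhost_ip: str) -> Msg:
    m = RFC3164.match(raw)
    if not m:
        raise ValueError(f"not RFC 3164: {raw!r}")
    return Msg(fromhost_ip, int(m["pri"]) >> 3, m["hostname"],
               m["tag"], m["msg"], raw)


def prop(name: str, op: str, value: str):
    """':name, op, "value"' property-based filter -> predicate on Msg."""
    def pred(m: Msg) -> bool:
        actual = getattr(m, name.replace("-", "_"))
        if op == "isequal":
            return actual == value
        if op == "contains":
            return value in actual
        raise ValueError(f"unsupported compare op {op!r}")
    return pred


# Selector-style filters from Ubuntu's 50-default.conf, reduced to facility
auth_only = lambda m: m.facility in AUTH_FACILITIES        # auth,authpriv.*
not_auth = lambda m: m.facility not in AUTH_FACILITIES      # *.*;auth,authpriv.none
everything = lambda m: True                                 # *.*


def run_ruleset(rules, m: Msg, files: dict) -> None:
    """Apply rules in order. A rule is (predicate, [actions]); the action
    list models 'filter action' followed by '& action' lines. DISCARD stops
    processing of this message, exactly like '& ~'."""
    for pred, actions in rules:
        if not pred(m):
            continue
        for action in actions:
            if action == DISCARD:
                return
            files.setdefault(action, []).append(m.raw)


# Solution 2: property filter plus discard in front of the default rules.
DEFAULT_RULESET = [
    (prop("fromhost-ip", "isequal", "192.168.2.1"), ["/var/log/linksys.log", DISCARD]),
    (auth_only, ["/var/log/auth.log"]),
    (not_auth, ["/var/log/syslog"]),
]
# Solution 1: a ruleset bound to the UDP input; local messages use another.
REMOTE_RULESET = [(everything, ["/var/log/linksys.log"])]
LOCAL_RULESET = [(auth_only, ["/var/log/auth.log"]), (not_auth, ["/var/log/syslog"])]

# Constructed sample traffic (not captured from a real RV042): raw line, sender IP, input module
SAMPLES = [
    ("<134>Jan 10 12:00:01 RV042 kernel: Connection Refused - Policy violation", "192.168.2.1", "imudp"),
    ("<38>Jan 10 12:00:02 server sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2", "127.0.0.1", "imuxsock"),
    ("<78>Jan 10 12:00:03 server CRON[2222]: (root) CMD (run-parts /etc/cron.hourly)", "127.0.0.1", "imuxsock"),
]


def route_single_ruleset() -> dict:
    """Solution 2 layout: every message walks the one default ruleset."""
    files: dict = {}
    for raw, ip, _ in SAMPLES:
        run_ruleset(DEFAULT_RULESET, parse(raw, ip), files)
    return files


def route_bound_rulesets() -> dict:
    """Solution 1 layout: the input module decides which ruleset runs."""
    files: dict = {}
    for raw, ip, module in SAMPLES:
        rs = REMOTE_RULESET if module == "imudp" else LOCAL_RULESET
        run_ruleset(rs, parse(raw, ip), files)
    return files


def router_lines_matched(name: str, op: str, value: str) -> int:
    """How many of the router's lines a ':name, op, "value"' filter selects."""
    pred = prop(name, op, value)
    return sum(pred(parse(raw, ip)) for raw, ip, _ in SAMPLES if ip == "192.168.2.1")


if __name__ == "__main__":
    for label, files in (("single", route_single_ruleset()), ("bound", route_bound_rulesets())):
        for path, lines in sorted(files.items()):
            print(f"{label:6} {path}: {len(lines)} line(s)")
    print(':msg, contains, "RV042" matches', router_lines_matched("msg", "contains", "RV042"))
    print(':hostname, contains, "RV042" matches', router_lines_matched("hostname", "contains", "RV042"))
```

In both layouts the router line lands only in /var/log/linksys.log and the local sshd line still reaches /var/log/auth.log, which is the outcome both answers report. The last two lines of output show the property that matters for the second filter the question tried: with the router's name in the HOSTNAME field, ":msg, contains" sees nothing to match, and the discard that follows it never fires either.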
