I am trying to set up Rsyslog with the following configuration: I listen on port 514 to receive data from different hosts: 172.16.111.222, 172.16.111.111 and 172.16.222.111. And I want to store those logs in a different folder for each host. So I did this conf:
$ModLoad imudp
$Ruleset RemoteConnections
$RulesetCreateMainQueue on
$ActionQueueType LinkedList
$ActionQueueFileName dbremotecons
$ActionResumeRetryCount -1
*.* ~
$InputUDPServerBindRuleset RemoteConnections
$UDPServerRun 514
if $fromhost-ip=='172.16.111.222' then /var/log/prod1/%FROMHOST-IP%/%syslogfacility-text%.log
& ~
if $fromhost-ip=='172.16.111.111' then /var/log/prod1/%FROMHOST-IP%/%syslogfacility-text%.log
& ~
if $fromhost-ip=='172.16.222.111' then /var/log/product2/%FROMHOST-IP%/%syslogfacility-text%.log
& ~
Unfortunately, it is not working; rsyslog is not logging anything. I am not sure what "& ~" means, I found that on the internet.
Any ideas to make it work?
2 Answers
You can't use placeholders directly in the rules. Use templates instead. The following should work:
$template DynaFile,"/var/log/%FROMHOST-IP%/%syslogfacility-text%.log"
*.* -?DynaFile
Or, to be closer to your code:
$template prod1,"/var/log/prod1/%FROMHOST-IP%/%syslogfacility-text%.log"
$template prod2,"/var/log/prod2/%FROMHOST-IP%/%syslogfacility-text%.log"
if $fromhost-ip=='172.16.111.111' then ?prod1
if $fromhost-ip=='172.16.111.222' then ?prod1
if $fromhost-ip=='172.16.222.111' then ?prod2

"~" means discard or stop, which is an rsyslog "action".
So:
if $fromhost-ip=='172.16.111.222' then /var/log/prod1/%FROMHOST-IP%/%syslogfacility-text%.log
& ~
means that if the "if ... then ..." statement works, i.e. the condition is met and the message is logged into a file, then stop - do not proceed any further.
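The two answers combined into one configuration, as an added example that is not code from either answer: it binds the UDP listener to the ruleset, writes through templates, and places the catch-all discard last, because rules in a ruleset run in order and an early `*.* ~` drops every message before the filters are reached. It assumes an rsyslog version that accepts RainerScript object syntax and `stop` (v7 or later), and it uses the `prod1`/`prod2` paths from the first answer.

```rsyslog
# Added example (assumes rsyslog v7+ RainerScript syntax).
module(load="imudp")

# Dynamic file names must come from templates, not inline %placeholders%.
# fromhost-ip is taken from the socket (last hop), not from the message body,
# so a sender cannot choose an arbitrary directory name through it.
template(name="prod1" type="string"
         string="/var/log/prod1/%fromhost-ip%/%syslogfacility-text%.log")
template(name="prod2" type="string"
         string="/var/log/prod2/%fromhost-ip%/%syslogfacility-text%.log")

ruleset(name="RemoteConnections") {
    if $fromhost-ip == '172.16.111.111' or $fromhost-ip == '172.16.111.222' then {
        action(type="omfile" dynaFile="prod1")
        stop    # modern spelling of "& ~": message handled, go no further
    }
    if $fromhost-ip == '172.16.222.111' then {
        action(type="omfile" dynaFile="prod2")
        stop
    }
    # Anything from an unlisted sender is dropped here, after the filters.
    stop
}

# Messages arriving on UDP 514 are processed only by the ruleset above.
input(type="imudp" port="514" ruleset="RemoteConnections")
```

Running `rsyslogd -N1` checks the configuration for syntax errors before the service is restarted.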