Sending user specific logs from one host to other using rsyslog












0














I am using rsyslog server running on localhost(centos) and remote machine(ubuntu).I am able to send the logs from localhost to remote server using TCP connection and UDP connection able to see the logs in remote server.
My localhost config :



 # rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log




*.* @@192.168.122.50:514


My remote server config:



      /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support
$ModLoad imtcp
$InputTCPServerRun 514
$AllowedSender TCP, 192.168.0.0/8
#$ModLoad immark # provides --MARK-- message capability
$template TmplAuth, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"
$template TmplMsg, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"

authpriv.* ?TmplAuth
*.info;mail.none;authpriv.none;cron.none ?TmplMsg

# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

# Enable non-kernel facility klog messages
$KLogPermitNonKernelFacility on

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

authpriv.* /var/log/secgw-siglogs;RSYSLOG_FileFormat

$template RemoteStore, "/var/log/remote/%HOSTNAME%/%timegenerated:1:10:date-rfc3339%"
:source, !isequal, "localhost" -?RemoteStore
:source, isequal, "last" ~$template RemoteStore, "/var/log/remote/%HOSTNAME%/%timegenerated:1:10:date-rfc3339%"
:source, !isequal, "localhost" -?RemoteStore
:source, isequal, "last" ~


Now i have to send some user specific logs not all kernel logs,auth logs which are present in /var/log location,Is there any configuration need to be modified ?










share|improve this question





























    0














    I am using rsyslog server running on localhost(centos) and remote machine(ubuntu).I am able to send the logs from localhost to remote server using TCP connection and UDP connection able to see the logs in remote server.
    My localhost config :



     # rsyslog configuration file

    # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
    # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

    #### MODULES ####

    # The imjournal module bellow is now used as a message source instead of imuxsock.
    $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
    $ModLoad imjournal # provides access to the systemd journal
    #$ModLoad imklog # reads kernel messages (the same are read from journald)
    #$ModLoad immark # provides --MARK-- message capability

    # Provides UDP syslog reception
    #$ModLoad imudp
    #$UDPServerRun 514

    # Provides TCP syslog reception
    #$ModLoad imtcp
    #$InputTCPServerRun 514


    #### GLOBAL DIRECTIVES ####

    # Where to place auxiliary files
    $WorkDirectory /var/lib/rsyslog

    # Use default timestamp format
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

    # File syncing capability is disabled by default. This feature is usually not required,
    # not useful and an extreme performance hit
    #$ActionFileEnableSync on

    # Include all config files in /etc/rsyslog.d/
    $IncludeConfig /etc/rsyslog.d/*.conf

    # Turn off message reception via local log socket;
    # local messages are retrieved through imjournal now.
    $OmitLocalLogging on

    # File to store the position in the journal
    $IMJournalStateFile imjournal.state


    #### RULES ####

    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.* /dev/console

    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none;cron.none /var/log/messages

    # The authpriv file has restricted access.
    authpriv.* /var/log/secure

    # Log all the mail messages in one place.
    mail.* -/var/log/maillog


    # Log cron stuff
    cron.* /var/log/cron

    # Everybody gets emergency messages
    *.emerg :omusrmsg:*

    # Save news errors of level crit and higher in a special file.
    uucp,news.crit /var/log/spooler

    # Save boot messages also to boot.log
    local7.* /var/log/boot.log




    *.* @@192.168.122.50:514


    My remote server config:



          /etc/rsyslog.conf Configuration file for rsyslog.
    #
    # For more information see
    # /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
    #
    # Default logging rules can be found in /etc/rsyslog.d/50-default.conf


    #################
    #### MODULES ####
    #################

    $ModLoad imuxsock # provides support for local system logging
    $ModLoad imklog # provides kernel logging support
    $ModLoad imtcp
    $InputTCPServerRun 514
    $AllowedSender TCP, 192.168.0.0/8
    #$ModLoad immark # provides --MARK-- message capability
    $template TmplAuth, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"
    $template TmplMsg, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"

    authpriv.* ?TmplAuth
    *.info;mail.none;authpriv.none;cron.none ?TmplMsg

    # provides UDP syslog reception
    #$ModLoad imudp
    #$UDPServerRun 514

    # provides TCP syslog reception
    #$ModLoad imtcp
    #$InputTCPServerRun 514

    # Enable non-kernel facility klog messages
    $KLogPermitNonKernelFacility on

    ###########################
    #### GLOBAL DIRECTIVES ####
    ###########################

    #
    # Use traditional timestamp format.
    # To enable high precision timestamps, comment out the following line.
    #
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

    # Filter duplicated messages
    $RepeatedMsgReduction on

    #
    # Set the default permissions for all log files.
    #
    $FileOwner syslog
    $FileGroup adm
    $FileCreateMode 0640
    $DirCreateMode 0755
    $Umask 0022
    $PrivDropToUser syslog
    $PrivDropToGroup syslog

    #
    # Include all config files in /etc/rsyslog.d/
    #
    $IncludeConfig /etc/rsyslog.d/*.conf

    authpriv.* /var/log/secgw-siglogs;RSYSLOG_FileFormat

    $template RemoteStore, "/var/log/remote/%HOSTNAME%/%timegenerated:1:10:date-rfc3339%"
    :source, !isequal, "localhost" -?RemoteStore
    :source, isequal, "last" ~$template RemoteStore, "/var/log/remote/%HOSTNAME%/%timegenerated:1:10:date-rfc3339%"
    :source, !isequal, "localhost" -?RemoteStore
    :source, isequal, "last" ~


    Now i have to send some user specific logs not all kernel logs,auth logs which are present in /var/log location,Is there any configuration need to be modified ?










    share|improve this question



























      0












      0








      0







      I am using rsyslog server running on localhost(centos) and remote machine(ubuntu).I am able to send the logs from localhost to remote server using TCP connection and UDP connection able to see the logs in remote server.
      My localhost config :



       # rsyslog configuration file

      # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
      # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

      #### MODULES ####

      # The imjournal module bellow is now used as a message source instead of imuxsock.
      $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
      $ModLoad imjournal # provides access to the systemd journal
      #$ModLoad imklog # reads kernel messages (the same are read from journald)
      #$ModLoad immark # provides --MARK-- message capability

      # Provides UDP syslog reception
      #$ModLoad imudp
      #$UDPServerRun 514

      # Provides TCP syslog reception
      #$ModLoad imtcp
      #$InputTCPServerRun 514


      #### GLOBAL DIRECTIVES ####

      # Where to place auxiliary files
      $WorkDirectory /var/lib/rsyslog

      # Use default timestamp format
      $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

      # File syncing capability is disabled by default. This feature is usually not required,
      # not useful and an extreme performance hit
      #$ActionFileEnableSync on

      # Include all config files in /etc/rsyslog.d/
      $IncludeConfig /etc/rsyslog.d/*.conf

      # Turn off message reception via local log socket;
      # local messages are retrieved through imjournal now.
      $OmitLocalLogging on

      # File to store the position in the journal
      $IMJournalStateFile imjournal.state


      #### RULES ####

      # Log all kernel messages to the console.
      # Logging much else clutters up the screen.
      #kern.* /dev/console

      # Log anything (except mail) of level info or higher.
      # Don't log private authentication messages!
      *.info;mail.none;authpriv.none;cron.none /var/log/messages

      # The authpriv file has restricted access.
      authpriv.* /var/log/secure

      # Log all the mail messages in one place.
      mail.* -/var/log/maillog


      # Log cron stuff
      cron.* /var/log/cron

      # Everybody gets emergency messages
      *.emerg :omusrmsg:*

      # Save news errors of level crit and higher in a special file.
      uucp,news.crit /var/log/spooler

      # Save boot messages also to boot.log
      local7.* /var/log/boot.log




      *.* @@192.168.122.50:514


      My remote server config:



            /etc/rsyslog.conf Configuration file for rsyslog.
      #
      # For more information see
      # /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
      #
      # Default logging rules can be found in /etc/rsyslog.d/50-default.conf


      #################
      #### MODULES ####
      #################

      $ModLoad imuxsock # provides support for local system logging
      $ModLoad imklog # provides kernel logging support
      $ModLoad imtcp
      $InputTCPServerRun 514
      $AllowedSender TCP, 192.168.0.0/8
      #$ModLoad immark # provides --MARK-- message capability
      $template TmplAuth, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"
      $template TmplMsg, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"

      authpriv.* ?TmplAuth
      *.info;mail.none;authpriv.none;cron.none ?TmplMsg

      # provides UDP syslog reception
      #$ModLoad imudp
      #$UDPServerRun 514

      # provides TCP syslog reception
      #$ModLoad imtcp
      #$InputTCPServerRun 514

      # Enable non-kernel facility klog messages
      $KLogPermitNonKernelFacility on

      ###########################
      #### GLOBAL DIRECTIVES ####
      ###########################

      #
      # Use traditional timestamp format.
      # To enable high precision timestamps, comment out the following line.
      #
      $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

      # Filter duplicated messages
      $RepeatedMsgReduction on

      #
      # Set the default permissions for all log files.
      #
      $FileOwner syslog
      $FileGroup adm
      $FileCreateMode 0640
      $DirCreateMode 0755
      $Umask 0022
      $PrivDropToUser syslog
      $PrivDropToGroup syslog

      #
      # Include all config files in /etc/rsyslog.d/
      #
      $IncludeConfig /etc/rsyslog.d/*.conf

      authpriv.* /var/log/secgw-siglogs;RSYSLOG_FileFormat

      $template RemoteStore, "/var/log/remote/%HOSTNAME%/%timegenerated:1:10:date-rfc3339%"
      :source, !isequal, "localhost" -?RemoteStore
      :source, isequal, "last" ~$template RemoteStore, "/var/log/remote/%HOSTNAME%/%timegenerated:1:10:date-rfc3339%"
      :source, !isequal, "localhost" -?RemoteStore
      :source, isequal, "last" ~


      Now i have to send some user specific logs not all kernel logs,auth logs which are present in /var/log location,Is there any configuration need to be modified ?










      share|improve this question















      I am using rsyslog server running on localhost(centos) and remote machine(ubuntu).I am able to send the logs from localhost to remote server using TCP connection and UDP connection able to see the logs in remote server.
      My localhost config :



       # rsyslog configuration file

      # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
      # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

      #### MODULES ####

      # The imjournal module bellow is now used as a message source instead of imuxsock.
      $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
      $ModLoad imjournal # provides access to the systemd journal
      #$ModLoad imklog # reads kernel messages (the same are read from journald)
      #$ModLoad immark # provides --MARK-- message capability

      # Provides UDP syslog reception
      #$ModLoad imudp
      #$UDPServerRun 514

      # Provides TCP syslog reception
      #$ModLoad imtcp
      #$InputTCPServerRun 514


      #### GLOBAL DIRECTIVES ####

      # Where to place auxiliary files
      $WorkDirectory /var/lib/rsyslog

      # Use default timestamp format
      $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

      # File syncing capability is disabled by default. This feature is usually not required,
      # not useful and an extreme performance hit
      #$ActionFileEnableSync on

      # Include all config files in /etc/rsyslog.d/
      $IncludeConfig /etc/rsyslog.d/*.conf

      # Turn off message reception via local log socket;
      # local messages are retrieved through imjournal now.
      $OmitLocalLogging on

      # File to store the position in the journal
      $IMJournalStateFile imjournal.state


      #### RULES ####

      # Log all kernel messages to the console.
      # Logging much else clutters up the screen.
      #kern.* /dev/console

      # Log anything (except mail) of level info or higher.
      # Don't log private authentication messages!
      *.info;mail.none;authpriv.none;cron.none /var/log/messages

      # The authpriv file has restricted access.
      authpriv.* /var/log/secure

      # Log all the mail messages in one place.
      mail.* -/var/log/maillog


      # Log cron stuff
      cron.* /var/log/cron

      # Everybody gets emergency messages
      *.emerg :omusrmsg:*

      # Save news errors of level crit and higher in a special file.
      uucp,news.crit /var/log/spooler

      # Save boot messages also to boot.log
      local7.* /var/log/boot.log




      *.* @@192.168.122.50:514


      My remote server config:



            /etc/rsyslog.conf Configuration file for rsyslog.
      #
      # For more information see
      # /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
      #
      # Default logging rules can be found in /etc/rsyslog.d/50-default.conf


      #################
      #### MODULES ####
      #################

      $ModLoad imuxsock # provides support for local system logging
      $ModLoad imklog # provides kernel logging support
      $ModLoad imtcp
      $InputTCPServerRun 514
      $AllowedSender TCP, 192.168.0.0/8
      #$ModLoad immark # provides --MARK-- message capability
      $template TmplAuth, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"
      $template TmplMsg, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"

      authpriv.* ?TmplAuth
      *.info;mail.none;authpriv.none;cron.none ?TmplMsg

      # provides UDP syslog reception
      #$ModLoad imudp
      #$UDPServerRun 514

      # provides TCP syslog reception
      #$ModLoad imtcp
      #$InputTCPServerRun 514

      # Enable non-kernel facility klog messages
      $KLogPermitNonKernelFacility on

      ###########################
      #### GLOBAL DIRECTIVES ####
      ###########################

      #
      # Use traditional timestamp format.
      # To enable high precision timestamps, comment out the following line.
      #
      $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

      # Filter duplicated messages
      $RepeatedMsgReduction on

      #
      # Set the default permissions for all log files.
      #
      $FileOwner syslog
      $FileGroup adm
      $FileCreateMode 0640
      $DirCreateMode 0755
      $Umask 0022
      $PrivDropToUser syslog
      $PrivDropToGroup syslog

      #
      # Include all config files in /etc/rsyslog.d/
      #
      $IncludeConfig /etc/rsyslog.d/*.conf

      authpriv.* /var/log/secgw-siglogs;RSYSLOG_FileFormat

      $template RemoteStore, "/var/log/remote/%HOSTNAME%/%timegenerated:1:10:date-rfc3339%"
      :source, !isequal, "localhost" -?RemoteStore
      :source, isequal, "last" ~$template RemoteStore, "/var/log/remote/%HOSTNAME%/%timegenerated:1:10:date-rfc3339%"
      :source, !isequal, "localhost" -?RemoteStore
      :source, isequal, "last" ~


      Now i have to send some user specific logs not all kernel logs,auth logs which are present in /var/log location,Is there any configuration need to be modified ?







      linux syslog rsyslog






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 21 '18 at 4:51

























      asked Nov 19 '18 at 13:48









      rohit

      146




      146
























          0






          active

          oldest

          votes











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53376030%2fsending-user-specific-logs-from-one-host-to-other-using-rsyslog%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53376030%2fsending-user-specific-logs-from-one-host-to-other-using-rsyslog%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          'app-layout' is not a known element: how to share Component with different Modules

          android studio warns about leanback feature tag usage required on manifest while using Unity exported app?

          WPF add header to Image with URL pettitions [duplicate]