Sending user specific logs from one host to other using rsyslog

I am using rsyslog server running on localhost(centos) and remote machine(ubuntu).I am able to send the logs from localhost to remote server using TCP connection and UDP connection able to see the logs in remote server.
My localhost config :

 # rsyslog configuration file



# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html

# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html



#### MODULES ####



# The imjournal module bellow is now used as a message source instead of imuxsock.

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)

$ModLoad imjournal # provides access to the systemd journal

#$ModLoad imklog # reads kernel messages (the same are read from journald)

#$ModLoad immark  # provides --MARK-- message capability



# Provides UDP syslog reception

#$ModLoad imudp

#$UDPServerRun 514



# Provides TCP syslog reception

#$ModLoad imtcp

#$InputTCPServerRun 514





#### GLOBAL DIRECTIVES ####



# Where to place auxiliary files

$WorkDirectory /var/lib/rsyslog



# Use default timestamp format

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat



# File syncing capability is disabled by default. This feature is usually not required,

# not useful and an extreme performance hit

#$ActionFileEnableSync on



# Include all config files in /etc/rsyslog.d/

$IncludeConfig /etc/rsyslog.d/*.conf



# Turn off message reception via local log socket;

# local messages are retrieved through imjournal now.

$OmitLocalLogging on



# File to store the position in the journal

$IMJournalStateFile imjournal.state





#### RULES ####



# Log all kernel messages to the console.

# Logging much else clutters up the screen.

#kern.*                                                 /dev/console



# Log anything (except mail) of level info or higher.

# Don't log private authentication messages!

*.info;mail.none;authpriv.none;cron.none                /var/log/messages



# The authpriv file has restricted access.

authpriv.*                                              /var/log/secure



# Log all the mail messages in one place.

mail.*                                                  -/var/log/maillog





# Log cron stuff

cron.*                                                  /var/log/cron



# Everybody gets emergency messages

*.emerg                                                 :omusrmsg:*



# Save news errors of level crit and higher in a special file.

uucp,news.crit                                          /var/log/spooler



# Save boot messages also to boot.log

local7.*                                                /var/log/boot.log









*.* @@192.168.122.50:514

My remote server config:

      /etc/rsyslog.conf Configuration file for rsyslog.

#

#           For more information see

#           /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html

#

#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf





#################

#### MODULES ####

#################



$ModLoad imuxsock # provides support for local system logging

$ModLoad imklog   # provides kernel logging support

$ModLoad imtcp

$InputTCPServerRun 514

$AllowedSender TCP, 192.168.0.0/8

#$ModLoad immark  # provides --MARK-- message capability

$template TmplAuth, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"

$template TmplMsg, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"



authpriv.* ?TmplAuth

*.info;mail.none;authpriv.none;cron.none ?TmplMsg



# provides UDP syslog reception

#$ModLoad imudp

#$UDPServerRun 514



# provides TCP syslog reception

#$ModLoad imtcp

#$InputTCPServerRun 514



# Enable non-kernel facility klog messages

$KLogPermitNonKernelFacility on



###########################

#### GLOBAL DIRECTIVES ####

###########################



#

# Use traditional timestamp format.

# To enable high precision timestamps, comment out the following line.

#

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat



# Filter duplicated messages

$RepeatedMsgReduction on



#

# Set the default permissions for all log files.

#

$FileOwner syslog

$FileGroup adm

$FileCreateMode 0640

$DirCreateMode 0755

$Umask 0022

$PrivDropToUser syslog

$PrivDropToGroup syslog



#

# Include all config files in /etc/rsyslog.d/

#

$IncludeConfig /etc/rsyslog.d/*.conf



authpriv.*                            /var/log/secgw-siglogs;RSYSLOG_FileFormat



$template RemoteStore, "/var/log/remote/%HOSTNAME%/%timegenerated:1:10:date-rfc3339%"

:source, !isequal, "localhost" -?RemoteStore

:source, isequal, "last" ~$template RemoteStore, "/var/log/remote/%HOSTNAME%/%timegenerated:1:10:date-rfc3339%"

:source, !isequal, "localhost" -?RemoteStore

:source, isequal, "last" ~

Now i have to send some user specific logs not all kernel logs,auth logs which are present in /var/log location,Is there any configuration need to be modified ?

edited Nov 21 '18 at 4:51

asked Nov 19 '18 at 13:48

rohit

146

add a comment |

 # rsyslog configuration file



# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html

# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html



#### MODULES ####



# The imjournal module bellow is now used as a message source instead of imuxsock.

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)

$ModLoad imjournal # provides access to the systemd journal

#$ModLoad imklog # reads kernel messages (the same are read from journald)

#$ModLoad immark  # provides --MARK-- message capability



# Provides UDP syslog reception

#$ModLoad imudp

#$UDPServerRun 514



# Provides TCP syslog reception

#$ModLoad imtcp

#$InputTCPServerRun 514





#### GLOBAL DIRECTIVES ####



# Where to place auxiliary files

$WorkDirectory /var/lib/rsyslog



# Use default timestamp format

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat



# File syncing capability is disabled by default. This feature is usually not required,

# not useful and an extreme performance hit

#$ActionFileEnableSync on



# Include all config files in /etc/rsyslog.d/

$IncludeConfig /etc/rsyslog.d/*.conf



# Turn off message reception via local log socket;

# local messages are retrieved through imjournal now.

$OmitLocalLogging on



# File to store the position in the journal

$IMJournalStateFile imjournal.state





#### RULES ####



# Log all kernel messages to the console.

# Logging much else clutters up the screen.

#kern.*                                                 /dev/console



# Log anything (except mail) of level info or higher.

# Don't log private authentication messages!

*.info;mail.none;authpriv.none;cron.none                /var/log/messages



# The authpriv file has restricted access.

authpriv.*                                              /var/log/secure



# Log all the mail messages in one place.

mail.*                                                  -/var/log/maillog





# Log cron stuff

cron.*                                                  /var/log/cron



# Everybody gets emergency messages

*.emerg                                                 :omusrmsg:*



# Save news errors of level crit and higher in a special file.

uucp,news.crit                                          /var/log/spooler



# Save boot messages also to boot.log

local7.*                                                /var/log/boot.log









*.* @@192.168.122.50:514

My remote server config:

      /etc/rsyslog.conf Configuration file for rsyslog.

#

#           For more information see

#           /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html

#

#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf





#################

#### MODULES ####

#################



$ModLoad imuxsock # provides support for local system logging

$ModLoad imklog   # provides kernel logging support

$ModLoad imtcp

$InputTCPServerRun 514

$AllowedSender TCP, 192.168.0.0/8

#$ModLoad immark  # provides --MARK-- message capability

$template TmplAuth, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"

$template TmplMsg, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"



authpriv.* ?TmplAuth

*.info;mail.none;authpriv.none;cron.none ?TmplMsg



# provides UDP syslog reception

#$ModLoad imudp

#$UDPServerRun 514



# provides TCP syslog reception

#$ModLoad imtcp

#$InputTCPServerRun 514



# Enable non-kernel facility klog messages

$KLogPermitNonKernelFacility on



###########################

#### GLOBAL DIRECTIVES ####

###########################



#

# Use traditional timestamp format.

# To enable high precision timestamps, comment out the following line.

#

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat



# Filter duplicated messages

$RepeatedMsgReduction on



#

# Set the default permissions for all log files.

#

$FileOwner syslog

$FileGroup adm

$FileCreateMode 0640

$DirCreateMode 0755

$Umask 0022

$PrivDropToUser syslog

$PrivDropToGroup syslog



#

# Include all config files in /etc/rsyslog.d/

#

$IncludeConfig /etc/rsyslog.d/*.conf



authpriv.*                            /var/log/secgw-siglogs;RSYSLOG_FileFormat



$template RemoteStore, "/var/log/remote/%HOSTNAME%/%timegenerated:1:10:date-rfc3339%"

:source, !isequal, "localhost" -?RemoteStore

:source, isequal, "last" ~$template RemoteStore, "/var/log/remote/%HOSTNAME%/%timegenerated:1:10:date-rfc3339%"

:source, !isequal, "localhost" -?RemoteStore

:source, isequal, "last" ~

Now i have to send some user specific logs not all kernel logs,auth logs which are present in /var/log location,Is there any configuration need to be modified ?

edited Nov 21 '18 at 4:51

asked Nov 19 '18 at 13:48

rohit

146

add a comment |

 # rsyslog configuration file



# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html

# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html



#### MODULES ####



# The imjournal module bellow is now used as a message source instead of imuxsock.

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)

$ModLoad imjournal # provides access to the systemd journal

#$ModLoad imklog # reads kernel messages (the same are read from journald)

#$ModLoad immark  # provides --MARK-- message capability



# Provides UDP syslog reception

#$ModLoad imudp

#$UDPServerRun 514



# Provides TCP syslog reception

#$ModLoad imtcp

#$InputTCPServerRun 514





#### GLOBAL DIRECTIVES ####



# Where to place auxiliary files

$WorkDirectory /var/lib/rsyslog



# Use default timestamp format

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat



# File syncing capability is disabled by default. This feature is usually not required,

# not useful and an extreme performance hit

#$ActionFileEnableSync on



# Include all config files in /etc/rsyslog.d/

$IncludeConfig /etc/rsyslog.d/*.conf



# Turn off message reception via local log socket;

# local messages are retrieved through imjournal now.

$OmitLocalLogging on



# File to store the position in the journal

$IMJournalStateFile imjournal.state





#### RULES ####



# Log all kernel messages to the console.

# Logging much else clutters up the screen.

#kern.*                                                 /dev/console



# Log anything (except mail) of level info or higher.

# Don't log private authentication messages!

*.info;mail.none;authpriv.none;cron.none                /var/log/messages



# The authpriv file has restricted access.

authpriv.*                                              /var/log/secure



# Log all the mail messages in one place.

mail.*                                                  -/var/log/maillog





# Log cron stuff

cron.*                                                  /var/log/cron



# Everybody gets emergency messages

*.emerg                                                 :omusrmsg:*



# Save news errors of level crit and higher in a special file.

uucp,news.crit                                          /var/log/spooler



# Save boot messages also to boot.log

local7.*                                                /var/log/boot.log









*.* @@192.168.122.50:514

My remote server config:

      /etc/rsyslog.conf Configuration file for rsyslog.

#

#           For more information see

#           /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html

#

#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf





#################

#### MODULES ####

#################



$ModLoad imuxsock # provides support for local system logging

$ModLoad imklog   # provides kernel logging support

$ModLoad imtcp

$InputTCPServerRun 514

$AllowedSender TCP, 192.168.0.0/8

#$ModLoad immark  # provides --MARK-- message capability

$template TmplAuth, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"

$template TmplMsg, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"



authpriv.* ?TmplAuth

*.info;mail.none;authpriv.none;cron.none ?TmplMsg



# provides UDP syslog reception

#$ModLoad imudp

#$UDPServerRun 514



# provides TCP syslog reception

#$ModLoad imtcp

#$InputTCPServerRun 514



# Enable non-kernel facility klog messages

$KLogPermitNonKernelFacility on



###########################

#### GLOBAL DIRECTIVES ####

###########################



#

# Use traditional timestamp format.

# To enable high precision timestamps, comment out the following line.

#

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat



# Filter duplicated messages

$RepeatedMsgReduction on



#

# Set the default permissions for all log files.

#

$FileOwner syslog

$FileGroup adm

$FileCreateMode 0640

$DirCreateMode 0755

$Umask 0022

$PrivDropToUser syslog

$PrivDropToGroup syslog



#

# Include all config files in /etc/rsyslog.d/

#

$IncludeConfig /etc/rsyslog.d/*.conf



authpriv.*                            /var/log/secgw-siglogs;RSYSLOG_FileFormat



$template RemoteStore, "/var/log/remote/%HOSTNAME%/%timegenerated:1:10:date-rfc3339%"

:source, !isequal, "localhost" -?RemoteStore

:source, isequal, "last" ~$template RemoteStore, "/var/log/remote/%HOSTNAME%/%timegenerated:1:10:date-rfc3339%"

:source, !isequal, "localhost" -?RemoteStore

:source, isequal, "last" ~

Now i have to send some user specific logs not all kernel logs,auth logs which are present in /var/log location,Is there any configuration need to be modified ?

edited Nov 21 '18 at 4:51

asked Nov 19 '18 at 13:48

rohit

146

 # rsyslog configuration file



# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html

# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html



#### MODULES ####



# The imjournal module bellow is now used as a message source instead of imuxsock.

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)

$ModLoad imjournal # provides access to the systemd journal

#$ModLoad imklog # reads kernel messages (the same are read from journald)

#$ModLoad immark  # provides --MARK-- message capability



# Provides UDP syslog reception

#$ModLoad imudp

#$UDPServerRun 514



# Provides TCP syslog reception

#$ModLoad imtcp

#$InputTCPServerRun 514





#### GLOBAL DIRECTIVES ####



# Where to place auxiliary files

$WorkDirectory /var/lib/rsyslog



# Use default timestamp format

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat



# File syncing capability is disabled by default. This feature is usually not required,

# not useful and an extreme performance hit

#$ActionFileEnableSync on



# Include all config files in /etc/rsyslog.d/

$IncludeConfig /etc/rsyslog.d/*.conf



# Turn off message reception via local log socket;

# local messages are retrieved through imjournal now.

$OmitLocalLogging on



# File to store the position in the journal

$IMJournalStateFile imjournal.state





#### RULES ####



# Log all kernel messages to the console.

# Logging much else clutters up the screen.

#kern.*                                                 /dev/console



# Log anything (except mail) of level info or higher.

# Don't log private authentication messages!

*.info;mail.none;authpriv.none;cron.none                /var/log/messages



# The authpriv file has restricted access.

authpriv.*                                              /var/log/secure



# Log all the mail messages in one place.

mail.*                                                  -/var/log/maillog





# Log cron stuff

cron.*                                                  /var/log/cron



# Everybody gets emergency messages

*.emerg                                                 :omusrmsg:*



# Save news errors of level crit and higher in a special file.

uucp,news.crit                                          /var/log/spooler



# Save boot messages also to boot.log

local7.*                                                /var/log/boot.log









*.* @@192.168.122.50:514

My remote server config:

      /etc/rsyslog.conf Configuration file for rsyslog.

#

#           For more information see

#           /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html

#

#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf





#################

#### MODULES ####

#################



$ModLoad imuxsock # provides support for local system logging

$ModLoad imklog   # provides kernel logging support

$ModLoad imtcp

$InputTCPServerRun 514

$AllowedSender TCP, 192.168.0.0/8

#$ModLoad immark  # provides --MARK-- message capability

$template TmplAuth, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"

$template TmplMsg, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"



authpriv.* ?TmplAuth

*.info;mail.none;authpriv.none;cron.none ?TmplMsg



# provides UDP syslog reception

#$ModLoad imudp

#$UDPServerRun 514



# provides TCP syslog reception

#$ModLoad imtcp

#$InputTCPServerRun 514



# Enable non-kernel facility klog messages

$KLogPermitNonKernelFacility on



###########################

#### GLOBAL DIRECTIVES ####

###########################



#

# Use traditional timestamp format.

# To enable high precision timestamps, comment out the following line.

#

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat



# Filter duplicated messages

$RepeatedMsgReduction on



#

# Set the default permissions for all log files.

#

$FileOwner syslog

$FileGroup adm

$FileCreateMode 0640

$DirCreateMode 0755

$Umask 0022

$PrivDropToUser syslog

$PrivDropToGroup syslog



#

# Include all config files in /etc/rsyslog.d/

#

$IncludeConfig /etc/rsyslog.d/*.conf



authpriv.*                            /var/log/secgw-siglogs;RSYSLOG_FileFormat



$template RemoteStore, "/var/log/remote/%HOSTNAME%/%timegenerated:1:10:date-rfc3339%"

:source, !isequal, "localhost" -?RemoteStore

:source, isequal, "last" ~$template RemoteStore, "/var/log/remote/%HOSTNAME%/%timegenerated:1:10:date-rfc3339%"

:source, !isequal, "localhost" -?RemoteStore

:source, isequal, "last" ~

Now i have to send some user specific logs not all kernel logs,auth logs which are present in /var/log location,Is there any configuration need to be modified ?

linux syslog rsyslog

edited Nov 21 '18 at 4:51

asked Nov 19 '18 at 13:48

rohit

146

edited Nov 21 '18 at 4:51

asked Nov 19 '18 at 13:48

rohit

146

edited Nov 21 '18 at 4:51

asked Nov 19 '18 at 13:48

rohit

146

asked Nov 19 '18 at 13:48

rohit

146

asked Nov 19 '18 at 13:48

rohit

146

add a comment |

0

active

oldest

votes

Your Answer

StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});

}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53376030%2fsending-user-specific-logs-from-one-host-to-other-using-rsyslog%23new-answer', 'question_page');
}
);

Post as a guest

Name

Required, but never shown

0

active

oldest

votes

0

active

oldest

votes

draft saved

draft discarded

Thanks for contributing an answer to Stack Overflow!

Please be sure to answer the question. Provide details and share your research!

But avoid …

Asking for help, clarification, or responding to other answers.

Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

Some of your past answers have not been well-received, and you're in danger of being blocked from answering.

Please pay close attention to the following guidance:

Please be sure to answer the question. Provide details and share your research!

But avoid …

Asking for help, clarification, or responding to other answers.

Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Name

Required, but never shown

Name

Required, but never shown

This page is only for reference, If you need detailed information, please check here

Search This Blog

Ufyukyu