Rsyslog has a pretty good configuration system which allows you to create logs in many different ways. Check the online docs.
Specifically you may want to check out the configuration samples. This recipe may be close to what you want.
https://web.archive.org/web/20180328151406/http://wiki.rsyslog.com/index.php/Sysklogd_drop-in_with_remote_logs_separated_by_dynamic_directory
Sysklogd drop-in with remote logs separated by dynamic directory
This configuration will use expression-based filters to mirror an existing sysklogd configuration and will additionally listen over the network and separate logs from remote hosts by using dynamically-created directories, while maintaining the same default sysklogd-style facility and priority filters in the remote directories.
Tested with 3.15.0-development.
Some users report that $source resolves to the system name, not localhost, so $source == 'localhost' always failed. One option is to change the test to if $fromhost-ip == '127.0.0.1' ... (and !=).
$ModLoad imuxsock.so
$ModLoad imklog.so
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
#*.info;mail.none;authpriv.none;cron.none /var/log/messages
if \
$source == 'localhost' \
and \
$syslogseverity <= '6' \
and ( \
$syslogfacility-text != 'mail' \
and \
$syslogfacility-text != 'authpriv' \
and \
$syslogfacility-text != 'cron' \
) \
then /var/log/messages
# The authpriv file has restricted access.
#authpriv.* /var/log/secure
if \
$source == 'localhost' \
and \
$syslogfacility-text == 'authpriv' \
then /var/log/secure
# Log all the mail messages in one place.
#mail.* -/var/log/maillog
if \
$source == 'localhost' \
and \
$syslogfacility-text == 'mail' \
then -/var/log/maillog
# Log cron stuff
#cron.* /var/log/cron
if \
$source == 'localhost' \
and \
$syslogfacility-text == 'cron' \
then /var/log/cron
# Everybody gets emergency messages
#*.emerg *
if \
$source == 'localhost' \
and \
$syslogseverity-text == 'emerg' \
then *
# Save news errors of level crit and higher in a special file.
#uucp,news.crit /var/log/spooler
if \
$source == 'localhost' \
and \
(\
$syslogfacility-text == 'uucp' \
or \
$syslogfacility-text == 'news' \
)\
and \
$syslogseverity <= '2' \
then /var/log/spooler
# Save boot messages also to boot.log
#local7.* /var/log/boot.log
if \
$source == 'localhost' \
and \
$syslogfacility-text == 'local7' \
then /var/log/boot.log
# Remote logging
$ModLoad imudp
$UDPServerAddress 0.0.0.0
$UDPServerRun 514
$template DYNmessages,"/var/log/%HOSTNAME%/messages"
$template DYNsecure,"/var/log/%HOSTNAME%/secure"
$template DYNmaillog,"/var/log/%HOSTNAME%/maillog"
$template DYNcron,"/var/log/%HOSTNAME%/cron"
$template DYNspooler,"/var/log/%HOSTNAME%/spooler"
$template DYNboot,"/var/log/%HOSTNAME%/boot.log"
if \
$source != 'localhost' \
and \
$syslogseverity <= '6' \
and ( \
$syslogfacility-text != 'mail' \
and \
$syslogfacility-text != 'authpriv' \
and \
$syslogfacility-text != 'cron' \
) \
then ?DYNmessages
if \
$source != 'localhost' \
and \
$syslogfacility-text == 'authpriv' \
then ?DYNsecure
if \
$source != 'localhost' \
and \
$syslogfacility-text == 'mail' \
then -?DYNmaillog
if \
$source != 'localhost' \
and \
$syslogfacility-text == 'cron' \
then ?DYNcron
if \
$source != 'localhost' \
and \
(\
$syslogfacility-text == 'uucp' \
or \
$syslogfacility-text == 'news' \
)\
and \
$syslogseverity <= '2' \
then ?DYNspooler
if \
$source != 'localhost' \
and \
$syslogfacility-text == 'local7' \
then ?DYNboot
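
The $fromhost-ip substitution mentioned in the note, applied to the messages and authpriv rules, as an added example that is not part of the quoted recipe. It also names the remote directory after %fromhost-ip% instead of %HOSTNAME%, because %HOSTNAME% is read from the message itself and UDP syslog does not authenticate senders; the template names DYNmessagesIP and DYNsecureIP are made up for this example.

```conf
# Added example, not from the quoted recipe. Assumes the modules and the
# UDP listener from the recipe are already loaded.
# DYNmessagesIP / DYNsecureIP are hypothetical template names.

# Directory is named after the address rsyslog received the packet from,
# not after the hostname field carried inside the message.
$template DYNmessagesIP,"/var/log/%fromhost-ip%/messages"
$template DYNsecureIP,"/var/log/%fromhost-ip%/secure"

# Local authpriv: match on the receiving address instead of $source.
if \
    $fromhost-ip == '127.0.0.1' \
    and \
    $syslogfacility-text == 'authpriv' \
then /var/log/secure

# Remote authpriv: same test inverted, written to the per-sender directory.
if \
    $fromhost-ip != '127.0.0.1' \
    and \
    $syslogfacility-text == 'authpriv' \
then ?DYNsecureIP

# Remote info-or-higher, excluding mail, authpriv and cron.
if \
    $fromhost-ip != '127.0.0.1' \
    and \
    $syslogseverity <= '6' \
    and ( \
        $syslogfacility-text != 'mail' \
        and \
        $syslogfacility-text != 'authpriv' \
        and \
        $syslogfacility-text != 'cron' \
    ) \
then ?DYNmessagesIP
```

The remaining rules follow the same substitution. If messages arrive through a relay, %fromhost-ip% is the relay's address, so all hosts behind that relay share one directory.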