We can do a lot of things with rsyslog, but it is quite difficult to find the right options to achieve our goals, and templates in rsyslog are a little confusing. Here I have collected the useful commands and tips I have used so far.
Option 1
If you want to log messages containing a specific string (an IP address, a MAC address, etc.), you can use the option below:
:msg, contains, "172.71.12.19" /var/log/userip.log
This option logs all messages containing the string "172.71.12.19" to userip.log.
Option 2
Before I go to option 2, I want to explain a few concepts for better understanding.
In syslog, we configure where logs are sent using facility.severity, where facility is the name of the (let's call it) "component" of the system, such as kernel, authentication, and so on; and severity is the "level" of each of the logs logged by a facility, such as info (informational) or crit (critical) logs.
So, if I want to send kernel critical logs, I'll use kern.crit. The combination of facility and severity is known as the priority, for example:
- priority = kern.crit
- facility = kern
- severity = crit
The facilities local0 to local7 are "custom" unused facilities that syslog provides for the user. If a developer creates an application and wants to make it log to syslog, or if you want to redirect the output of anything to syslog (for example, Apache logs), you can choose to send it to any of the local# facilities. Then, you can use /etc/syslog.conf (or /etc/rsyslog.conf) to save the logs being sent to that local# facility to a file, or to send them to a remote server.
Suppose you have a configuration in syslog to log all the daemons using the local0 facility:
local0.* /var/log/messages.log
If you want to keep a specific daemon's (snort's) logs out of messages.log and log them in a separate file instead, then we need to use option 2:
:msg, contains, "snort" -/var/log/messages
& ~
The first line uses a property-based filter to check whether the string "snort" is contained in the MSG part of the syslog message. If so, the message is written to /var/log/messages (the leading "-" tells rsyslog not to sync the file after every write). The "&" on the next line reuses the same filter, and the "~" action discards the message so that no later rule sees it. Because rsyslog evaluates rules in order, these two lines must appear before the local0.* line; otherwise the snort messages have already been written to messages.log by the time they are discarded.
Symbol "~" denotes discarding the message (newer rsyslog versions also accept the "stop" action for this).
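To show how rsyslog walks these legacy rules in order, here is a small Python simulation of the facility.severity selectors, the ":msg, contains" property filter and the "& ~" discard used above; it is an added example, not code from the original post or from rsyslog itself, and the rule list, the extra file name /var/log/kern-crit.log and the log lines are constructed for illustration.

```python
import re

# RFC 3164 facility and severity names in numeric order: PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_pri(line):
    """Split '<134>text' into (facility, severity, msg); 134 = local0 (16*8) + info (6)."""
    m = re.match(r"<(\d{1,3})>(.*)", line, re.S)
    if not m:                                     # no PRI header: syslog assumes user.notice
        return "user", "notice", line
    pri, msg = int(m.group(1)), m.group(2)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], msg

def selector_matches(selector, facility, severity):
    """Legacy 'facility.severity' selector: the severity means 'this level or worse'."""
    fac, sev = selector.split(".")
    if fac not in ("*", facility):
        return False
    return sev == "*" or SEVERITIES.index(severity) <= SEVERITIES.index(sev)

def route(rules, line):
    """Return the files the message is written to, walking the rules in order."""
    facility, severity, msg = parse_pri(line)
    targets, last_hit = [], False
    for rule in rules:
        if rule.startswith("&"):                  # '&' reuses the previous line's filter
            hit, action = last_hit, rule[1:].strip()
        elif rule.startswith(":msg, contains,"):  # property-based filter on the MSG part
            needle = re.search(r'"([^"]*)"', rule).group(1)
            hit, action = needle in msg, rule.split('"', 2)[2].strip()
        else:                                     # classic facility.severity selector
            selector, action = rule.split(None, 1)
            hit = selector_matches(selector, facility, severity)
        last_hit = hit
        if hit and action == "~":                 # discard: stop processing this message
            break
        if hit:
            targets.append(action.lstrip("-"))    # a leading '-' only disables fsync
    return targets

# Constructed rule set from the post; the snort filter and '& ~' come before the catch-all.
RULES = [
    ':msg, contains, "snort" -/var/log/messages',
    '& ~',
    ':msg, contains, "172.71.12.19" /var/log/userip.log',
    'local0.* /var/log/messages.log',
    'kern.crit /var/log/kern-crit.log',
]
```

Reordering the list so that the local0.* line comes first shows the ordering pitfall: the snort message then lands in both files instead of only /var/log/messages.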