For a few days now I have been trying to set up a log server using rsyslog.
The server and the clients are based on Debian stable.
I want the server's local logs to be written to the /var/log directory as usual.
Logs coming from the client machines, on the other hand, should end up in /mnt/LOGS/HOSTNAME/*
I managed the basic configuration. However, I need help with the rules. Currently all logs from the workstations also show up in /var/log, and the local logs show up in /mnt/LOGS.
My configuration file /etc/rsyslog.conf:
#################
#### MODULES ###
#################

# provides support for local system logging
$ModLoad imuxsock

# provides kernel logging support (previously done by rklogd)
$ModLoad imklog

# provides UDP syslog reception. For TCP, load imtcp.
$ModLoad imudp

# For TCP, InputServerRun 514
$UDPServerRun 514

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

# Do not show "repeated last line n times" logs
$RepeatedMsgReduction off

###############
#### RULES ####
###############

#### LOCAL ####

# Local Logging
#$RuleSet local
#kern.* /var/log/messages
# *.info;mail.none;authpriv.none;cron.none /var/log/messages
# authpriv.* /var/log/secure
# mail.* -/var/log/maillog
# cron.* /var/log/cron
# *.emerg *
# uucp,news.crit /var/log/spooler
# local7.* /var/log/boot.log
# use the local RuleSet as default if not specified otherwise


#$DefaultRuleset local

#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none,local0 -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log

#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err

#
# Logging for INN news system.
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice

#
# Some "catch-all" log files.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg *

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.err;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole

#####################################################
# Log everything to a per host daily logfile #
$template DailyPerHostLogs,"/mnt/LOGS/syslog/%HOSTNAME%.%$YEAR%-%$MONTH%-%$DAY%.log"
*.* -?DailyPerHostLogs;TraditionalFormat
EDIT:
Thanks to this fragment:
# Log remote hosts to separate log file
$template PerHostLog,"/mnt/LOGS/syslog/%HOSTNAME%/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log"
$template RemoteHostFileFormat,"%TIMESTAMP% %HOSTNAME% %syslogfacility-text% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::space-cc,drop-last-lf%\n"
:inputname, isequal, "imudp" ?PerHostLog;RemoteHostFileFormat
& ~
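
One way to get the local/remote separation described in the post, shown as an added example that is not part of the original post or the poster's configuration: bind the UDP listener to its own ruleset so that network messages never reach the /var/log rules. It assumes rsyslog 7 or later (RainerScript syntax); the names `remote` and `PerHostFile` are made up for the example.

```conf
# Added example, not the poster's config. Assumes rsyslog 7 or later.
# The ruleset name "remote" and template name "PerHostFile" are illustrative.

module(load="imuxsock")   # local system logging
module(load="imklog")     # kernel logging
module(load="imudp")      # UDP syslog reception

# Per-host path under /mnt/LOGS. HOSTNAME is taken from the received
# message, so secpath-replace turns any "/" in it into "_" before the
# value is used as part of a file path.
template(name="PerHostFile" type="string"
         string="/mnt/LOGS/%HOSTNAME:::secpath-replace%/%$YEAR%-%$MONTH%-%$DAY%.log")

# Rules for remote messages only. Nothing in here writes to /var/log.
ruleset(name="remote") {
    action(type="omfile" dynaFile="PerHostFile"
           fileOwner="root" fileGroup="adm"
           fileCreateMode="0640" dirCreateMode="0755")
}

# Bind the UDP listener to that ruleset. Messages received on port 514
# are processed by "remote" and never enter the default ruleset below.
input(type="imudp" port="514" ruleset="remote")

# Default ruleset: only local messages (imuxsock, imklog) arrive here,
# so these files contain nothing from the clients.
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
kern.*                          -/var/log/kern.log
```

Because the split is made at the input rather than by a filter, it does not depend on where the rules sit in the file; `rsyslogd -N1` checks the syntax before the service is restarted.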