The Ask
Syslog does not support remote logging with individual logs on per host basis. How can remote logging with individual logs on a per-host basis be configured with rsyslog?
How can remote logging be enabled with separate logs for each remote host (system-hostname.log) with date (system-hostname-date.log)?
The Answer
Follow the steps outlined below to install and configure the rsyslog server to log individual logs on a per-host basis. There are various ways that are described below to organize the log files for each host. You may use any one or combine more than one ways as per your requirement.
If rsyslog is not installed then install it using the following:
# yum install rsyslog
For RHEL 6
Separate log file for each host
To configure rsyslog to generate a separate log file for each host, specify the below in /etc/rsyslog.conf:
# vi /etc/rsyslog.conf $template DynFile,"/var/log/system-%HOSTNAME%.log" *.* -?DynFile & ~
Separate log file for each host along with date of creation (year-month-day)
To configure rsyslog to generate a separate log file for each host along with date of creation (year-month-day), modify the template to as shown below:
# vi /etc/rsyslog.conf $template DynFile,"/var/log/syslog/system-%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%-messages.log" *.* -?DynFile & ~
Prevent rsyslog server itself logging in to a single file
To configure rsyslog to generate a separate log file for each host and prevent rsyslog server itself logging in to a single file, modify the template as shown below:
# vi /etc/rsyslog.conf $template DynFile,"/var/log/syslog/system-%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%-messages.log" :fromhost-ip,!isequal,"127.0.0.1" -?DynFile & ~
generate a separate folder for each host
Configure rsyslog to generate a separate folder for each host :
# vi /etc/rsyslog.conf $template DynFile,"/var/log/syslog/system-%HOSTNAME%/messages.log" *.* -?DynFile & ~
Once you have confirmed the changes to the /etc/rsyslog.conf file, restart rsyslog service.
# service rsyslog restart
For RHEL 7
You can also specify the rules in a separate file /etc/rsyslog.d/from_remote.conf:
# vi /etc/rsyslog.d/from_remote.conf
template(name="DynFile" type="string" string="/var/log/remote/system-%FROMHOST-IP%.log")
ruleset(name="RemoteMachine"){ action(type="omfile" dynaFile="DynFile") }
module(load="imudp")
input(type="imudp" port="514" ruleset="RemoteMachine")
module(load="imtcp")
input(type="imtcp" port="514" ruleset="RemoteMachine")
Restart/reload rsyslog service once you are done with the changes:
# systemctl restart rsyslog