Rsyslog multiple topics in multiple files

Hello All,

I wish to log my webproxy logs, dhcp logs, dns logs and hotspot logs into 4 respective files. Currently I log the specific topic I need to rsyslog using the following expression:
:fromhost-ip,isequal,"[MikrotikIP]" /var/log/Mikrotik.log

With the above I get the topics logged into one Mikrotik.log file.

I want rsyslog to throw the logs to:
/var/log/Webproxy.log
/var/log/Dns.log
/var/log/Hotspot.log
/var/log/Dhcp.log

I am no rsyslog expert, any advice on that will be really helpful.

First of all - tune your Mikrotik to be able to forward the logs to the remote syslog server (check Mikrotik’s firewall as well).

At the syslog side (in my case it was Ubuntu 16.04 with rsyslog 8.x) set up rsyslog to be able to accept the remote events. Add/uncomment at rsyslog.conf:

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

Also, add the sorting rules to /etc/rsyslog.d/10-remotes.conf:
# Templates
$template RemoteHost-all,     "/var/log/remote/all-%HOSTNAME%.log"
$template RemoteHost-account, "/var/log/remote/account-%HOSTNAME%.log"
$template RemoteHost-bgp,     "/var/log/remote/bgp-%HOSTNAME%.log"
$template RemoteHost-dns,     "/var/log/remote/dns-%HOSTNAME%.log"
$template RemoteHost-dhcp,    "/var/log/remote/dhcp-%HOSTNAME%.log"
$template RemoteHost-hotspot, "/var/log/remote/hotspot-%HOSTNAME%.log"
$template RemoteHost-ospf,    "/var/log/remote/ospf-%HOSTNAME%.log"
$template RemoteHost-radius,  "/var/log/remote/radius-%HOSTNAME%.log"
$template RemoteHost-script,  "/var/log/remote/script-%HOSTNAME%.log"
$template RemoteHost-system,  "/var/log/remote/system-%HOSTNAME%.log"
if re_match($hostname,'mtik-gw[0-9]+.example.com') or re_match($hostname,'gw[0-9]+.example.net') then {
    if re_match($syslogtag,'account') then {
        *.* ?RemoteHost-account
        & continue
    }
    if re_match($syslogtag,'bgp') then {
        *.* ?RemoteHost-bgp
        & continue
    }
    if re_match($syslogtag,'dns') then {
        *.* ?RemoteHost-dns
        & continue
    }
    if re_match($syslogtag,'dhcp') then {
        *.* ?RemoteHost-dhcp
        & continue
    }
    if re_match($syslogtag,'hotspot') then {
        *.* ?RemoteHost-hotspot
        & continue
    }
    if re_match($syslogtag,'ospf') then {
        *.* ?RemoteHost-ospf
        & continue
    }
    if $syslogtag contains 'radius' then {
        *.* ?RemoteHost-radius
        & continue
    }
    if re_match($syslogtag,'script') then {
        *.* ?RemoteHost-script
        & continue
    }
    if re_match($syslogtag,'system') then {
        *.* ?RemoteHost-system
        & continue
    }

    *.* ?RemoteHost-all
    & stop
}

Do not forget to check on the syslog side as well:

  1. Firewall
  2. apparmor/selinux policies for rsyslog
  3. Create /var/log/remote/ in order to be able to catch the logs
  4. Set up logrotate scripts

And could anyone please suggest a recipe for how I can have the topic name and severity captured in rsyslog on e.g. CentOS?

My router-side text log file has errors like this:

Nov/26/2019 17:34:14 pptp,ppp,error <24760>: user Admin authentication failed
Nov/26/2019 17:34:14 pptp,ppp,error <24761>: user Admin authentication failed
Nov/26/2019 17:34:14 pptp,ppp,error <24759>: user Admin authentication failed

CentOS remote logserver’s rsyslog.conf rule (IP is hashed):

:fromhost-ip,isequal,"192.168.x.x" /home/root/log/ccr-e1.log
& ~

MT side (IPs are hashed):

/system logging action add bsd-syslog=yes name=logserver remote=192.168.x.y src-address=192.168.x.x syslog-facility=local0 target=remote
/system logging add action=logserver topics=critical
/system logging add action=logserver topics=error
/system logging add action=logserver topics=info
/system logging add action=logserver topics=warning
/system logging add action=logserver topics=watchdog

and the Linux-side rsyslog-produced log file is completely missing the topic and severity "pptp,ppp,error" part:

Nov 26 17:34:14 e1 <24760>: user Admin authentication failed
Nov 26 17:34:14 e1 <24761>: user Admin authentication failed
Nov 26 17:34:14 e1 <24759>: user Admin authentication failed

I've searched the forum and making it work seems to require some creativity :)

Further searching points to rsyslog templates and the fields "host" for tags and "topic" for the actual logging label.

Maybe I'll post it as a separate forum topic if no one answers here.
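As an added example (not code from this thread or from MikroTik/rsyslog), here is a small Python parser for the two line formats quoted in the post: the router-side text log, where the "pptp,ppp,error" topic list is still present, and the rsyslog-side file written by the `:fromhost-ip` rule, where it is gone. On top of both it runs the same detection pass, counting "authentication failed" events per user, which shows that the event is still detectable from the message text alone, but the topic and severity fields are only available from the router-side format. The sample lines are constructed after the ones in the post; the severity list, regexes and threshold are assumptions of the example.

```python
import re
from collections import Counter

# Added example, not from the thread. Two parsers for the line formats quoted
# in the post, plus a per-user count of "authentication failed" messages.
# Sample lines are constructed after the post's examples.

# MikroTik writes the severity as the last entry of the topic list (assumed set).
SEVERITIES = ('debug', 'info', 'warning', 'error', 'critical')

# Router-side text log: "Mon/dd/yyyy HH:MM:SS topic,topic,severity message"
ROUTER_LINE = re.compile(r'^(?P<ts>\S+ \S+) (?P<topics>[\w,-]+) (?P<msg>.*)$')
# rsyslog-side file: default "Mon  d HH:MM:SS host message" layout, no topics
RSYSLOG_LINE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$')
AUTH_FAIL = re.compile(r'\buser (?P<user>\S+) authentication failed\b')

# Constructed sample input (modelled on the post, with one extra dhcp line).
ROUTER_SAMPLE = """Nov/26/2019 17:34:14 pptp,ppp,error <24760>: user Admin authentication failed
Nov/26/2019 17:34:14 pptp,ppp,error <24761>: user Admin authentication failed
Nov/26/2019 17:34:14 pptp,ppp,error <24759>: user Admin authentication failed
Nov/26/2019 17:35:02 dhcp,info dhcp1 assigned 192.0.2.10 to 00:11:22:33:44:55"""

RSYSLOG_SAMPLE = """Nov 26 17:34:14 e1 <24760>: user Admin authentication failed
Nov 26 17:34:14 e1 <24761>: user Admin authentication failed
Nov 26 17:34:14 e1 <24759>: user Admin authentication failed"""


def parse_router_line(line):
    """Parse a router-side line into timestamp, topics, severity and message."""
    m = ROUTER_LINE.match(line)
    if not m:
        return None
    topics = m.group('topics').split(',')
    severity = topics[-1] if topics[-1] in SEVERITIES else None
    if severity:
        topics = topics[:-1]          # keep only the real topics
    return {'ts': m.group('ts'), 'topics': topics,
            'severity': severity, 'msg': m.group('msg')}


def parse_rsyslog_line(line):
    """Parse a line from the rsyslog-side file; topics/severity are not there."""
    m = RSYSLOG_LINE.match(line)
    if not m:
        return None
    return {'ts': m.group('ts'), 'host': m.group('host'),
            'topics': [], 'severity': None, 'msg': m.group('msg')}


def failed_auth_counts(records):
    """Count 'user X authentication failed' messages per user."""
    counts = Counter()
    for rec in records:
        if rec is None:
            continue                  # unparseable line, skipped
        m = AUTH_FAIL.search(rec['msg'])
        if m:
            counts[m.group('user')] += 1
    return counts


def users_over_threshold(records, threshold):
    """Users whose failed-authentication count reached the threshold."""
    return sorted(u for u, n in failed_auth_counts(records).items() if n >= threshold)


if __name__ == '__main__':
    router = [parse_router_line(l) for l in ROUTER_SAMPLE.splitlines()]
    remote = [parse_rsyslog_line(l) for l in RSYSLOG_SAMPLE.splitlines()]
    print('router-side first record:', router[0])
    print('rsyslog-side first record:', remote[0])
    print('repeated failures (router side):', users_over_threshold(router, 3))
    print('repeated failures (rsyslog side):', users_over_threshold(remote, 3))
```

Both parsers return the same record shape, so the detection function does not care which side the lines came from; only the `topics` and `severity` keys differ, and they are empty for the rsyslog-side file until a template that preserves the MikroTik topic list is in place.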

@zentavr - very helpful post.

I am trying to emulate your recommendation, however I am confused about the parameters in the “if statement” - see below

What does the ($hostname,'mtik-gw[0-9]+.example.com') reference? My host name is Mikrotik but I am not sure what 'mtik-gw[0-9]+.example.com' refers to. What does the whole if/then statement achieve? I am trying to understand. Thanks.
John

if re_match($hostname,'mtik-gw[0-9]+.example.com') or re_match($hostname,'gw[0-9]+.example.net')

It was just filtering by the host names.
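To make the host filter and the topic rules from zentavr's 10-remotes.conf concrete, here is an added Python model of that routing (example code, not from the thread or from rsyslog) that reports which file(s) a message with a given hostname and syslog tag would be written to. It assumes, reading the config as written, that a matching topic rule writes a copy and evaluation continues to the next rule, so one message can land in several topic files before the catch-all file, and that messages from hosts outside the outer `if` fall through to the rest of the rsyslog configuration (modelled as an empty list). It also carries a tightened host pattern, an assumption of the example rather than something in the post: the original patterns are unanchored and use unescaped dots, so a hostname such as `mtik-gw1xexamplexcom` also passes the filter.

```python
import re

# Added example, not from the thread: a Python model of the routing rules in
# zentavr's /etc/rsyslog.d/10-remotes.conf. Assumes a matching topic rule writes
# a copy and evaluation continues; non-matching hosts fall through (empty list).

# Host filter exactly as in the post: unanchored, dots unescaped (regex "any char").
HOST_PATTERNS_LOOSE = [r'mtik-gw[0-9]+.example.com', r'gw[0-9]+.example.net']
# Tightened variant (assumption of this example): dots escaped and anchored to the
# whole hostname, so only the intended routers match.
HOST_PATTERNS_STRICT = [r'^mtik-gw[0-9]+\.example\.com$', r'^gw[0-9]+\.example\.net$']

# Topic rules in the order the post lists them. The pattern is searched anywhere
# in the syslog tag, like re_match() / contains in the rsyslog rule set.
TOPIC_RULES = [
    ('account', '/var/log/remote/account-{host}.log'),
    ('bgp',     '/var/log/remote/bgp-{host}.log'),
    ('dns',     '/var/log/remote/dns-{host}.log'),
    ('dhcp',    '/var/log/remote/dhcp-{host}.log'),
    ('hotspot', '/var/log/remote/hotspot-{host}.log'),
    ('ospf',    '/var/log/remote/ospf-{host}.log'),
    ('radius',  '/var/log/remote/radius-{host}.log'),
    ('script',  '/var/log/remote/script-{host}.log'),
    ('system',  '/var/log/remote/system-{host}.log'),
]
CATCH_ALL = '/var/log/remote/all-{host}.log'


def host_matches(hostname, strict=False):
    """True if the hostname passes the outer if-condition of the rule set."""
    patterns = HOST_PATTERNS_STRICT if strict else HOST_PATTERNS_LOOSE
    return any(re.search(p, hostname) for p in patterns)


def route(hostname, syslogtag, strict=False):
    """Return the files a message would be written to, in rule order.

    An empty list means the outer host filter rejected the message and it is
    left to whatever other rules the rsyslog configuration has.
    """
    if not host_matches(hostname, strict):
        return []
    files = [path.format(host=hostname)
             for topic, path in TOPIC_RULES if re.search(topic, syslogtag)]
    files.append(CATCH_ALL.format(host=hostname))   # every accepted message ends here
    return files


if __name__ == '__main__':
    # Constructed (hostname, syslogtag) samples; not real router output.
    samples = [
        ('mtik-gw1.example.com', 'dhcp'),
        ('gw7.example.net', 'hotspot,info'),
        ('Mikrotik', 'dhcp'),                 # default hostname: filter rejects it
        ('mtik-gw1xexamplexcom', 'system'),   # slips past the unescaped-dot pattern
    ]
    for host, tag in samples:
        print(host, tag)
        print('  loose :', route(host, tag))
        print('  strict:', route(host, tag, strict=True))
```

The practical check this gives you: run your own router hostname through `host_matches()` with the pattern you intend to use. With the patterns from the post a router that still reports the default hostname `Mikrotik` is rejected by the outer `if` and never reaches the per-topic files, which is exactly the situation the question above describes.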