Re: Obscure rsyslog question on remote logging

Tom Horsley wrote:
> I've got an old PC running Truenas as a local server for backups,
> videos, etc.
> 
> I've got another PC I consider my "main" system running rsyslog.
> On this PC I have tried (mostly successfully) to direct remote
> syslog messages from the Truenas system to logfiles in a subdirectory
> on my main system. This gibberish in my main system's rsyslog.conf
> seems to do the trick:
> 
> # Log incoming message from remote systems here
> $template DynamicFile,"/var/log/loghost/%HOSTNAME%/%syslogfacility-text%.log"
> :hostname, contains, "nast"
> *.*    -?DynamicFile
> 
> Most remote log messages do indeed get redirected to the subdirectory
> as expected, but SMART messages like these still wind up in
> /var/log/messages on my main system rather than in the subdirectory.
> 
> Example:
> 
> Nov 16 16:16:51 nast 1 2023-11-16T16:16:51.564170-05:00 nast.my.lan smartd 1501 - - Device: /dev/ada0, SMART Usage Attribute: 194 Temperature_Celsius changed from 58 to 57
> 
> Most other messages wind up down in the subdirectory as expected, like this:
> 
> Nov 16 19:15:00 nast 1 2023-11-16T19:15:00.012359-05:00 nast.my.lan /usr/sbin/cron 16239 - - (root) CMD (/usr/libexec/atrun)
> 
> Anyone understand remote logging enough to provide any hints why this
> is happening? It is clearly not all that critical, but it confuses me.

You probably need a stop action in your config to cease
further processing of messages which come from the remote
system.

I'd probably do this in the newer "advanced" format (AKA
RainerScript) instead of the "obsolete legacy" format.  I
believe this would do what you want:

# Log incoming message from remote systems here
template (name="DynamicFile" type="string" 
          string="/var/log/loghost/%HOSTNAME%/%syslogfacility-text%.log")
if ($hostname != $myhostname) then {
    action(type="omfile" dynaFile="DynamicFile")
    stop
}

With the legacy format, I _think_ adding '& stop' after the
'*.*    -?DynamicFile' line would work, but that format is
harder to read and far less clear so it's worth avoiding
when you need anything other than dirt-simple rules.

The comment and the condition don't really match in the
original.  The rule doesn't handle _any_ remote system, only
those whose hostname matches the string "nast" would be
handled.  If that's the only remote host you have sending
logs, then for all intents and purposes, it's the same
thing.  But it should work to use the "!=" condition just as
well (I say without having tested -- what could go wrong?).

To keep the conditional as you have it (tightened up
slightly, since your host appears to match 'nast' exactly so
an equals is better than contains):

    if ($hostname == "nast") then { ... }

Hopefully this helps more than it hurts. ;)

-- 
Todd
