
rsyslog Configuration for remote Logging

I want all the network devices in my house to log to a central location, so that log messages can be

  • stored permanently (if I switch off an access point, normally all logs are gone), and
  • automatically checked for interesting events.

So I needed to set up my internal Ubuntu-based server to receive log messages from these devices via the syslog protocol.

My requirements were:

  • Logs from different devices should go into a dedicated file each.
  • Logs from the local machine should not go into any of these files, but the standard Ubuntu logging should continue as before.

It took me a while to figure out what the “ultimate” configuration should look like, but here’s the result in case anybody else has similar requirements:

# Define a template for the remote log file
template(name="TmplRemote" type="list") {
    constant(value="/var/log/remote/")
    property(name="hostname" SecurePath="replace")
    constant(value=".log")
}

# provides UDP syslog reception
module(load="imudp")

# provides TCP syslog reception
module(load="imtcp")

ruleset(name="remote"){
    # Filter messages from remote hosts and write to the dedicated file
    if ($fromhost-ip != '127.0.0.1') then {
        action(type="omfile" dynafile="TmplRemote")
    } else {
        # Prevent local messages from being written to the remote log file
        stop
    }
}

input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

Put the above into a file called /etc/rsyslog.d/99-local.conf, create the directory /var/log/remote/, then restart rsyslog as follows:

$ sudo systemctl restart rsyslog.service

BTW, in case you wonder about the SecurePath option on the remote host name property, this is a security measure.

At home with your own trusted equipment this is not really required. But in “hostile” environments with untrusted traffic, somebody could attempt an attack by “crafting” a host name that is then used as a path name on your logging server, potentially creating files that you didn’t foresee.
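To see what SecurePath guards against, here is a small added example (not part of the original configuration and not rsyslog code) that models the TmplRemote template in Python and checks whether the resulting file name stays inside /var/log/remote/. It assumes the documented behaviour that "replace" turns slashes into underscores and "drop" removes them; the function names and sample host names are constructed for illustration.

```python
import posixpath

LOG_DIR = "/var/log/remote"  # directory used by the TmplRemote template above


def render_remote_path(hostname, secure_path=None):
    """Model TmplRemote: constant + hostname property + constant.

    secure_path mirrors the property option: "replace" turns each slash
    into an underscore, "drop" removes slashes, None leaves the value raw.
    This is a simplified model, not rsyslog's implementation.
    """
    if secure_path == "replace":
        hostname = hostname.replace("/", "_")
    elif secure_path == "drop":
        hostname = hostname.replace("/", "")
    elif secure_path is not None:
        raise ValueError(f"unknown SecurePath mode: {secure_path!r}")
    return LOG_DIR + "/" + hostname + ".log"


def stays_in_log_dir(path):
    """True if the path, with '..' segments resolved, is still under LOG_DIR."""
    resolved = posixpath.normpath(path)
    return posixpath.commonpath([LOG_DIR, resolved]) == LOG_DIR


def audit(hostnames, secure_path=None):
    """Return {hostname: (rendered path, stays inside LOG_DIR?)}."""
    result = {}
    for name in hostnames:
        path = render_remote_path(name, secure_path)
        result[name] = (path, stays_in_log_dir(path))
    return result


# Constructed sample host names: one ordinary device name and two values
# containing path separators, as an untrusted sender could supply.
SAMPLE_HOSTNAMES = ["ap-livingroom", "../../tmp/x", "switch/../../../tmp/y"]

if __name__ == "__main__":
    for mode in (None, "replace"):
        print(f"SecurePath={mode}")
        for name, (path, ok) in audit(SAMPLE_HOSTNAMES, mode).items():
            print(f"  {name!r:26} -> {path}  inside={ok}")
```

Without the option, the two constructed names resolve to files under /var/tmp/; with "replace", every name becomes a single file directly inside /var/log/remote/.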

Did this help? Then let me know, please.

By Ralf Bergs

Geek, computer guy, licensed and certified electrical and computer engineer, husband, best daddy.
