From 0aa0fe222efe2de40ad6e2dbcfeda0dde1f78e16 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Thu, 7 May 2009 09:32:32 +0200
Subject: [PATCH] rsyslog: Use %fromhost% instead of %hostname%.

Using hostname did not always work, since that use the hostname specified in the message itself (In particular some kernel messages without a hostname were seen). using %fromhost% always uses the hostname of the host the message was received from. This might break in NAT and forwarding situations, but those do not apply here.
---
 etc/logcheck/ignore.d.server/000-local-vuurmuur | 1 +
 etc/rsyslog.conf | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)
 create mode 100644 etc/logcheck/ignore.d.server/000-local-vuurmuur

diff --git a/etc/logcheck/ignore.d.server/000-local-vuurmuur b/etc/logcheck/ignore.d.server/000-local-vuurmuur
new file mode 100644
index 0000000..c8e2b61
--- /dev/null
+++ b/etc/logcheck/ignore.d.server/000-local-vuurmuur
@@ -0,0 +1 @@
+vrmr: DROP.*
diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf
index b1f88e2..df51b37 100644
--- a/etc/rsyslog.conf
+++ b/etc/rsyslog.conf
@@ -54,9 +54,9 @@ $IncludeConfig /etc/rsyslog.d/*.conf
 ########################
 # Log lines received from other servers (as well as our own logs) centrally.
-$template FacilityLog,"/data/log/rsyslog/%hostname%/facilities/%syslogfacility-text%.log"
-$template SeverityLog,"/data/log/rsyslog/%hostname%/severities/%syslogseverity-text%.log"
-$template AppLog,"/data/log/rsyslog/%hostname%/apps/%app-name%.log"
+$template FacilityLog,"/data/log/rsyslog/%fromhost%/facilities/%syslogfacility-text%.log"
+$template SeverityLog,"/data/log/rsyslog/%fromhost%/severities/%syslogseverity-text%.log"
+$template AppLog,"/data/log/rsyslog/%fromhost%/apps/%app-name%.log"
 # Use a verbose logging format
 $template LogFormat, "%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag% %syslogfacility-text%.%syslogseverity-text%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
--
2.30.2
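Review bot: The new ignore rule `vrmr: DROP.*` is unanchored, and logcheck matches its rules as extended regular expressions against the whole log line, so any line that merely contains `vrmr: DROP` is left out of the report, including a line from another program that echoes remote input. Anchoring the rule with `^` plus the timestamp, host and program prefix that this host's log format actually produces, in the form `^<timestamp> <host> <tag>: vrmr: DROP ` (placeholders, not a literal pattern), would limit the suppression to the firewall's own entries. The commit message does not mention this file, so a sentence there recording that firewall drops are deliberately excluded from logcheck mail would help later readers.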
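Review bot: `%app-name%` in the AppLog template is still taken from the message content, so a sending host keeps choosing the file name under `apps/` even though the directory now comes from `%fromhost%`. If the rsyslog version in use supports the property option, `%app-name:::secpath-replace%` rewrites slashes so a crafted tag cannot name a path outside that directory. `%fromhost%` is the result of a reverse DNS lookup on the sender address, so the directory name follows PTR data and resolver availability, whereas `%fromhost-ip%` depends only on the source address. A comment beside the templates such as `# directory is keyed on the sender address; over UDP that address can be forged` would record the remaining trust assumption.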