I have 2 VOIP devices on my network (ht502 and ht704) which are both capable of sending their log info as syslog data. Receiver is a little Raspberry on Raspbian.
I wanted to configure syslog to receive messages from both VOIP devices and store them into their respective (different) log files. So far I failed to accomplish that.
I enabled syslog (by uncommenting the below lines in /etc/rsyslog.conf):
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
I created two files in /etc/rsyslog.d/ as follows.
ht704.conf
$template NetworkLog, "/var/log/ht704.log"
:fromhost-ip, isequal, "192.168.11.160" -?NetworkLog
ht502.conf
$template NetworkLog, "/var/log/ht502.log"
:fromhost-ip, isequal, "192.168.11.162" -?NetworkLog
Note the respective different IP addresses.
And restarted the service:
service rsyslog restart
It turns out however that all output lands in the /var/log/ht502.log file.
Example:
Nov 7 19:05:39 HT-502 [00: 0B:82:42:31:62]: [1.0.14.1] NAT::checkNAT: detected NAT environment for account 1
Nov 7 19:05:39 HT-502 [00: 0B:82:42:31:62]: [1.0.14.1] NAT::addPortMapping(STUN), iport = 49260
Nov 7 19:05:39 HT704 [00: 0B:82:65:DD:1C] [1.0.5.10]:System uptime: 1846
Nov 7 19:05:39 HT704 [00: 0B:82:65:DD:1C] [1.0.5.10]:System memory: 13213696/724992/0/794624
Nov 7 19:05:40 HT-502 [00: 0B:82:42:31:62]: [1.0.14.1] SIPClientTransaction::sendRequest: Request 15 is sent
Nov 7 19:05:40 HT-502 [00: 0B:82:42:31:62]: [1.0.14.1] SIPStack(0)::run: Active transactions: 2
On top of all I actually just noticed that the messages from the VOIP devices also unexpectedly showed up in /var/log/messages and /var/log/syslog. I don't think they should show up there. Or should they?
Any idea what's missing?
1 Answer
TL;DR :
Your templates are clobbering each other (although they do not seem to be inherited by other .conf files, they are conflicting - your guess is as good as mine).
Rename NetworkLog to a unique name per file.
Add & ~ as the last line in ht704.conf and ht502.conf
Alternative (cleaner):
create a single .conf file in /etc/rsyslog.d/ containing the following:
:fromhost-ip, isequal, "192.168.11.160" /var/log/ht704.log
& ~
:fromhost-ip, isequal, "192.168.11.162" /var/log/ht502.log
& ~
With formatters example:
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
:fromhost-ip, isequal, "192.168.11.160" /var/log/ht704.log;RFC3164fmt
& ~
:fromhost-ip, isequal, "192.168.11.162" /var/log/ht502.log;RFC3164fmt
& ~
Long Version :
I recently found myself struggling to understand the precedence and syntax of these files and found this question while googling. I would like to link to the documentation but I found it terribly hard to parse and it seems there is already an incentive to improve it underway here: As a result, most of the advice comes from empirical evidence (things I tried).
TIL:
The FILENAMEs in /etc/rsyslog.d are operated on with alphabetical precedence [collation dependent] (i.e. why the default is named 50-default.conf). As an example I was trying to have multiple output files with different formatting based on the same rule/condition (:fromhost-ip, etc.); the answer was to have the first file read (alphabetically/collationally) do whatever and exclude the STOP (& ~) while presenting a different output to the second file (alphabetically/collationally) AND including the STOP (& ~).
The first file in this example was named 10-ddwrt.conf and the second was named 15-ddwrt.conf.
Hope this helps and please feel free to improve upon it. I specifically did not get into the "new" syntax as it is incompatible with older versions of rsyslog.
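An added Python model (not code from the post or from rsyslog itself) of how the legacy rule engine walks the rules in the answer: the .conf files are read in sorted name order, then each message passes every matching action until an `& ~` discards it. It shows why, without the stop, each handset's lines also fall through to the catch-all in 50-default.conf and so end up in /var/log/syslog; the sample messages, file names and catch-all rule are constructed for the example.

```python
# Added example, not from the post: a minimal model of rsyslog's legacy rule
# processing. Supports only ':fromhost-ip, isequal, "IP" target', '& target'
# and '& ~' (chain / discard) and the '*.*' catch-all; '$' directives are skipped.
import re
from collections import defaultdict

FILTER_RE = re.compile(r'^:fromhost-ip,\s*isequal,\s*"([^"]+)"\s+(\S+)$')

def parse_rules(conf_files):
    """conf_files: {name: text}, read in sorted order like /etc/rsyslog.d/*.conf."""
    rules, last_ip = [], None
    for name in sorted(conf_files):               # 10-*.conf before 50-default.conf
        for line in conf_files[name].splitlines():
            line = line.strip()
            if not line or line[0] in "#$":
                continue                          # comments, templates, modules
            if line.startswith("&"):              # extra action for previous filter
                rules.append((last_ip, line[1:].strip()))
            elif line.startswith("*.*"):          # facility.priority catch-all
                last_ip = None
                rules.append((None, line.split()[-1]))
            elif m := FILTER_RE.match(line):
                last_ip = m.group(1)
                rules.append((last_ip, m.group(2)))
            else:
                raise ValueError(f"{name}: unsupported line {line!r}")
    return rules

def route(rules, messages):
    """messages: [(from_ip, text)] -> {file: [text]}. '~' stops further rules."""
    out = defaultdict(list)
    for ip, text in messages:
        for match_ip, target in rules:
            if match_ip not in (None, ip):
                continue
            if target == "~":                     # '& ~': discard, later rules never see it
                break
            out[target.lstrip("-")].append(text)  # leading '-' only means async write
    return dict(out)

# Constructed sample traffic from the two handsets plus a Debian-style catch-all.
SAMPLE = [("192.168.11.160", "HT704 System uptime: 1846"),
          ("192.168.11.162", "HT-502 NAT::checkNAT: detected NAT environment")]
DEFAULT = {"50-default.conf": "*.* -/var/log/syslog\n"}
RULE_704 = ':fromhost-ip, isequal, "192.168.11.160" /var/log/ht704.log\n'
RULE_502 = ':fromhost-ip, isequal, "192.168.11.162" /var/log/ht502.log\n'

def without_stop():   # filters only: every handset line also reaches /var/log/syslog
    return route(parse_rules({"10-voip.conf": RULE_704 + RULE_502, **DEFAULT}), SAMPLE)

def with_stop():      # '& ~' after each filter: each handset lands only in its own file
    conf = RULE_704 + "& ~\n" + RULE_502 + "& ~\n"
    return route(parse_rules({"10-voip.conf": conf, **DEFAULT}), SAMPLE)
```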