IBM Support

IBM AIX: Configure Rsyslog Server to Implement Client-Based Log Separation

How To


Summary

This document explains how to configure a centralized log server to store log messages forwarded from remote syslog/rsyslog clients in client-specific log files, overriding the default behavior of accumulating log messages from different sources in a single log file.

Objective

Set up an AIX rsyslog server to store the remote logs in local log files, one file per client.

Steps

Rsyslog Server:
1. Download the AIX rsyslog from here.

2. Install and switch to rsyslog as described here.
3. Append the following configuration to the /etc/rsyslog.conf file:
if $msg contains "hostA" then {
        action (type="omfile" file="/var/log/hostA.log")
        stop
        }
The 'if' statement above checks each log message for the string 'hostA' in its text ($msg) and performs the given action on the messages that match.
To understand the 'if' statement in the rsyslog context, we first need to know how the rsyslog configuration file is designed.
The rsyslog.conf file is built from 'modules', which can be loaded on demand according to the configuration design. Three main types of modules define the rsyslog workflow: input, parser and output modules.
The following diagram, found on the official website of the rsyslog project, explains the rsyslog workflow:
[Figure: rsyslog workflow diagram]
The rsyslog.conf file can also be divided into multiple scopes (aka rulesets). Each ruleset consists of a set of modules. If no rulesets are defined, a single ruleset is assumed across the whole configuration file.
For simplicity, this document assumes one scope across the rsyslog.conf file. In that case there is no need to define a ruleset; only the modules intended for the task need to be configured. The needed modules are:
a. Input modules:
  • imudp: Used to tell rsyslogd to accept UDP traffic.
  • imtcp: Used to tell rsyslogd to accept TCP traffic.
Example:
$ModLoad imudp
$UDPServerRun 514

$ModLoad imtcp
$InputTCPServerRun 5514
Alternatively, both modules can be enabled as follows:
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="5514")
b. Parser modules: 
Usually used for log message normalization when the incoming log message is not properly formatted. The use case covered by this document doesn't need a parser module.
c. Output modules:
  • omfile: Used to redirect the incoming log message to a file.
Example:
$ModLoad omfile
facility.severity :omfile:/path/to/logfile
Alternatively:
$ModLoad omfile
facility.severity {action (type="omfile" file="/path/to/logfile")}
4. For log rotation, the conditional statement above can be modified as follows:
if $msg contains "hostA" then {
        action (type="omfile" file="/var/log/hostA.log")
        $outchannel log_rotation,/var/log/hostA.log, 15360,/.hostA_log_rotate
        # The following line recreates the log file after rotation.
        *.* :omfile:/var/log/hostA.log
        stop
        }
$outchannel is an rsyslog.conf directive intended to add more actions to the output module. The syntax is:
$outchannel given_name,file-name,max-size,action-on-max-size
This can be used to implement log rotation when the max-size criterion is met. The action field is set to the absolute path name of a shell script (in our example "/.hostA_log_rotate"), which executes the following command:
mv -f /var/log/hostA.log /var/log/hostA.log.0
On other operating systems such as Linux, the "logrotate" utility can be used instead of that shell script.
Note:
The $outchannel directive is still under development and might be changed in the upcoming rsyslog versions. This procedure works for rsyslog versions up to 8.22.12.0. 
With all that said, a complete single-scope rsyslog.conf file would look like this:
$ModLoad imudp
$UDPServerRun 514

$ModLoad imtcp
$InputTCPServerRun 5514


#Local log messages:
mail.debug {action (type="omfile" file="/path/to/logfile1")}

#Forwarded log messages (dedicated log file per client):
if $msg contains "hostA" then {
        action (type="omfile" file="/var/log/hostA.log")
        $outchannel log_rotation,/var/log/hostA.log, 15360,/.hostA_log_rotate
        *.* :omfile:/var/log/hostA.log
        stop
        }

if $msg contains "hostB" then {
        action (type="omfile" file="/var/log/hostB.log")
        $outchannel log_rotation,/var/log/hostB.log, 15360,/.hostB_log_rotate
        *.* :omfile:/var/log/hostB.log
        stop
        }
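The rules above match on $msg, the message text, which every sender controls. As an added example (not part of the IBM document), the same per-client separation keyed on the $fromhost-ip property, first with fixed rules and then generalized with an omfile dynaFile template; the 192.0.2.x addresses, the template name PerClientFile and the /var/log/remote path are assumptions.

```conf
# Added example, not from the IBM document. Addresses, the template name
# and the /var/log/remote directory are constructed placeholders.

# Load the input modules before declaring the listeners.
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514")
input(type="imtcp" port="5514")

# Variant 1: one explicit rule per client, keyed on the address rsyslog
# received the message from. The value comes from the network layer, not
# from the message text, so a client cannot land in hostA.log just by
# including the string "hostA" in a message.
# Over UDP the source address is unauthenticated; prefer the TCP listener
# where the sender address decides the destination file.
if $fromhost-ip == "192.0.2.10" then {
        action(type="omfile" file="/var/log/hostA.log")
        stop
}
if $fromhost-ip == "192.0.2.11" then {
        action(type="omfile" file="/var/log/hostB.log")
        stop
}

# Variant 2: one rule for all remaining remote clients. The file name is
# built per message from the sender address, so adding a client needs no
# configuration change.
template(name="PerClientFile" type="string"
         string="/var/log/remote/%fromhost-ip%.log")

# Locally generated messages carry 127.0.0.1 in fromhost-ip and fall
# through to the local rules (for example the mail.debug rule).
if $fromhost-ip != "127.0.0.1" then {
        action(type="omfile" dynaFile="PerClientFile"
               dirCreateMode="0750" fileCreateMode="0640")
        stop
}
```

The fixed rules must appear before the catch-all rule, because 'stop' ends processing of a message at the first rule that matches it.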
Document Location

Worldwide

Document Information

Modified date:
09 March 2025

UID

ibm17183638