Community Forum

Resolved
0 votes
I am able to manually add an external Syslog source to ClearOS v7 using the following process:

1) Edit /etc/rsyslog.conf:
vi /etc/rsyslog.conf


In the "###MODULES###" section, enable UDP and TCP syslog reception by uncommenting the lines as follows:
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514


2) Create a RULES file in the /etc/rsyslog.d to capture results and write them to a file. In this example, I am capturing the logs for a Wireless Access Point at 192.168.1.99:
vi /etc/rsyslog.d/DLinkRouter.conf


File Contents:
if $fromhost-ip == '192.168.1.99' then /var/log/DLinkRouter.log


3) Create a logrotate configuration to keep the file from getting too big:
vi /etc/logrotate.d/DLinkRouter


File Contents:
/var/log/DLinkRouter.log
{
missingok
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}


4) Restart rsyslog service:
service rsyslog restart


Using these steps, I was able to see logs flow into the log file in real time using tail:
tail -n50 -f /var/log/DLinkRouter.log


I can also see the file listed in the ClearOS Log Viewer's list of available files.

I'd like to request that this process be automated and wrapped in a GUI on the website. The GUI would accept a source IP address or source name (at minimum) and would create a rotated log file for each source. It would be even cooler if it were possible to add more advanced rsyslog filters in addition.

NOTE: Updated based on feedback from Tony Ellis to work with both v6 and v7.
Tuesday, August 08 2017, 08:58 PM
Share this post:
Responses (2)
  • Accepted Answer

    Tuesday, August 15 2017, 02:08 PM - #Permalink
    Resolved
    0 votes
    Thank you Tony Ellis! I've updated my original post to include the corrections you provided.
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, August 09 2017, 02:29 AM - #Permalink
    Resolved
    0 votes
    Useful info there Vince...

    A couple of nits for ClearOS 7.x, but crucial for ClearOS 6.x...

    1) Quoting from the rsyslog doc at http://www.rsyslog.com/doc/master/configuration/filters.html (page down to the Expression-Based Filters section)

    Expression based filters are indicated by the keyword “if” in column 1 of a new line. They have this format:

    if expr then action-part-of-selector-line

    “if” and “then” are fixed keywords that must

    Should be "if" - i.e. all lower case - NOT "If" with an Uppercase "I" as you provided. "If" works on ClearOS 7.x - but errors on ClearOS 6.x - Best to follow the doc exactly so it works on both platforms...

    2) The ip address should be in single quotes as in the examples (just below the section quoted above. Double quotes works in ClearOS 7.x, but again on ClearOS 6.x will give this error...

    the last error occured in /etc/rsyslog.d/TPLinkADSL.conf, line 1:"if $fromhost-ip == "192.168.4.1" then /var/log/TPLinkADSL.log"


    Tony http://www.sraellis.tk
    Like
    1
    The reply is currently minimized Show
Your Reply