20120920

how to set up a syslog (rsyslog) server on an ubuntu machine to log d-link DIR-655 router logs

SETTING UP SYSLOG FOR ROUTER LOGS ON AN EXTERNAL SERVER

enable sending router syslogs to myserver (Tools > Syslog):
http://192.168.0.1/Tools/SysLog.shtml

put a checkmark next to Enable Logging To Syslog Server

Syslog Server IP Address is currently myserver: 192.168.0.19

// on the syslog server

install rsyslog:
sudo apt-get install rsyslog

edit the main rsyslog config file:
sudo nano -w /etc/rsyslog.conf
make sure the following lines are uncommented:
$ModLoad imudp
$UDPServerRun 514

$ModLoad imtcp
$InputTCPServerRun 514


in order to get dynamic log file naming to work, make sure these lines are commented out:
#$PrivDropToUser syslog
#$PrivDropToGroup syslog


before i figured out that last tip, dynamic file names using template were not working. if those 2 lines aren't commented out, then there is a permissions issue, and use of template won't work (see below)

edit the default rsyslog config file:
sudo nano -w /etc/rsyslog.d/50-default.conf

add the following lines at the very top:
$template DynFile,"/var/log/myrouter/%$year%%$month%%$day%.log"
:fromhost-ip, isequal, "192.168.0.1" ?DynFile
:fromhost-ip, isequal, "192.168.0.1" ~


192.168.0.1 is the router ip address

the bottom line means discard (~) any message from host ip 192.168.0.1 at this point, after the line above has written it to the DynFile (i.e. the logging rules specified after this line only apply to messages from the localhost)

then restart the rsyslog service:
sudo service rsyslog restart

you will shortly begin to see router log files appearing here:
/var/log/myrouter/

with filenames in the following format:
yyyymmdd.log

e.g.:
/var/log/myrouter/20120920.log
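
an added example, not part of the original post: a small shell check for the setup above. it reports whether rsyslogd keeps running as root because the $PrivDropToUser line is commented out, and whether the log directory is owned by the drop user, which is the alternative the first comment below describes. the function names, the messages and the ownership-only test are assumptions of this sketch; stat -c is the GNU coreutils form found on ubuntu.

```shell
#!/bin/sh
# added example (not from the original post): audit an rsyslog setup like the one above.
# usage: audit_rsyslog /etc/rsyslog.conf /var/log/myrouter
# prints one finding per line; returns 0 if privilege drop is usable, 1 otherwise.

# print the value of an active (uncommented) legacy directive, e.g. '$PrivDropToUser'
active_value() {
    awk -v d="$2" '$1 == d { v = $2 } END { if (v != "") print v }' "$1"
}

audit_rsyslog() {
    conf=$1
    logdir=$2
    rc=0
    user=$(active_value "$conf" '$PrivDropToUser')
    if [ -z "$user" ]; then
        echo "WARN: \$PrivDropToUser is not active, rsyslogd keeps running as root"
        rc=1
    elif [ ! -d "$logdir" ]; then
        echo "WARN: $logdir is missing; create it and chown it to $user"
        rc=1
    else
        # assumption: ownership is the test; group-writable setups are not considered
        owner=$(stat -c %U "$logdir")
        if [ "$owner" != "$user" ]; then
            echo "WARN: $logdir is owned by $owner, not $user; dynamic file creation may fail"
            rc=1
        else
            echo "OK: $logdir is owned by $user, privilege drop can stay enabled"
        fi
    fi
    # list the network inputs that are switched on, so they can be limited to the router
    for d in '$UDPServerRun' '$InputTCPServerRun'; do
        port=$(active_value "$conf" "$d")
        if [ -n "$port" ]; then
            echo "INFO: $d $port is active; only 192.168.0.1 needs to reach it"
        fi
    done
    return "$rc"
}
```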

8 comments:

  1. If you do:
    sudo chown syslog:adm /var/log/myrouter/
    (replace syslog:adm with what's appropriate for your system)
    dynamic file naming in rsyslogd seems to work without having to run as root.

  2. Great instructions, thank you!

  3. Hi

    What if I want logs from more than one device?

    Replies
    1. Just need to add
      $template DynFile,"/var/log/myrouter/%$year%%$month%%$day%.log"
      :fromhost-ip, isequal, "192.168.0.1" ?DynFile
      :fromhost-ip, isequal, "192.168.0.1" ~

      For a different server, configure the different ip address

    2. For more than one device, use the config below

      $template DynFile,"/var/log/rsyslog/%HOSTNAME%/%$year%%$month%%$day%.log"

      if $fromhost-ip startswith 'x.x.x.x' then ?DynFile

      & ~

      if $fromhost-ip startswith 'x.x.x.x' then ?DynFile

  4. It is really working... but you need to give the command that MiaM (30 January 2013 17:51) said:

    sudo chown syslog:adm /var/log/myrouter/

  5. Kenneth, I think you can use this format to log multiple devices. I'm testing now...

    $template AnotherDynFile,"/var/log/myrouter/%$year%%$month%%$day%.log"
    :fromhost-ip, isequal, "192.168.1.1" ?AnotherDynFile
    :fromhost-ip, isequal, "192.168.1.1" ~

  6. Excellent, thank you. The documentation for rsyslog is appalling.
