Gwynn asked:
I’m trying to configure a remote log host for my servers (all CentOS 8). I added this on my central server
if $fromhost-ip == '123.123.123.123' then /var/log/{{hostname}}.log
Also I changed my client config to
*.* @@321.321.321.321:514/var/log/{{hostname}}.log
But when I try to run:
sudo logger "test"
It both logs on /var/log/hostname.log and /var/log/messages on my central remote server
It also floods the custom log file with
pam_unix(sudo:session): session opened for user root by admin(uid=0)
log message here
pam_unix(sudo:session): session closed for user root
How do I set my logs only to send to my custom log file? And how do I filter these pam messages to be not included?
Thank you
My answer:
Logging to multiple locations is perfectly allowed, so if you did not change the default configuration which logs most things to /var/log/messages, then they will continue to be logged there.
The config file /etc/rsyslog.conf contains, among other things:
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
You might add a property-based filter to discard messages after you have logged them once, based on various properties of the message. For example: After logging it once, the property-based filter will discard the message, preventing later configurations from logging it (the tilde means to discard the message and not process it further):
if $fromhost-ip == '123.123.123.123' then /var/log/{{hostname}}.log
:fromhost-ip, isequal, '123.123.123.123' ~
You’re getting pam messages, because you used sudo, not because you ran logger. You will get those every time you run sudo. If you do not want to see them in the log, do not run sudo. It isn’t necessary to use sudo to run logger anyway.
View the full question and any other answers on Server Fault.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.