Gwynn asked:
I’m trying to configure a remote log host for my servers (all CentOS 8). I added this on my central server
if $fromhost-ip == '123.123.123.123' then /var/log/{{hostname}}.log
Also I changed my client config to
*.* @@321.321.321.321:514/var/log/{{hostname}}.log
But when I try to run:
sudo logger "test"
It logs to both /var/log/hostname.log and /var/log/messages on my central remote server
It also floods the custom log file with
pam_unix(sudo:session): session opened for user root by admin(uid=0)
log message here
pam_unix(sudo:session): session closed for user root
How do I set my logs to be sent only to my custom log file? And how do I filter these pam messages so that they are not included?
Thank you
My answer:
Logging to multiple locations is perfectly allowed, so if you did not change the default configuration which logs most things to /var/log/messages, then they will continue to be logged there.
The config file /etc/rsyslog.conf contains, among other things:
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
You might add a property-based filter to discard messages after you have logged them once, based on various properties of the message. For example: After logging it once, the property-based filter will discard the message, preventing later configurations from logging it (the tilde means to discard the message and not process it further):
if $fromhost-ip == '123.123.123.123' then /var/log/{{hostname}}.log
:fromhost-ip, isequal, "123.123.123.123" ~
You’re getting pam messages, because you used sudo, not because you ran logger. You will get those every time you run sudo. If you do not want to see them in the log, do not run sudo. It isn’t necessary to use sudo to run logger anyway.
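The log-once-then-discard approach from the answer above, written as a single block, as an added example that is not part of the original answer. The drop-in file name and the log file path are assumptions, and it assumes the file is loaded before the default rule that writes /var/log/messages (check where the include line for /etc/rsyslog.d/ sits in /etc/rsyslog.conf).

```conf
# Central server: /etc/rsyslog.d/10-remote-host.conf  (file name is an assumption)
#
# Rule order matters: rsyslog evaluates rules top to bottom, so this block
# has to be read before the default rule
#   *.info;mail.none;authpriv.none;cron.none /var/log/messages
# otherwise the message has already been written there when the discard runs.

# 123.123.123.123 is the client address used in the question.
if $fromhost-ip == '123.123.123.123' then {
    # Write the client's messages to their own file.
    # The path is an assumption; it stands in for the question's
    # /var/log/{{hostname}}.log placeholder.
    action(type="omfile" file="/var/log/remote-client.log")

    # Discard the message so no later rule logs it a second time.
    # "stop" is the current form of the legacy "~" discard action.
    stop
}
```

After a restart of rsyslog, a message from that client appears in the per-host file only; messages from any other source still fall through to the default rules.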
View the full question and any other answers on Server Fault.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.