rsyslog, log msgs in a different file

[Karl Auer]

On Sat, 2024-02-17 at 19:21 -0700, R C wrote:
> but the messages from the switch are still ending up in
> "/var/log/syslog"

I'd have expected "*.*  ?NetworkLogs" to work, but not sure about the
asterisk at the end of your template line. I don'tthink that's a valid
template option. 

Maybe run "rsyslogd -f <your_config_file> -N 1"

Or just "rsyslogd -N 1" if you've put your stuff in the main config
file.

Also - once you think everything should work - try restarting rsyslogd.
Can't remember if that's needed these days, but it can't hurt :-)

It may or may not be helpful, but this is how I direct my MikroTik
router log entries into a separate file. The first line is the template
("stick it in this file"). The second line is the rule ("if the
programname field is 'mikrotik', use the RouterLog template"). The
third line stops processing the entry ("all done with that inbound log
entry, thxbye"):

$template RouterLog, "/var/log/mikrotik.log"
:programname, isequal, "mikrotik" -?RouterLog
& stop

Those three lines are in /etc/rsyslog.d/30-mikrotik.conf. The "-"
before the "?" means "disable syncing on this file". I'm pretty sure I
did not need a template and could have just put "/var/log/mikrotik.log"
where "?Routerlog" is, but you do need a template because you are
constructing the logfile names dynamically.

The man page sections on "Property-Based Filters" and "Available
Properties" will explain the rule.

I also had to configure my routers to send these entries with
"mikrotik" in them, but that is a different problem.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer