Need Help with Rsyslog Forwarding Configuration

Asked By CleverOtter93 On

I'm working with RHEL 10 and trying to set up rsyslog to forward specific log files to a central server. The files I'm focusing on are /var/log/messages, /var/log/sssd.log, /var/log/secure, and /var/log/cron. However, it seems like I'm getting a lot of unwanted logs instead of the ones I specified. For instance, I'm seeing logs like '(atd).log' and 'kernel.log' that I don't want. Additionally, I'm getting some errors, such as messages being dropped due to rate-limiting on the recipient side, and warnings about deprecated configurations on the forwarder side. Does anyone have suggestions on how to fix this?

1 Answer

Answered By SassyTurtle85 On

It sounds like the issue might be with how your receiving side is set up. Since you're using a dynamic file template that includes program names, it’s likely parsing each incoming log according to its originating program, which explains the extra logs you're seeing. Try checking for specific log lines in your /var/log/sssd.log and grep through your recipient log path for those parsed names. You might find your intended logs hidden in those extra files!

CuriousRaccoon32 -

Got it! Just one quick question: do you forward /var/log/messages from all your servers? I think it could be useful, but I'm worried about logrotate handling it so the logs don't fill up my servers.
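
Added example, not taken from the thread or from either poster's configuration: a receiver-side rsyslog configuration showing the per-program dynamic file template the answer describes (commented out) beside a ruleset that writes each host's traffic back into messages, secure, cron and sssd.log. The ruleset and template names, the /var/log/remote directory, TCP port 514 and the 'sssd' program-name match are assumptions.

```conf
# /etc/rsyslog.d/remote.conf on the central server (constructed example).
# Assumed: ruleset "remote", template names, /var/log/remote, TCP port 514.

module(load="imtcp")
# Binding the input to its own ruleset keeps remote traffic out of the
# server's local /var/log/messages, /var/log/secure and so on.
input(type="imtcp" port="514" ruleset="remote")

# The pattern the answer describes: one file per sending program, which is
# what produces names like kernel.log on the receiver.
# template(name="PerProgram" type="string"
#          string="/var/log/remote/%hostname%/%programname%.log")

# Alternative: one template per target file, keyed only on the sender.
# %hostname% is taken from the message itself, so the sender chooses it;
# %fromhost-ip% comes from the connection and can be used instead.
template(name="HostMessages" type="string"
         string="/var/log/remote/%hostname%/messages")
template(name="HostSecure" type="string"
         string="/var/log/remote/%hostname%/secure")
template(name="HostCron" type="string"
         string="/var/log/remote/%hostname%/cron")
template(name="HostSssd" type="string"
         string="/var/log/remote/%hostname%/sssd.log")

ruleset(name="remote") {
    # Assumption: sssd lines arrive with a program name starting "sssd".
    if $programname startswith 'sssd' then {
        action(type="omfile" dynaFile="HostSssd")
        stop
    }
    # Facility routing mirrors the stock RHEL rules for secure and cron.
    if $syslogfacility-text == 'authpriv' then {
        action(type="omfile" dynaFile="HostSecure")
        stop
    }
    if $syslogfacility-text == 'cron' then {
        action(type="omfile" dynaFile="HostCron")
        stop
    }
    # Everything else, kernel messages included, lands in messages.
    action(type="omfile" dynaFile="HostMessages")
}
```

Running `rsyslogd -N1` checks the configuration syntax before the service is restarted.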
