3

I'm following this tutorial: Using Fail2ban To Block Wrong ISPConfig Logins, but rsyslog won't redirect the output from a file to another:

/etc/rsyslog.d/12-ispconfig.conf:

```
if $programname == 'ispconfig' then /var/log/ispconfig.log #the file exists
```

Despite this line, I keep getting the output to syslog:

```
ispconfig[1117]: Login failed for user asdasd on IP XX.XX.XXX.XX
```

```
-rw-r--r--  1 syslog adm        0 Sep 12 16:13 ispconfig.log
```

Any ideas how to fix this?

w0rldart
  • These may be stupid questions, but do you have `$IncludeConfig /etc/rsyslog.d/*.conf` in `/etc/rsyslog.conf`, and did you restart rsyslog after creating `/etc/rsyslog.d/12-ispconfig.conf`? – Ansgar Wiechers Sep 15 '12 at 09:59
  • @AnsgarWiechers I didn't have the `$IncludeCo....` so I added it at the end of the config file and `invoke-rc.d sysklogd restart` but still no effect – w0rldart Sep 15 '12 at 10:31
  • Just to be sure, try `/etc/init.d/sysklogd stop && /etc/init.d/sysklogd start` instead. Check `/var/log/syslog` for errors or warnings upon `syslogd` startup. – Ansgar Wiechers Sep 15 '12 at 10:59
  • On my Ubuntu server it's `sysklogd`, and I get no error upon any restart – w0rldart Sep 15 '12 at 11:29

2 Answers

3

@w0rldart, in your question you write

> but rsyslog won't redirect the

in another post you write

> ubuntu server its sysklogd

What is true, then?

For rsyslogd it goes like this:

/etc/rsyslog.d/log-all.conf:

```
:programname, isequal, "ispconfig" /var/log/ispconfig.log
# optionally you can clear this from the original to avoid the line being logged twice
:programname, isequal, "ispconfig" ~
```

restart rsyslogd

```
/etc/init.d/rsyslog restart
```

toh
1

Couldn't get @toh's answer to work on Ubuntu 13 - turns out the file has to be called something like 25-ispconfig.conf. It processed log-all.conf, or at least showed errors when I deliberately wrote rubbish in it. It started logging to the new file, but it wouldn't stop logging to syslog as well.

Had to do this in 25-dnsmasq.conf:

```
:programname, contains, "dnsmasq" /var/log/dnsmasq.log
& ~
```

Couldn't make a comment without having 50 rep, so I'm posting an answer.

Just got to work out how to rotate the files now so I don't get huge monster log files growing in my /var/log

Adam
  • The files in /etc/rsyslog.d get executed in collating order, so you need a prefix to get it to execute before other files that may need the log set first, and after files that may set logging differently for a broader class. – Jeff Learman Jul 17 '20 at 12:39
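
An added example, not part of any post in this thread: a shell check for the two failure modes reported above, a drop-in that is read after the distribution's catch-all rules and a filter with no discard action. It assumes the Ubuntu layout where the catch-all rules live in `50-default.conf`, handles only the property-based `:programname` filters used in both answers, and the names `check_dropin` and `demo` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumption: the stock catch-all rules are in 50-default.conf (Ubuntu layout);
# pass a different file name as the third argument if yours differ.

# check_dropin DIR PROGRAM [DEFAULT_FILE]
# Prints "ok|late|no-discard: FILE" or "missing"; returns 0 only for "ok".
check_dropin() (
    LC_ALL=C; export LC_ALL      # byte order, so digits sort before letters
    dir=$1 prog=$2 default=${3:-50-default.conf}
    seen_default=no
    for path in "$dir"/*.conf; do
        [ -f "$path" ] || continue
        name=${path##*/}
        if [ "$name" = "$default" ]; then seen_default=yes; continue; fi
        # Property-based filter on programname that names this program.
        grep -Eq "^:programname,.*\"$prog\"" "$path" || continue
        # The catch-all file was read first, so it already logged the message.
        if [ "$seen_default" = yes ]; then echo "late: $name"; return 1; fi
        # Discard action: "& ~", "& stop", or the filter repeated with ~ / stop.
        if grep -Eq "^(&|:programname,.*\"$prog\")[[:space:]]+(~|stop)[[:space:]]*\$" "$path"; then
            echo "ok: $name"; return 0
        fi
        echo "no-discard: $name"; return 1
    done
    echo "missing"; return 1
)

# Constructed sample layout in a temporary directory (not a real system).
demo() {
    d=$(mktemp -d) || return 1
    printf '*.*;auth,authpriv.none -/var/log/syslog\n' > "$d/50-default.conf"
    printf ':programname, isequal, "ispconfig" /var/log/ispconfig.log\n:programname, isequal, "ispconfig" ~\n' > "$d/log-all.conf"
    printf ':programname, contains, "dnsmasq" /var/log/dnsmasq.log\n& ~\n' > "$d/25-dnsmasq.conf"
    check_dropin "$d" ispconfig || true   # late: log-all.conf
    check_dropin "$d" dnsmasq || true     # ok: 25-dnsmasq.conf
    rm -rf "$d"
}
demo
```

On a real host, run `check_dropin /etc/rsyslog.d ispconfig` after editing, then restart rsyslog and confirm that new failed-login lines reach only the dedicated file that Fail2ban reads.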