Syslogd to process logs for multiple hosts

The documentation says /etc/syslog.conf can allow for multiple hostname entries per line separated by a comma, or I can drop a .conf in /etc/syslog.d/.

I can see the benefit of the above approach, but I want to allow an entire subnet the ability to use a centralized syslog server. Based on what I've read, this is only possible if I add a configuration option for each host in the subnet, i.e.:

Code:
+192.168.1.1
*.*                        /var/log/subnet.log
+192.168.1.2
*.*                        /var/log/subnet.log
+192.168.1.3
*.*                        /var/log/subnet.log

Is there a way I can wildcard the host name? Do something like this?

Code:
+192.168.1.0/24
*.*                        /var/log/subnet.log

Or even better this:

Code:
+.domain.com
*.*                        /var/log/subnet.log
 
Is there a way I can wildcard the host name? Do something like this?
No, because what is happening here is that syslogd doesn't treat these as IP addresses but actual names. As such the wildcard would have no meaning.

But based on your example I also don't understand why you'd need this?

Instead of trying to include dozens of hosts to log onto one file, do the opposite instead: exclude your current host and then only your remote hosts are left to log to the logfile.
Code:
#-mylocalhost
*.*       /var/log/subnet.log
#+*
# from here on your local host is included again
Something like that might also do the trick.

(edit) This is of course assuming that I picked up your example in the right way and that you wanted to use 1 logfile for all your remote hosts. If you want more separation per host then this would become a problem.
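
With the exclusion approach above, every remote sender lands in /var/log/subnet.log, not only the 192.168.1.0/24 hosts from the question. The following is an added example, not code from either poster, that audits such a file and groups senders by whether they fall inside the expected subnet. It assumes the classic "Mon DD HH:MM:SS host tag: message" line layout; the function name `audit_hosts` and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Classic BSD syslog line: "Mon DD HH:MM:SS host tag: message" (assumed layout)
LINE_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\S+)\s")

def audit_hosts(lines, cidr="192.168.1.0/24"):
    """Count lines per sender, split into hosts inside the subnet, hosts
    outside it, and hosts logged by name (not checkable against a CIDR)."""
    net = ipaddress.ip_network(cidr)
    result = {"inside": Counter(), "outside": Counter(), "named": Counter()}
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # e.g. "last message repeated N times"
            continue
        host = m.group(1)
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            result["named"][host] += 1   # syslogd resolved the sender to a name
            continue
        result["inside" if addr in net else "outside"][host] += 1
    result["skipped"] = skipped
    return result

# Constructed sample lines, not taken from a real log.
SAMPLE = [
    "Mar  3 10:15:01 192.168.1.2 sshd[812]: Accepted publickey for admin",
    "Mar  3 10:15:04 192.168.1.3 cron[901]: (root) CMD (newsyslog)",
    "Mar  3 10:15:09 10.9.8.7 app: unexpected sender",
    "Mar  3 10:15:12 printer.domain.com lpd[44]: job queued",
    "Mar  3 10:15:20 192.168.1.2 sshd[812]: session closed",
    "last message repeated 2 times",
]

if __name__ == "__main__":
    report = audit_hosts(SAMPLE)
    for group in ("inside", "outside", "named"):
        for host, count in sorted(report[group].items()):
            print(f"{group:8} {host:24} {count}")
    print("skipped lines:", report["skipped"])
```

To audit a real file, pass an open file object, for example `audit_hosts(open("/var/log/subnet.log"))`.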
 