rsyslog config for network devices


In a network environment, Cisco devices can be configured to send their syslog messages to a central syslog server. Ubuntu (10.04 LTS) has rsyslog as its default syslog package, and I had some trouble creating a working config due to a nasty bug in rsyslog. Here is a cookbook to work around it:

1. Create /etc/rsyslog.d/10-network_syslog.conf:

```
# 10-network_syslog.conf
#
# fix bug, see http://www.gossamer-threads.com/lists/rsyslog/users/2620
# and https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/484336
$PrivDropToGroup adm

# templates
$template PerHostLog,"/var/log/network/%HOSTNAME%/%$YEAR%.%$MONTH%.%$DAY%.log"

# what comes from remote goes to per-host log files
$RuleSet remote
*.* ?PerHostLog
& ~

# switch back so that later files in /etc/rsyslog.d/ are not added to "remote"
$RuleSet RSYSLOG_DefaultRuleset

# listen on 514/UDP; the ruleset must exist and be bound before the listener starts
$ModLoad imudp
$InputUDPServerBindRuleset remote
$UDPServerRun 514
```

2. Restart the daemon:

sudo service rsyslog restart

Note: this is for Ubuntu 10.04 only. On 12.04, the bug is gone and the specific listen commands are most probably not needed; it is best to check on your own instance.
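
A hardened variant of the file from step 1, added here as an example and not part of the original post: %HOSTNAME% is parsed from the message text, while %FROMHOST-IP% is the address rsyslog received the datagram from, so the latter is the safer key for a directory name. The listener address 192.0.2.10, the device subnet 192.0.2.0/24 and the template name PerSourceLog are assumptions to replace with your own values.

```conf
# 10-network_syslog.conf (hardened variant; added example, not the original post's file)
# Assumed values, replace with your own:
#   192.0.2.10    address of the collector interface facing the devices
#   192.0.2.0/24  management subnet the devices send from

# workaround from the original post
$PrivDropToGroup adm

$ModLoad imudp

# drop datagrams from sources outside the device subnet
$AllowedSender UDP, 192.0.2.0/24

# name the directory after the address the datagram came from,
# not after the hostname field inside the message
$template PerSourceLog,"/var/log/network/%FROMHOST-IP%/%$YEAR%.%$MONTH%.%$DAY%.log"

# remote messages go to per-source files and stop there
$RuleSet remote
*.* ?PerSourceLog
& ~

# later files in /etc/rsyslog.d/ belong to the default ruleset again
$RuleSet RSYSLOG_DefaultRuleset

# bind to one interface instead of all, attach the ruleset, then start the listener
$UDPServerAddress 192.0.2.10
$InputUDPServerBindRuleset remote
$UDPServerRun 514
```

UDP source addresses can be forged, so $AllowedSender is a filter on what gets written, not authentication of the sending device.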