Problems with rsyslog logging to a remote sysklogd server

Debian Lenny now defaults to rsyslog instead of sysklog. rsyslog has some nice features, and for running vservers it's really helpful that the kernel logging component (which can be easily turned off in the config file) doesn't hang the virtual machine when starting like klogd would.

Unfortunately, if you use it to log remotely to a sysklog server, you'll get the hostname twice in every line (or actually the reverse DNS lookup name followed by the hostname). This is because of a "difference in opinion" between sysklog and rsyslog about what information should be sent across the wire. Even worse, if you use logcheck on the sysklog side, none of your rules will work anymore, since none of them expect double hostnames.

Fortunately rsyslog allows you to define "templates" which you can use to format the output. So we can use a template to format the lines we're going to send to the remote logger. (This is all in the "/usr/share/doc/rsyslog/README.Debian" file that comes with rsyslog, if you happen to think to look there. It took me 5+ hours before I got around to searching that!) :-)

To fix the problem, in "/etc/rsyslog.conf" create the following template line.
$template sysklogd,"<%PRI%>%TIMESTAMP% %syslogtag%%msg%"

This is the same as the default template, but with the hostname removed (since sysklog will supply it). Then later in the file (it has to be later - templates have to be defined before you can use them) you just append ";sysklogd" to your line to log to the remote logging server.

In our case we're logging to IP address "192.168.15.1", so we create the line
*.*     @192.168.15.1;sysklogd

The "*.*     @192.168.15.1" is the same as it would be in "syslog.conf" - it tells the logger to send everything to another server (which is presumably listening) at IP address "192.168.15.1". The ";sysklogd" at the end of the line tells rsyslog what template to use when it sends the data. (If you don't specify a template, you get the default).
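To make the doubled-hostname effect concrete, here is a small Python model (added illustration, not rsyslog's or sysklogd's own code) that expands the two templates above for one constructed event, then mimics what the sysklogd receiver writes to disk: it drops the <PRI>, keeps the timestamp, and inserts the reverse-DNS name it resolved for the sending IP, as the post describes. It also runs a logcheck-style rule over both results to show why the rules stop matching with the default template. The event values, the sender name "web01.example.net" and the rule are all made up for the demo; the receiver model only follows the post's description of sysklogd behaviour.

```python
"""Model of what rsyslog puts on the wire and what a sysklogd receiver writes.

Constructed illustration, not rsyslog/sysklogd code. Template expansion covers
only the properties used in the post (%PRI%, %TIMESTAMP%, %HOSTNAME%,
%syslogtag%, %msg%); the receiver model assumes sysklogd prepends the name it
resolved for the sending host to everything after the timestamp.
"""
import re

# One constructed event as rsyslog would see it. %msg% keeps its leading
# space in rsyslog, which is why the template has no space in "%syslogtag%%msg%".
EVENT = {
    "PRI": "30",                      # facility daemon (3) * 8 + severity info (6)
    "TIMESTAMP": "Oct  2 13:37:00",
    "HOSTNAME": "web01",              # name the sender knows itself by
    "syslogtag": "cron[1234]:",
    "msg": " (root) CMD (run-parts /etc/cron.hourly)",
}

# rsyslog's stock forwarding format versus the template from the post.
DEFAULT_TEMPLATE = "<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
SYSKLOGD_TEMPLATE = "<%PRI%>%TIMESTAMP% %syslogtag%%msg%"

# Name the receiver resolves for the sender's IP (constructed).
SENDER_REVERSE_DNS = "web01.example.net"

# A rule in the style logcheck uses, written in Python regex syntax
# (logcheck itself uses egrep; [._[:alnum:]-]+ becomes [\w.-]+ here).
LOGCHECK_STYLE_RULE = re.compile(
    r"^\w{3} [ :0-9]{11} [\w.-]+ cron\[[0-9]+\]: \(root\) CMD \(.*\)$"
)


def render(template: str, event: dict) -> str:
    """Expand %property% placeholders the way rsyslog's template engine would."""
    def sub(match):
        name = match.group(1)
        if name not in event:
            raise KeyError(f"unknown rsyslog property {name}")
        return event[name]
    return re.sub(r"%([A-Za-z]+)%", sub, template)


def sysklogd_receive(wire: str, sender_name: str) -> str:
    """Model of the sysklogd side: strip <PRI>, keep the timestamp, and insert
    the sender's resolved name before the rest of the datagram (assumption
    taken from the post's description, not from sysklogd source)."""
    m = re.match(r"<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (.*)$", wire, re.S)
    if not m:
        raise ValueError("not a BSD-style syslog datagram")
    _pri, timestamp, rest = m.groups()
    return f"{timestamp} {sender_name} {rest}"


def forwarded_line(template: str, event: dict, sender_name: str) -> str:
    """What ends up in the remote log for one event under a given template."""
    return sysklogd_receive(render(template, event), sender_name)


def matches_rule(line: str) -> bool:
    """Would the logcheck-style rule above filter this line out?"""
    return LOGCHECK_STYLE_RULE.match(line) is not None


if __name__ == "__main__":
    for label, template in (("default", DEFAULT_TEMPLATE), ("sysklogd", SYSKLOGD_TEMPLATE)):
        line = forwarded_line(template, EVENT, SENDER_REVERSE_DNS)
        print(f"{label:9s} wire : {render(template, EVENT)}")
        print(f"{label:9s} disk : {line}")
        print(f"{label:9s} rule : {'matches' if matches_rule(line) else 'NO MATCH'}")
```

With the default template the remote line reads "... web01.example.net web01 cron[1234]: ..." (resolved name, then the sender's own hostname), and the rule fails because it expects exactly one hostname field; with the ";sysklogd" template the line carries only the receiver's resolved name and the rule matches.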

Since we only specify this template for the remote logging, we get the "normal" rsyslog format in our local logs but then the "normal" sysklog format in the remote logs. Logcheck works, and I don't have to read through 2000k of logcheck emails as EVERY line from the new Debian hosts' logs gets matched by logcheck. Win-Win. :-)