How to log fpscand output to a different log file with rsyslogd
Posted by Oliver Schneider on 24/02/2012 14:31
It may often be desirable to log the output of the F-PROT Antivirus daemon scanner (fpscand) into a separate file or even a number of files. In order to achieve that, we can use the versatile configuration options of rsyslogd.
There are two ways of logging into a separate file: editing /etc/rsyslog.conf directly, or putting a .conf file into the folder /etc/rsyslog.d, which rsyslog.conf includes in lexical (sorted) order, so a numeric prefix on the file name decides where in the overall configuration it gets loaded. Both use the exact same syntax, so the only difference is which file you edit.
Note: this should work on most modern Linux systems and any other Unix-like system that has rsyslogd installed. The system on which this was tested used rsyslogd 5.8.1. The supported configuration options and syntax differ between rsyslogd versions; in particular, rsyslogd 7 and later deprecate the discard action "~" shown below in favour of "stop". Consult the rsyslogd documentation for your version in case of doubt.
On our system we have the following configuration files:
$ ls /etc/rsyslog.*
/etc/rsyslog.conf

/etc/rsyslog.d:
20-ufw.conf  50-default.conf
So let us add a ruleset for fpscand before the default rules (the prefix 01 makes it sort, and therefore load, before 50-default.conf) by invoking our favorite editor as super-user (root) by means of sudo or under a root shell. For me that's: $ sudo vim /etc/rsyslog.d/01-fpscand.conf. Now insert the following two lines:
if $programname == 'fpscand' then /var/log/fpscand.log
if $programname == 'fpscand' then ~
The syntax is pretty straightforward, as you can see. The first line checks whether the program sending the log line is named fpscand and, if so, writes the line to the file /var/log/fpscand.log. The second line discards the message, which ensures that the same output doesn't also get sent to other log files such as the default log file (usually /var/log/syslog). Note that the discard only affects rules that come after it, which is why this file has to load before the default rules. If you would like to still see the output in the syslog, don't add the second line or comment it out with the usual hash mark (#).
When done, we need to restart the rsyslogd daemon. The commands for this will vary, but usually it will be one of the following: sudo service rsyslog restart or sudo /etc/init.d/rsyslog restart. Depending on your configuration the init scripts on your system may also accept the option reload instead of restart, which is generally slightly faster and less invasive. Before restarting, a configuration check with sudo rsyslogd -N1 (supported by recent rsyslogd versions, including 5.8) reports syntax errors without starting the daemon, so a typo cannot leave you without logging.
From this point on the log messages will go into /var/log/fpscand.log. Feel free to alter the file names at will. rsyslogd creates the new file with the owner, group and mode set by $FileOwner, $FileGroup and $FileCreateMode in your rsyslog.conf, so check that these match what the default logs use, and add the new file to your logrotate configuration, since nothing else will rotate it. It is also possible to split the messages according to their log level. Syslog severities are numbered 0 (emerg) to 7 (debug), so the following keeps warning and more severe messages in fpscand.log and sends notice, info and debug messages to a separate file:
if $programname == 'fpscand' and $syslogseverity <= '4' then /var/log/fpscand.log
if $programname == 'fpscand' and $syslogseverity > '4' then /var/log/fpscand-debug.log
if $programname == 'fpscand' then ~
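As an added example (not code from the original article or from F-PROT), the following shell script carries the procedure above through end to end: it writes the severity-split ruleset to /etc/rsyslog.d/01-fpscand.conf, checks that the fragment will sort before 50-default.conf so the discard rule works, validates the configuration with rsyslogd -N1, restarts the daemon and then uses logger -t fpscand to inject one warning and one info message, confirming that each lands in the expected file and that neither reaches /var/log/syslog. The function names, the FPSCAND_LIVE_TEST switch and the Debian/Ubuntu paths (/var/log/syslog, the service commands) are this example's assumptions; it needs sudo, rsyslogd and logger(1) on the host.

```shell
#!/bin/sh
# Added example, not part of the original F-PROT article. Installs the
# severity-split ruleset from the article, checks its load order, validates
# and restarts rsyslogd, then verifies routing with tagged test messages.
# Function names are this example's own; paths are the ones the article uses.

RSYSLOG_D=/etc/rsyslog.d
FRAGMENT="$RSYSLOG_D/01-fpscand.conf"
DEFAULT_RULES="$RSYSLOG_D/50-default.conf"

# The ruleset from the article. Syslog severities are numbered 0 (emerg) to
# 7 (debug), so "<= 4" keeps emerg..warning and "> 4" catches notice, info, debug.
fpscand_rules() {
    cat <<'EOF'
if $programname == 'fpscand' and $syslogseverity <= '4' then /var/log/fpscand.log
if $programname == 'fpscand' and $syslogseverity > '4' then /var/log/fpscand-debug.log
if $programname == 'fpscand' then ~
EOF
}

# The discard rule only stops rules that come after it, and rsyslog.conf pulls
# in /etc/rsyslog.d/*.conf in sorted order, so the fragment must sort before
# the default rules file. Returns 0 when it does.
loads_before() {  # loads_before FRAGMENT_PATH DEFAULT_PATH
    first=$(printf '%s\n%s\n' "$(basename "$1")" "$(basename "$2")" | LC_ALL=C sort | head -n 1)
    [ "$first" = "$(basename "$1")" ]
}

# Which file a message with numeric severity $1 ends up in under the split
# ruleset; mirrors the conditions above so the live test knows where to look.
target_for_severity() {
    if [ "$1" -le 4 ]; then
        echo /var/log/fpscand.log
    else
        echo /var/log/fpscand-debug.log
    fi
}

# Live part: needs root via sudo, rsyslogd and logger on the host.
install_and_test() {
    loads_before "$FRAGMENT" "$DEFAULT_RULES" || {
        echo "$FRAGMENT would load after $DEFAULT_RULES; the discard rule would not work" >&2
        return 1
    }
    fpscand_rules | sudo tee "$FRAGMENT" >/dev/null
    sudo rsyslogd -N1 || return 1                  # syntax check only, daemon is not started
    sudo service rsyslog restart || sudo /etc/init.d/rsyslog restart || return 1
    marker="fpscand-logtest-$$"
    logger -t fpscand -p daemon.warning "$marker warning"   # severity 4 -> fpscand.log
    logger -t fpscand -p daemon.info    "$marker info"      # severity 6 -> fpscand-debug.log
    sleep 1
    sudo grep -q "$marker warning" "$(target_for_severity 4)" || return 1
    sudo grep -q "$marker info"    "$(target_for_severity 6)" || return 1
    # The discard rule must keep both lines out of the default log.
    ! sudo grep -q "$marker" /var/log/syslog
}

# Only touch the system when explicitly asked: FPSCAND_LIVE_TEST=1 sh ./fpscand-log.sh
if [ "${FPSCAND_LIVE_TEST:-0}" = 1 ]; then
    install_and_test && echo "fpscand messages are routed as expected"
fi
```

The logger calls are the useful part for a quick check even without the script: logger -t fpscand sets the syslog tag that rsyslogd exposes as $programname, and -p daemon.warning or -p daemon.info picks the severity, so you can exercise each branch of the ruleset without waiting for the scanner to log something.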
Please contact our support team if you have further questions or remarks.