I am trying to configure rsyslog (Ubuntu 12.04 Server) to log events from a router. I found this old ubuntu forum post which got me most of the way there.

So far I am able to get the events logged from the router. However since I don't them logged in /var/log/syslog I am trying to set up a working filter in /etc/rsyslog.conf to put the logged events in /var/log/linksys.log. This is where I am having trouble.

• First I tried filtering by the router ip address like this:

  
  
  

  :fromhost-ip, isequal, "192.168.2.1" /var/log/linksys.log
  
  & ~
  
  

  
  
  

  This successfully redirects the logs as I wanted, the only problem is now I am not getting any SSHD logs in auth.log. Needless to say this is not acceptable.




• Next I tried filtering by the router name which appears in every event log:

  
  
  

  :msg,contains, "RV042" /var/log/linksys.log
  
  & ~
  
  

  
  
  

  Although this neither logs or blocks anything.

So I am stumped. I have no idea why SSHD is getting filtered with the :fromhost-ip filter. SSHD is local on the machine with rsyslog (192.168.2.2). I am thoroughly frustrated by this, any suggestions are much appreciated.