[rsyslog] Central loghost using RHEL5.2 rsyslog
Rainer Gerhards
rgerhards at hq.adiscon.com
Thu Jun 5 17:15:34 CEST 2008
I have no config but at least some quick ideas.
Organize the config file as such:
General settings (like $ModLoad) should go first.
Then, actions that should always happen should come first.
At the bottom of the file should be actions that occur only once.
Use the discard action ~ (tilde) to get rid of those messages that you
already processed and no longer need to care about.
A quick sample might be this (just with files, but I hope it gets the
idea):
*.* /file-always
*.info /file-info
*.info ~ # discard these messages - end of processing for them
*.* /file-all-but-info
*.err /file-err
*.err ~ # get rid of err
*.* /file-all-but-info-err
I think this will get you a bit further. In v3, we already have a better
way of doing things, but the ultimate solution will be implemented in
the coming weeks (full scripting). I understand this is not of help
here, but I thought I'd mention it.
Rainer
> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Kielek, Samuel
> Sent: Thursday, June 05, 2008 4:56 PM
> To: rsyslog at lists.adiscon.com
> Subject: [rsyslog] Central loghost using RHEL5.2 rsyslog
>
> I'm trying to set up a central loghost (UDP and TCP) using the version
> included in RHEL. I've come up with several partially working
> configs but none work exactly as I need.
>
> As of RHEL 5.2 rsyslog is now included, which is great news. Here's the
> version:
>
>
> $ rpm -q rsyslog
> rsyslog-2.0.0-11.el5
>
> $ /sbin/rsyslogd -v
> rsyslogd 2.0.0, compiled with:
> FEATURE_PTHREADS (dual-threading): Yes
> FEATURE_REGEXP: Yes
> FEATURE_LARGEFILE: Yes
> FEATURE_NETZIP (message compression): Yes
> SYSLOG_INET (Internet/remote support): Yes
> FEATURE_GSSAPI (GSSAPI Kerberos 5 support): No
> FEATURE_DEBUG (debug build, slow code): No
>
> See http://www.rsyslog.com for more information.
>
>
>
> In a nutshell, here's what I need my config to have:
>
> 1.) TCP and UDP logging
>
> 2.) Local messages from the loghost itself go to /var/log/...
>
> 3.) Remote messages go to /syslog/YYYY/MM/DD/HOSTNAME/...
>
> 4.) Additionally, I have several logs that are matched on the message
> content and go into separate log files.
>
> 5.) All messages go into a named pipe (which a 3rd party security tool
> reads from and analyzes the data)
>
> From the above, numbers 2, 3 and 4 are the ones I'm having trouble
> with. Individually I can make each work but getting them all working in
> harmony has been a bit of a battle... I want to avoid duplicate logging
> so that the local loghost logs are in /var and remote logs in /syslog.
> Additionally, the messages that are matched on their content I want to
> ONLY show up in the files designated for them. However, the named pipe
> should get everything.
>
> If anyone has a similar config for this version of rsyslog that they
> could share I'd appreciate it immensely.
>
> Thanks,
> Sam
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
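Added example, not part of the original thread: one legacy-syntax rsyslog 2.0 layout that applies Rainer's ordering (always-actions first, then write-and-discard with ~) to Sam's five requirements. The hostname "loghost", the pipe path and the match strings are constructed placeholders; the facility rules at the bottom are the stock RHEL 5 ones.

```conf
# Added example, not from the original thread: a legacy-syntax layout
# for RHEL 5.2 rsyslog 2.0 following Rainer's ordering (always-actions
# first, then write-and-discard) against Sam's five requirements.
# "loghost", the pipe path and the match strings are constructed
# placeholders. UDP/TCP reception (requirement 1) is switched on with
# -r514 -t514 in SYSLOGD_OPTIONS (/etc/sysconfig/rsyslog), not here.

# Requirement 3: /syslog/YYYY/MM/DD/HOSTNAME/messages. Year, month and
# day are substrings (1-based, inclusive) of the RFC 3339 timestamp.
$template RemoteFile,"/syslog/%timegenerated:1:4:date-rfc3339%/%timegenerated:6:7:date-rfc3339%/%timegenerated:9:10:date-rfc3339%/%HOSTNAME%/messages"

# Requirement 5 comes first, so no discard below can hide a message
# from the security tool reading the named pipe.
*.*                                        |/var/run/sectool.pipe

# Requirement 4: content matches go ONLY to their own file. The tilde
# line repeats the same filter and ends processing for those messages.
:msg, contains, "Failed password"          /var/log/auth-failures.log
:msg, contains, "Failed password"          ~
:msg, contains, "DHCPACK"                  /var/log/dhcp.log
:msg, contains, "DHCPACK"                  ~

# Requirement 3: anything not sent by the loghost itself is remote.
# "loghost" must equal what rsyslog reports as fromhost for locally
# generated messages (verify with a test template using %fromhost%).
:fromhost, !isequal, "loghost"             ?RemoteFile
:fromhost, !isequal, "loghost"             ~

# Requirement 2: only local messages reach this point, so the stock
# RHEL facility rules can stay as they are and nothing is duplicated.
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     -/var/log/maillog
cron.*                                     /var/log/cron
```

Because every discard sits directly under the write it belongs to, adding a new content-matched log is a two-line change in the middle block, and the pipe and the local/remote split are unaffected.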