[rsyslog] Help with configuring rsyslog
david at lang.hm
Fri Jun 19 22:14:16 CEST 2009
On Fri, 19 Jun 2009, Alex Samad wrote:
> I have a syslog line that looks like this
>
> Jun 18 10:35:53 Thu Jun 18 10:42:37 2009 dlink-dir-855 System Log:
> Stored configuration to non-volatile memory
>
> notice the double date stamps, and it seems like I should be able to
> rectify this with rsyslog, but I am not sure how.
>
> I have had a quick look at the doco and the wiki, but there aren't any
> examples of replacing/reformatting from specific hosts
>
> note the above line is from a dlink dir-855 router/access point
>
> I also have these
> Jun 18 10:55:00 127.0.0.1 time="2009-06-18 10:55:00" msg="LOGIN User
> logged in on TELNET (192.168.1.100)"
>
> from a speedtouch 546v6 that I need to munge.
>
> Any pointers or working examples would be helpful
I think that the key approach to do this is to create additional formats
and then do conditional logging,
something like the following pseudocode:
# rsyslog property-based filters; CustomFormat1 and StandardFormat are $template names
:fromhost-ip, isequal, "1.1.1.1"   /var/log/messages;CustomFormat1
:fromhost-ip, !isequal, "1.1.1.1"  /var/log/messages;StandardFormat
the first issue is to figure out how to filter the different messages
separate from each other.
depending on how badly the message is malformed on the wire this may be
hard to do. if you do not go through any relay servers you can filter
based on the source IP of the connection to rsyslog.
after you get the different logs filtered from each other you can figure
out how to reformat each type of message.
hopefully the 'odd' messages only come from a small number of sources so
that you can do conditionals for the specific sources reasonably. (rsyslog
doesn't currently have a mechanism to effectively do table lookups)
I hope this helps.
David Lang
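A worked rsyslog.conf fragment for the two devices in the question, added here as an example; it is not part of David's reply or of the rsyslog project's own documentation. It assumes the DIR-855 sends from 192.168.1.1 and the Speedtouch from 192.168.1.254 (both made-up addresses), a UDP listener on port 514, and an rsyslog built with regex support for the property replacer's extended R,ERE option. The two sample lines are the ones Alex quoted; the template names and the /var/log/devices.log path are invented for the example. The legacy $template and filter syntax shown is still accepted by current rsyslog versions.

```conf
# Added example, not from the original thread.  Assumed (made-up) addresses:
#   192.168.1.1    the D-Link DIR-855
#   192.168.1.254  the Speedtouch 546v6
# Anything not matching one of those source addresses falls through to
# the normal catch-all rule at the bottom.

$ModLoad imudp
$UDPServerRun 514

# DIR-855: the body carries the device's own timestamp in front of the
# real text, which is what produced the doubled date in the file:
#   Jun 18 10:35:53 Thu Jun 18 10:42:37 2009 dlink-dir-855 System Log: Stored configuration to non-volatile memory
# Work on %rawmsg% (the packet exactly as received) rather than %msg%,
# since it is not known how rsyslog's header parser split such a line
# into hostname/tag/msg.  Submatch 1 is everything after the embedded
# "Thu Jun 18 10:42:37 2009"; FIELD means a line that does not match is
# logged unchanged instead of being replaced by "**NO MATCH**".
$template DlinkFormat,"%timegenerated% %fromhost-ip% %rawmsg:R,ERE,1,FIELD:[A-Z][a-z]{2} [A-Z][a-z]{2} +[0-9]{1,2} [0-9:]{8} [0-9]{4} (.*)$--end%\n"

# Speedtouch: it shows up with 127.0.0.1 in the hostname column and
# repeats the time inside the message:
#   Jun 18 10:55:00 127.0.0.1 time="2009-06-18 10:55:00" msg="LOGIN User logged in on TELNET (192.168.1.100)"
# Keep just the msg=... part, tagged with the address the packet really
# came from.
$template SpeedtouchFormat,"%timegenerated% %fromhost-ip% %rawmsg:R,ERE,1,FIELD:msg=(.*)--end%\n"

# Filter on the source address of the datagram, not on the HOSTNAME
# field: everything inside the packet is whatever the device (or anyone
# able to reach port 514) chose to put there.  "& ~" discards the message
# after the preceding action so the catch-all rule does not log it again.
:fromhost-ip, isequal, "192.168.1.1"    /var/log/devices.log;DlinkFormat
& ~
:fromhost-ip, isequal, "192.168.1.254"  /var/log/devices.log;SpeedtouchFormat
& ~

# Everything else in the usual format
*.*  /var/log/messages;RSYSLOG_TraditionalFileFormat
```

Check the syntax with `rsyslogd -N1` before restarting. Two caveats a practitioner should keep in mind: with UDP input the source address is whatever the sender wrote in the IP header, so filtering on fromhost-ip only keeps honest devices apart, not an attacker on the LAN; and, as David notes, if the messages pass through a relay, fromhost-ip will be the relay's address and this approach no longer separates the devices. Newer rsyslog releases warn that `~` is deprecated in favour of `stop`, but still accept it.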