[rsyslog] forwarding for a specific host (secondary destination based on sender)

Andrew Griffin andrew_griffin at apple.com
Wed Sep 20 19:28:56 CEST 2017

You can do this pretty easily by having a ruleset with two actions in it, e.g:

ruleset ( name = dupe_logs ) {
     action (
          name = "send_to_file"
          type  = "omfile"
          file = "/logs/mylog.log"
     action (
          name = "send_to_other_log_collector"
          type  = "omfwd"
          target = "my_collector.mybusiness.com"
          port = "12345"

Andrew Griffin
ETS / Integration Services
1 Infinite Loop, 175-DR
Cupertino, CA 95014, USA
Office 408-783-8348
iPhone 916-897-4335
andrew_griffin at apple.com

This email and any attachments may be privileged and may contain confidential information intended only for the recipient(s) named above. Any other distribution, forwarding, copying or disclosure of this message is strictly prohibited. If you have received this email in error, please notify me immediately by telephone or return email, and delete this message from your system.

> On Sep 20, 2017, at 8:45 AM, Don M Subscriptions via rsyslog <rsyslog at lists.adiscon.com> wrote:
> Greetings.
> We have a firewall and some other sources sending data to our syslog server and we would like to forward the original message from one of the input sources to a supplemental log collector. In other words, I would like to take logs from and send it to two destinations.
> Googling this tends to get articles on basic setup.
> I'd imagine that I need a "fron host" type of a test in an if statement, and send it within a set of curly braces?
> Thanks in advance for help.
> -- 
> -----
>    Don Murdoch, Director, Security Services @ SLAIT
>    Book site: www.blueteamhandbook.com
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3391 bytes
Desc: not available
URL: <http://lists.adiscon.net/pipermail/rsyslog/attachments/20170920/4d4eb60d/attachment.bin>

More information about the rsyslog mailing list