[rsyslog] forwarding for a specific host (secondary destination based on sender)

Don M Subscriptions donmrdch.subscriptions at gmail.com
Wed Sep 20 19:48:37 CEST 2017


Thank you.
On 9/20/2017 1:28 PM, Andrew Griffin wrote:
> You can do this pretty easily by having a ruleset with two actions in 
> it, e.g:
>
> ruleset ( name = "dupe_logs" ) {
>      action (
>           name = "send_to_file"
>           type  = "omfile"
>           file = "/logs/mylog.log"
>      )
>      action (
>           name = "send_to_other_log_collector"
>           type  = "omfwd"
>           target = "my_collector.mybusiness.com"
>           port = "12345"
>      )
> }
>
> *Andrew Griffin*
> Apple
> ETS / Integration Services
> 1 Infinite Loop, 175-DR
> Cupertino, CA 95014, USA
> Office 408-783-8348
> iPhone 916-897-4335
> andrew_griffin at apple.com
>
>
>> On Sep 20, 2017, at 8:45 AM, Don M Subscriptions via rsyslog 
>> <rsyslog at lists.adiscon.com> wrote:
>>
>> Greetings.
>>
>> We have a firewall and some other sources sending data to our syslog 
>> server and we would like to forward the original message from one of 
>> the input sources to a supplemental log collector. In other words, I 
>> would like to take logs from 192.168.1.1 and send it to two destinations.
>>
>> Googling this tends to get articles on basic setup.
>>
>> I'd imagine that I need a "from host" type of a test in an if 
>> statement, and send it within a set of curly braces?
>>
>> Thanks in advance for help.
>>
>> -- 
>> -----
>>
>>    Don Murdoch, Director, Security Services @ SLAIT
>>    Book site: www.blueteamhandbook.com
>>
>

-- 
-----

     Don Murdoch, Director, Security Services @ SLAIT
     Book site: www.blueteamhandbook.com
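
Added example, not part of the original thread and not code from either poster: the two-action ruleset from the reply combined with the sender test asked about in the question, so every message is written locally and only messages from 192.168.1.1 are also forwarded. The UDP input on port 514, the TCP transport, the spool directory, the queue file name and the template name are assumptions; the file path, collector host and port are the ones used in the reply.

```rsyslog
# Assumed spool directory for the disk-assisted queue below.
global(workDirectory="/var/spool/rsyslog")

# Assumed input: plain UDP syslog on 514, bound to the ruleset.
module(load="imudp")
input(type="imudp" port="514" ruleset="dupe_logs")

# Pass the message through exactly as received instead of
# re-formatting it with the default forwarding template.
template(name="raw_fwd" type="string" string="%rawmsg%")

ruleset(name="dupe_logs") {
    # Every sender: keep the local copy.
    action(
        name="send_to_file"
        type="omfile"
        file="/logs/mylog.log"
    )

    # Only the one sender: second copy to the other collector.
    # $fromhost-ip is the address rsyslog received the message from,
    # so it does not depend on the hostname field inside the message.
    if $fromhost-ip == '192.168.1.1' then {
        action(
            name="send_to_other_log_collector"
            type="omfwd"
            target="my_collector.mybusiness.com"
            port="12345"
            protocol="tcp"
            template="raw_fwd"
            # Own queue: if the collector is down, messages are
            # buffered (spilling to disk) and local logging above
            # is not held up.
            queue.type="LinkedList"
            queue.filename="fwd_collector"
            queue.saveOnShutdown="on"
            action.resumeRetryCount="-1"
        )
    }
}
```

The file can be checked before a restart with rsyslogd -N1 -f <file>. If the firewall's messages pass through a relay first, $fromhost-ip is the relay's address, not 192.168.1.1.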


