[rsyslog-notify] Forum Thread: Re: OMUDPSPOOF and libnet error - (Mode 'reply')
noreply at adiscon.com
Tue Apr 1 16:30:15 CEST 2014
User: TomG
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24459#p24459
Message:
----------
Thanks for the suggestion.
I am using a straight out of the box rsyslog.conf. Here are the $ commands:
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#$ActionFileEnableSync on
$IncludeConfig /etc/rsyslog.d/*.conf
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
...there is nothing in /etc/rsyslogd/*.conf
I added this to the end of rsyslog.conf. The only "drop" I see is to drop
the last LineFeed char (I think).
module(load="omudpspoof")
template(name="asa-spoof" type="string" string="%rawmsg%")
# Forward logs from EQ ASA Firewall to HQ SolarWinds
if $source == "<hostname>" then action(type="omudpspoof" target="xxx.xxx.local" template="asa-spoof")
template(name="TraditionalFileFormat" type="string" \
string= "%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")
template(name="HostLogsDaily" type="string" \
string="/var/log/syslog_data/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%/messages.log")
#
action (type="omfile" \
DynaFIle="HostLogsDaily" \
template = "TraditionalFileFormat")