[rsyslog-notify] Forum Thread: Cannot forward data received to another rsyslog server - (Mode 'post')

noreply at adiscon.com noreply at adiscon.com
Thu Aug 7 04:27:01 CEST 2014 

User: aaa123 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24804#p24804

Message: 
----------
Hello,
My setup:
 -Many endpoints whose monitored files are tagged various prefixes such as
XYZ_* etc...), ABC_*, etc..for easier identification.
 -rsyslog server1 receives logs from all endpoints perfectly fine.

Now, I want to split some data out.  I want only the logs with XYZ_* prefix
to be immediately forwarded again to a new server, server2.  The rest can
stay in server1.  Please note that I could have sent such log directly to
server2 directly, but that is not the scenario I want.  I want all logs to
go through server1, and  logs with prefix XYZ must make its next journey to
 server2.

Problem: I don't see any log with XYZ_* forwarded to server2 at all.   In
fact, all logs from server1 actually being forwarded to server2, which is
not what I want. 

1. My rsyslog.conf for server1 looks like this and none works
[code:1kmdw2sc]
template(name="xyzTargetServer" type="list") {
                property(name="programname")
                constant(value="XYZ_")
        }

action(type="omfwd"
        Target="11.22.33.333"                 # 2ndary rsyslog
server
        Port="10514"                            # tcp port of remote server
        Protocol="tcp"                          # use tcp
        Template="xyzTargetServer"           # template to send all logs
with previx XYZ_ to a remote server
        )

[/code:1kmdw2sc]

or

[code:1kmdw2sc]
if $programname startswith 'XYZ_' then @@
11.22.33.333:10514
&~
[/code:1kmdw2sc]

2. my rsyslog.conf for server2 looks like this
[code:1kmdw2sc]
template (name="xyzLocalFileOutput" type="string" ) {
                        string="/opt/data/xyz/%fromhost-ip%/syslog.log"
  # Ideally, I want to retain the original IP of the endpoints whose
contents starting with XYZ_prefix.

        }
action(type="omfile" dynaFile="xyzLocalFileOutput"
name="xyzLocalFileOutput" dynaFileCacheSize="200")

[/code:1kmdw2sc]

When restarting rsyslog service, I expect to see /opt/data/xyz/<the ip of
each endpoint that has logs with prefix XYZ>

I appreciate if anyone sees any mistake I made in the below code fragment
and please point that out.  Thank you!
H.

More information about the rsyslog-notify mailing list