[rsyslog-notify] Forum Thread: Re: Sending to file based on last field - (Mode 'reply')
noreply at adiscon.com
Fri Aug 22 02:30:09 CEST 2014
User: dlang
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24859#p24859
Message:
----------
Well, if your relay server is RFC compliant, then it will not change the
hostname from what the originating machine set it to, so you could just
split it based on the hostname (look up dynafile for how to do so).

Another option (needed if your sending hosts don't always format the log
properly) is that your relay servers can fix things up.

One way they can fix things up is that when they relay on to the central
server, they can use a custom template that uses fromhost-ip instead of
hostname, so the IP is in the hostname field.

A more sophisticated way is that the relay server can format the message as
JSON and then it can add whatever variables you want to it (including
things like indicating if this is a dev vs. production network, etc.), and
then the central server can use the JSON variables to split the data.
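
The first two options from the post, sketched as a relay/central rsyslog configuration pair. This is an added example, not part of dlang's post; the target name central.example.net, port 514, the ruleset and template names, and the /var/log/remote path are assumptions.

```rsyslog
# ---- relay server (assumed to receive from the sending hosts over UDP) ----
module(load="imudp")
input(type="imudp" port="514" ruleset="relay")

# Same layout as the built-in RSYSLOG_ForwardFormat, except that the
# hostname field carries fromhost-ip: the address the relay saw the
# message arrive from, not the name the sender wrote into the message.
template(name="FwdFromIP" type="string"
         string="<%pri%>%timestamp:::date-rfc3339% %fromhost-ip% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%")

ruleset(name="relay") {
    # central.example.net is a placeholder for the central server
    action(type="omfwd" target="central.example.net" port="514"
           protocol="tcp" template="FwdFromIP")
}

# ---- central server ----
module(load="imtcp")
input(type="imtcp" port="514" ruleset="split")

# One file per value of the hostname field (dynafile). The
# secpath-replace option turns any "/" in the field into "_", so a
# crafted hostname cannot steer the output path outside /var/log/remote.
template(name="PerHostFile" type="string"
         string="/var/log/remote/%hostname:::secpath-replace%.log")

ruleset(name="split") {
    action(type="omfile" dynaFile="PerHostFile")
}
```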