[rsyslog-notify] Forum Thread: Re: central logging server configuration - (Mode 'edit_last_post')
noreply at adiscon.com
Tue May 12 08:11:43 CEST 2015
User: teifler
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25563#p25563
Message:
----------
Hi Lee,
as David said, please write us your question more precisely and tell us more
about your environment. I'll try to push in the right direction :)
[quote="lee62817":mhsdae9f]
I don't want all the remote logs to be aggregated in the central
log server's /var/log/messages.
[/quote:mhsdae9f]
Just for information: in this case you have to write the messages into a
logfile and then you have to discard the written messages. Please note that
the specified messages are only available before the discard action. Below
you can find an example for your case (new syntax).
[code:mhsdae9f]# ... module loading ...
# process remote messages
if $fromhost-ip == '192.168.152.137' then {
    action(type="omfile" file="/var/log/remotefile02")
    stop # this discards the written messages
}
# only messages not from 192.168.152.137 make it past this point
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# ... more ...[/code:mhsdae9f]
So in this case I recommend you to create a single ruleset for the remote
device(s). For more information about rulesets please check out the links
below.
But I don't know which rsyslog version you're running so if you're <
version 6 then you have to use the legacy format otherwise you can use the
new syntax:
Legacy format: http://www.rsyslog.com/doc/master/historical/multi_ruleset_legacy_format_samples.html
New Syntax: http://www.rsyslog.com/doc/master/concepts/multi_ruleset.html
Just as a side note: If you use an older version then I recommend you to
install a newer version (better performance & fixed bugs) like v8.9.0. Below
you can find a guide for installing a newer version:
http://www.rsyslog.com/newbie-guide-to-rsyslog/
Tim
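
The ruleset approach recommended in the post above, written out in the new syntax as an added example (not part of the original post and not taken from the rsyslog documentation). The port 514, the /var/log/remote path, the file modes and the names "remote" and "PerSenderFile" are assumptions chosen for illustration.

```rsyslog
# Added example: keep remote logs out of the central server's local files
# by binding the network inputs to their own ruleset.

module(load="imudp")
module(load="imtcp")

# Build the file name from the sender's IP address as seen by the socket
# (fromhost-ip), not from the hostname field inside the message: that field
# is chosen by the sender and should not be trusted to build a path.
template(name="PerSenderFile" type="string"
         string="/var/log/remote/%fromhost-ip%/messages.log")

# Everything received on the inputs below is processed ONLY by this ruleset.
# It never reaches the default ruleset, so no "stop" is needed and
# /var/log/messages, /var/log/secure etc. contain local messages only.
ruleset(name="remote") {
    action(type="omfile"
           dynaFile="PerSenderFile"
           createDirs="on"
           dirCreateMode="0750"     # assumption: restrict who can list hosts
           fileCreateMode="0640")   # assumption: not world-readable
}

# Bind both listeners to the "remote" ruleset (port 514 is an assumption).
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

# Local rules stay in the default ruleset and are unchanged, e.g.:
authpriv.*    /var/log/secure
mail.*        /var/log/maillog
cron.*        /var/log/cron
```

Running `rsyslogd -N1` after editing checks the configuration for syntax errors before the service is restarted.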