[rsyslog-notify] Forum Thread: Re: Filter: Only log local for specific action - (Mode 'reply')

noreply at adiscon.com
Tue Nov 10 08:35:02 CET 2015


User: AirOnSkin 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26123#p26123

Message: 
----------
Thank you both for the fast reply.

Here's the complete config for any client...

[b]/etc/rsyslog.conf[/b]
[code]
# /etc/rsyslog.conf ~ Rsyslog configuration

# MODULES
module(load="imuxsock")
module(load="imklog")

# QUEUES
main_queue(queue.type="LinkedList" queue.size="500000"
queue.dequeuebatchsize="2048" queue.saveonshutdown="on")

# INCLUDES
$IncludeConfig /etc/rsyslog.d/*.conf
[/code]
[b]/etc/rsyslog.d/01_additional-system-logs.conf[/b]
[code]
# /etc/rsyslog.d/01_additional-system-logs.conf ~ Include system logs that have their own file

# MODULES
module(load="imfile" PollingInterval="1")

# LOCAL FILES
input(type="imfile" File="/var/log/sssd/sssd.log" Tag="sssd:"
Facility="local0" Severity="err")
input(type="imfile" File="/var/log/salt/minion" Tag="salt:"
Facility="local1" Severity="err")
[/code]
[b]/etc/rsyslog.d/02_application-logs.conf[/b] (nothing in here yet, but will look similar to the above config)
[code]
# /etc/rsyslog.d/02_application-logs.conf ~ Include local application logs

# MODULES
# The 'imfile' module was already loaded in /etc/rsyslog.d/01_additional-system-logs.conf

# LOCAL FILES

[/code]
[b]/etc/rsyslog.d/03_log-distribution.conf[/b]
[code]
# /etc/rsyslog.d/03_log-distribution.conf ~ Distribute logs on local disk and to remote host

# MODULES
module(load="omrelp")
module(load="mmjsonparse")

# TEMPLATES
template(name="DynFile" type="string"
  string="/var/log/%SYSLOGFACILITY-TEXT%"
)
template(name="JSONForwardFormat" type="string" option.json="on"
  string="{\"@timestamp\":\"%timegenerated:::date-rfc3339%\",\"message\":\"%msg%\",\"host\":\"%fromhost%\",\"tag\":\"%syslogtag%\",\"program\":\"%programname%\",\"facilityid\":\"%syslogfacility%\",\"facility\":\"%syslogfacility-text%\",\"severityid\":\"%syslogseverity%\",\"severity\":\"%syslogseverity-text%\",\"pid\":\"%procid%\"}\n"
)

# RULES
# save logs locally to /var/log
*.* action(type="omfile" dynaFile="DynFile")
# send logs to rsyslogd on logstash host (saved as files to /var/local/ourcompany/syslog)
#*.* action(type="omrelp" target="192.168.123.50" port="2514" queue.type="LinkedList" queue.size="500000" queue.dequeuebatchsize="1024" tls="on")
# send logs to logstash on logstash host (written to ElasticSearch)
*.* action(type="mmjsonparse")
*.* action(type="omrelp" target="192.168.123.51"
port="1425" queue.type="LinkedList" queue.size="500000"
queue.dequeuebatchsize="1024" tls="off" template="JSONForwardFormat")
[/code]
[b]/etc/rsyslog.d/04_alerts-log-filter.conf[/b]
[code]
# /etc/rsyslog.d/04_alerts-log-filter.conf ~ Filter properties for the alerts log
# http://www.rsyslog.com/doc/v8-stable/configuration/filters.html#property-based-filters

# FILTERS
#:msg, contains, "text-to-match-for" stop
[/code]
[b]/etc/rsyslog.d/05_alerts-log.conf[/b]
[code]
# /etc/rsyslog.d/05_alerts-log.conf ~ Log important events to /var/log/alerts for monitoring inclusion

# TEMPLATES
template(name="AlertsFileFormat" type="string"
  string="%syslogfacility-text%.%syslogseverity-text%: %timegenerated% %hostname% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
)

# RULES

*.warn;*.err;*.crit;*.alert;*.emerg;auth,authpriv.none action(type="omfile" template="AlertsFileFormat" fileCreateMode="0440"
file="/var/log/alerts")
[/code]
This setup is still a work in progress. What we're trying to do is send
all log data to another host, but log locally as well (these logs will be
kept for a few days, then rotated). We need the alerts log file with this
format for our monitoring.
We have two hosts at the moment that don't only send logs, but also
receive logs from other systems. What happens is that messages with log
level warn, crit, alert, and so on also get written to /var/log/alerts
even though they didn't occur on that system.
I would like to limit the alerts log file to local messages only.

Cheers,
Stefan
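An added example, not from the thread, of one way to keep only locally generated messages in the alerts file: rsyslog sets the `fromhost-ip` property to 127.0.0.1 for messages from local inputs (imuxsock, imklog, imfile), so the alert rule from 05_alerts-log.conf can be wrapped in a RainerScript conditional on that property. Severities use the standard numeric values (emerg 0 through warning 4) to mirror the original selector list.

```rsyslog
# /etc/rsyslog.d/05_alerts-log.conf ~ Log important events to /var/log/alerts,
# but only for messages that originated on this host (added example)

# TEMPLATES
template(name="AlertsFileFormat" type="string"
  string="%syslogfacility-text%.%syslogseverity-text%: %timegenerated% %hostname% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
)

# RULES
# Local inputs (imuxsock, imklog, imfile) carry fromhost-ip 127.0.0.1.
# Messages received over the network via imrelp/imtcp/imudp carry the
# sender's address and therefore never enter this block.
# syslogseverity <= 4 covers emerg(0) alert(1) crit(2) err(3) warning(4);
# the two facility tests reproduce the original "auth,authpriv.none".
if ($fromhost-ip == "127.0.0.1"
    and $syslogseverity <= 4
    and $syslogfacility-text != "auth"
    and $syslogfacility-text != "authpriv") then {
    action(type="omfile" template="AlertsFileFormat"
           fileCreateMode="0440" file="/var/log/alerts")
}
```

If a local process ever submits over a loopback network listener rather than the socket, the `$inputname` property (for example "imuxsock", "imfile", "imrelp") identifies the receiving input module and can be tested instead of the address.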

