[rsyslog-notify] Forum Thread: Re: Rsyslog logging using variables - (Mode 'reply')
noreply at adiscon.com
Fri Sep 18 22:15:00 CEST 2015
User: Jzeolla
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25933#p25933
Message:
----------
> now, looking at your ruleset, everything you do is based on
> all sources, so you don't care where the log came from. As a result, you
> may not need rulesets
So, this code will run on all machines including the server that receives
remote syslog, so it does matter where the log comes from. I only want
this file to handle logs generated locally.
After looking at your suggestions I have come up with this:
[code]# Set template(s)
# The dynamic file name is built from the facility name; the property is
# syslogfacility-text (there is no facility-text property)
template(name="facilityfiles" type="string"
         string="/var/log/%syslogfacility-text%.log")
# Log all syslog remotely over TCP
*.* @@log.example.com:10514
# Write auth and authpriv logs to auth.log
auth,authpriv.* {
    /var/log/auth.log
    stop
}
# Write everything going to local4 to /var/log/messages
local4.* /var/log/messages
# Ignore everything going to local2, but still send it remotely
local2.* stop
# Write everything other than local2 and auth,authpriv to the catchall syslog file
*.* /var/log/syslog
# Write messages to /var/log/messages
# String values in RainerScript comparisons must be quoted; rsyslog names
# severity 4 "warning", not "warn"
if ($syslogseverity-text == ["info", "notice", "warning"] and
    not ($syslogfacility-text == ["auth", "authpriv", "cron", "daemon", "mail", "news"])) then
    /var/log/messages
# Write cron,user,uucp to their respective .log files and sync after each message
if $syslogfacility-text == ["cron", "user", "uucp"] then
    action(type="omfile" dynaFile="facilityfiles" sync="on")
# Write daemon,kern,lpr,mail to their respective .log files and do not sync after each message
if $syslogfacility-text == ["daemon", "kern", "lpr", "mail"] then
    action(type="omfile" dynaFile="facilityfiles")
# Write mail to separate logs depending on the severity level and do not sync after each message
if ($syslogfacility-text == "mail" and $syslogseverity < 7) then
    -/var/log/mail.info
if ($syslogfacility-text == "mail" and $syslogseverity < 5) then
    -/var/log/mail.warn
if ($syslogfacility-text == "mail" and $syslogseverity < 3) then
    -/var/log/mail.crit
# Write news to separate logs depending on the severity level, set the
# user to "news", and sync after each message
if ($syslogfacility-text == "news" and $syslogseverity < 7) then
    action(type="omfile" file="/var/log/news/news.crit" sync="on"
           dirCreateMode="0755" dirOwner="news" dirGroup="adm" fileOwner="news"
           fileGroup="adm" fileCreateMode="0640")
if ($syslogfacility-text == "news" and $syslogseverity < 6) then
    action(type="omfile" file="/var/log/news/news.notice" sync="on"
           dirCreateMode="0755" dirOwner="news" dirGroup="adm" fileOwner="news"
           fileGroup="adm" fileCreateMode="0640")
if ($syslogfacility-text == "news" and $syslogseverity < 4) then
    action(type="omfile" file="/var/log/news/news.err" sync="on"
           dirCreateMode="0755" dirOwner="news" dirGroup="adm" fileOwner="news"
           fileGroup="adm" fileCreateMode="0640")
# Write debug messages and do not sync after each message
if ($syslogseverity-text == "debug" and
    not ($syslogfacility-text == ["auth", "authpriv", "news", "mail"])) then
    -/var/log/debug
# Write messages of emergency severity to the console
*.emerg -/dev/console
[/code]
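The separation the post asks for (local rules must not apply to logs the server receives from other hosts) is what a ruleset bound to the input gives you. The following is an added example, not the poster's configuration and not taken from rsyslog's documentation; it assumes rsyslog 7 or later (RainerScript), reuses the TCP port from the post, and the ruleset name "remote" and the /var/log/remote tree are choices made here.

```rsyslog
# Added example, not from the original post. Assumes rsyslog 7+ (RainerScript),
# the TCP port from the post, and a hypothetical /var/log/remote tree.
module(load="imtcp")

# One file per sending host and program. %fromhost-ip% is the peer address
# rsyslog itself observed. %hostname% and %programname% come from the message
# header, so a hostile sender controls them; secpath-replace strips path
# separators from programname before it is used as part of a file name.
template(name="remotefile" type="string"
         string="/var/log/remote/%fromhost-ip%/%programname:::secpath-replace%.log")

# Everything that arrives on the TCP listener is handled here and stops here,
# so the local rules in the default ruleset never see a remote message. That
# also means a remote sender cannot land a forged auth message in the local
# /var/log/auth.log.
ruleset(name="remote") {
    action(type="omfile" dynaFile="remotefile"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}

# Binding the input to the ruleset is what does the separation.
input(type="imtcp" port="10514" ruleset="remote")

# Default ruleset: only locally generated messages reach these rules, so the
# local rules from the post can follow unchanged. Forwarding stays here too,
# so the server does not re-forward what it received from other hosts.
*.* @@log.example.com:10514
auth,authpriv.* {
    action(type="omfile" file="/var/log/auth.log")
    stop
}
action(type="omfile" file="/var/log/syslog")
```

`rsyslogd -N1 -f /path/to/rsyslog.conf` parses the file and reports syntax errors without starting the daemon, which is a cheap way to catch the unquoted strings and wrong property names that legacy-style configs tend to accumulate. Keying the remote directory on the observed source address rather than on the sender-supplied hostname keeps one host from writing into another host's files.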