[rsyslog-notify] Forum Thread: Forwarding select hosts to remote host for analysis - (Mode 'post')

noreply at adiscon.com
Tue Jul 26 00:09:46 CEST 2016


User: fmagee 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26813#p26813

Message: 
----------
We have a central syslog server running RHEL 6.7 and rsyslogd 5.8.10. We
have been collecting data for a couple of years without issues. Now
management wants to store messages from two Cisco firewalls on the syslog
server and forward those messages to an HPE ArcSight appliance so
management can analyze websites hit by specific users. I've added the
following rule set to /etc/rsyslog.conf:

$WorkDirectory /rsyslog/work  # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down
*.* @@arcsightappl.cabq.gov:515

and the following rules to /etc/rsyslog.d/forwardrules.conf:

:hostname, isequal,"143.120.99.50" @143.120.105.114
:hostname, isequal,"143.120.99.51" @143.120.105.114

I am still storing all the messages from the firewall to the local file
system but nothing is being forwarded to the ArcSight appliance. I
apologize if this has been answered elsewhere but I've been unable to find
any information that has helped.
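An added example of the same kind of configuration in rsyslog v5 legacy syntax (not the poster's config): it binds the disk-assisted queue directives to a single forwarding action that selects the two firewalls by the address the message arrived from, then keeps a local copy with a chained action. The regex form, the local file path and the choice of fromhost-ip over the header hostname are assumptions for illustration.

```conf
# Added example, not the original poster's config.
$WorkDirectory /rsyslog/work          # spool directory for queue files

# $ActionQueue*/$ActionResume* directives apply only to the NEXT action
# and are reset afterwards, so they are placed directly before the forward.
$ActionQueueType LinkedList           # asynchronous, disk-assisted queue
$ActionQueueFileName fwdArcSight      # unique spool-file prefix for this action
$ActionQueueMaxDiskSpace 1g           # cap on on-disk spool
$ActionQueueSaveOnShutdown on         # persist queued messages across restarts
$ActionResumeRetryCount -1            # keep retrying while the appliance is down

# Select both firewalls in one filter on the sender's IP (fromhost-ip is set
# from the connection, so it does not depend on the syslog header hostname).
# A single action here means the queue above covers both sources.
:fromhost-ip, regex, "^143\.120\.99\.5[01]$" @@arcsightappl.cabq.gov:515

# '&' reuses the filter of the preceding line: also keep a local copy
# (assumed path) so the forwarded set can be checked against what was stored.
& /var/log/firewalls.log
```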
