[rsyslog-notify] Forum Thread: Re: fwd local msg, two listeners to remote server w/TLS, Que - (Mode 'reply')
noreply at adiscon.com
Mon Jun 20 21:08:29 CEST 2016
User: atticus
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26626#p26626
Message:
----------
Thank you again for your reply, and thank you for your patience. I think
this is more like it.
INPUT(TYPE="IMTCP" PORT="10514" RULESET="FWD1")
INPUT(TYPE="IMUDP" PORT="514" RULESET="FWD1");
INPUT(TYPE="IMUSOCK" RULESET="FWD2") #FWD2 IS FOR THE LOCAL RULES
RULESET (NAME="FWD1") {
ACTION(TYPE="OMFWD" TARGET="GROUP1.EX.COM" PORT="10514" PROTOCOL="TCP"
QUEUE.FILENAME="GROUP1Q" QUEUE.SAVEONSHUTDOWN="ON" QUEUE.TYPE="LINKEDLIST"
STREAMDRIVERMODE="1" STREAMDRIVER="GTLS" STREAMDRIVERAUTHMODE="X509/NAME"
STREAMDRIVERPERMITTEDPEERS="*.GROUP1.EX.COM"
DEFAULTNETSTREAMDRIVERCAFILE="/PATH/TO/CHAIN.CRT"
DEFAULTNETSTREAMDRIVERCERTFILE="/PATH/TO/CLIENT.CRT"
DEFAULTNETSTREAMDRIVERKEYFILE="/PATH/TO/CLIENT.KEY")
# INPUT TCP AND UDP TO A LOCAL FILE ON THIS SYSTEM
# ACTION(TYPE="OMFILE" /MNT/VAR/GROUP1.FILE }
}
Now write local syslog to local files
RULESET (NAME="FWD2") {
KERN.* ACTION(TYPE="OMFILE" FILE="/VAR/LOG/MESSAGES")
*.INFO;MAIL.NONE;AUTHPRIV.NONE;CRON.NONE ACTION(TYPE="OMFILE" /VAR/LOG/MESSAGES)
#
AUTHPRIV.* ACTION(TYPE="OMFILE" /VAR/LOG/SECURE);
#
MAIL.* ACTION(TYPE="OMFILE" /VAR/LOG/MAILLOG)
#
*.EMERG ACTION(TYPE="OMFILE" *)
#
#
UUCP,NEWS.CRIT (ACTION="OMFILE" /VAR/LOG/SPOOLER);
#
LOCAL7.* (ACTION="OMFILE" /VAR/LOG/BOOT.LOG);
}
So,
1) The input files are now placed as you suggested.
2) Does the syntax for all the TLS certificates look correct?
Specifically, I mean putting the path names in here rather than with a $
command.
3) Is FWD2 correct, including the input INPUT(TYPE="IMUSOCK"
RULESET="FWD2")?
4) Finally, how would you suggest forwarding the local syslog to the far
end server? For example, I could associate input imusock with FWD1 and
put the elements of ruleset FWD2 into FWD1. However, this would forward
ANY local (I think?) syslog, not just the ones I'm taking action on?
Again, thank you.
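
One way to lay out the setup asked about above, as an added example that is not part of the original post or a reply from the thread. It assumes rsyslog v8, sets the CA, certificate and key paths in global() (the RainerScript counterpart of the $DefaultNetstreamDriver* directives), and leaves imuxsock, the local socket module, on the default ruleset. The host and paths are the post's placeholders; the work directory is an assumption.

```rsyslog
# Added example. workDirectory is an assumed spool location for the queue file.
global(
  workDirectory="/var/spool/rsyslog"
  defaultNetstreamDriver="gtls"
  defaultNetstreamDriverCAFile="/path/to/chain.crt"
  defaultNetstreamDriverCertFile="/path/to/client.crt"
  defaultNetstreamDriverKeyFile="/path/to/client.key"
)

module(load="imtcp")
module(load="imudp")
# Local log socket. Not bound to a ruleset, so it feeds the default ruleset.
module(load="imuxsock")

# Network listeners are bound to the forwarding ruleset.
input(type="imtcp" port="10514" ruleset="fwd1")
input(type="imudp" port="514" ruleset="fwd1")

# Everything entering fwd1 is relayed over TLS; the peer certificate name
# must match the permitted-peers pattern. The queue buffers during outages.
ruleset(name="fwd1") {
  action(type="omfwd" target="group1.ex.com" port="10514" protocol="tcp"
         StreamDriver="gtls" StreamDriverMode="1"
         StreamDriverAuthMode="x509/name"
         StreamDriverPermittedPeers="*.group1.ex.com"
         queue.type="LinkedList" queue.filename="group1q"
         queue.saveOnShutdown="on"
         action.resumeRetryCount="-1")
}

# Default ruleset: local messages. Only selectors that "call fwd1" are
# forwarded to the remote server; the others stay in local files.
authpriv.* {
  action(type="omfile" file="/var/log/secure")
  call fwd1
}
kern.* {
  action(type="omfile" file="/var/log/messages")
  call fwd1
}
mail.*    action(type="omfile" file="/var/log/maillog")
local7.*  action(type="omfile" file="/var/log/boot.log")
*.emerg   action(type="omusrmsg" users="*")
```

Running `rsyslogd -N1` against the file checks the syntax without starting the daemon.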