[rsyslog-notify] Forum Thread: Re: fwd local msg, two listeners to remote server w/TLS, Que - (Mode 'reply')

noreply at adiscon.com noreply at adiscon.com
Mon Jun 20 21:20:57 CEST 2016


User: dlang 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26627#p26627

Message: 
----------
when you use a ruleset tied directly to an input, you should have a queue
on that ruleset, otherwise you still have the messages go into the main
queue where they can compete/interfere with the local messages

> 2) Does the syntax for all the TLS certificates look
> correct? Specifically, I mean putting the path names in here rather than
> with a $ command.

more or less. again, I'm not the person to answer this part of the question

> 3) Is FWD2 correct including the input INPUT(TYPE="IMUSOCK"
> RULESET="FWD2")

no, you can't have a ruleset on the imuxsock input, you can just add the
line "call FWD2" outside of any ruleset, or just make the things that are
in ruleset FWD2 outside a ruleset

> 4) Finally, how would you suggest forwarding the local
> syslog to the far end server? For example, I could associate input imusock
> with FWD1 and putting the elements of ruleset FWD2 into FW1. However, this
> would forward ANY local (I think?) syslog, not just the ones I'm taking
> action on?

add a line to the FWD2 ruleset that says

call FWD1

that will invoke the FWD1 ruleset.

there isn't a good way to have a list of rules and then say "if any of the
above rules apply, do something"

you could add a conditional call to FWD1 after each statement

i.e.
kern.* {
  action(type="omfile" file="/var/log/messages")
  call FWD1
}

but in cases where more than one rule matches, the message will get
forwarded multiple times.
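
The layout described in this reply, written out as an added example (not part of the original post and not the poster's own configuration): a forwarding ruleset with its own queue bound to a network input, and local rules kept outside any ruleset that hand matches to it with `call`. The target host, ports, certificate paths, spool directory and file names are placeholders chosen for illustration.

```conf
# Added example; hosts, ports, paths and queue names are placeholders.
module(load="imuxsock")   # local log socket, feeds the default ruleset
module(load="imtcp")      # network listener

# TLS material used by the omfwd action below, plus a spool directory
# for the disk-assisted ruleset queue.
global(
  workDirectory="/var/spool/rsyslog"
  defaultNetstreamDriver="gtls"
  defaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  defaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/client-cert.pem"
  defaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/client-key.pem"
)

# FWD1 carries its own queue, so messages from the input bound to it
# are not placed on the main queue alongside the local messages.
ruleset(name="FWD1" queue.type="LinkedList" queue.filename="fwd1_q"
        queue.saveOnShutdown="on") {
  action(type="omfwd" target="central.example.net" port="6514" protocol="tcp"
         StreamDriver="gtls" StreamDriverMode="1"
         StreamDriverAuthMode="x509/name"
         StreamDriverPermittedPeers="central.example.net"
         action.resumeRetryCount="-1")
}

# Network input tied directly to the forwarding ruleset.
input(type="imtcp" port="514" ruleset="FWD1")

# Local rules stay outside any ruleset; each block that should also
# forward its matches ends with a call to FWD1.
kern.* {
  action(type="omfile" file="/var/log/messages")
  call FWD1
}

# A kern.err message matches this block as well as the one above,
# so it reaches FWD1 twice: the duplicate-forwarding caveat.
*.err {
  action(type="omfile" file="/var/log/errors")
  call FWD1
}
```

`rsyslogd -N1 -f <file>` checks a configuration like this for syntax errors without starting the daemon.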

