scubacuda at gmail
Jul 22, 2012, 11:23 PM
Re: n00b rsyslog.conf question -- separating local and network appliance logs

Thank you, this is helpful. But it looks like I'm having other problems first.
Here is my config file. My IP is on those blocks, and it's not
working, as the log files are not getting bigger.
#do this in FRONT of the local/regular rules
if $fromhost-ip startswith '41.' then /var/log/network1.log
if $fromhost-ip startswith '68.' then /var/log/network2.log
I'm pretty sure it's not a network problem. An IP address that begins
with 41 should create network1.log, and an IP beginning with 68 should
On Sun, Jul 22, 2012 at 11:00 PM, Radu Gheorghe <radu0gheorghe [at] gmail> wrote:
> Hi Rogelio,
> I think you will find Rulesets useful:
> There's an example there about how to separate local logs from remote logs.
> As for log rotation, you can either use logrotate, or you can use
> DynaFile to generate your log file names dynamically in the first
> place. For example, if you write:
> $template DynaFile,"/var/log/logsfrom-%timegenerated:1:10:date-rfc3339%.log"
> *.* -?DynaFile
> You should get stuff like:
> 2012/7/23 Rogelio <scubacuda [at] gmail>:
>> I have several network appliances, and I want aggregate their syslog
>> output for later analysis. Eventually I might think about a Splunk
>> box, but for the interim I'm hoping to just build a CentOS 6 syslog
>> server and have it aggregate everything on it for quick review.
>> I installed rsyslog and am looking through the /etc/rsyslog.conf file
>> for what I configure to (a) listen for syslog input from other devices
>> (UDP port 514 is fine), (b) make a log, and (c) log rotate files.
>> (a) I see in there (if I comment it out)
>> # Provides UDP syslog reception
>> $ModLoad imudp
>> $UDPServerRun 514
>> (Obviously add an iptables rule to let this traffic in)
>> (b) I see options in there, but am not sure how to separate the local
>> logs from the remote logs. Is it something like the following?
>> auth,authpriv.none -/var/log/syslog
>> (c) I understand I can do if I edit
>> /etc/logrotate.d/MyNetworkAppliance.log. This isn't as big of a
>> concern right now. Just trying to figure out how to log things
>> separately. :/
>> Any suggestions on what I should do to make this work?
>> rsyslog mailing list
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
Also on LinkedIn? Feel free to connect if you too are an open
networker: scubacuda [at] gmail
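The pieces discussed in this thread (the imudp listener, the `$fromhost-ip startswith` filters, a ruleset so remote messages never mix with the local rules, and a DynaFile template as the catch-all) fit together as below. This is an added example, not config from any of the posters; it uses the legacy directive syntax of rsyslog 5.x as shipped with CentOS 6, and the ruleset name `remote`, the template name `PerHost` and the file paths are my own choices.

```conf
# /etc/rsyslog.conf fragment -- legacy directive syntax for rsyslog 5.x (CentOS 6).
# Added example; the ruleset name "remote", template "PerHost" and paths are assumptions.

# Template used as a catch-all for remote senders not matched by a rule below:
# one file per sending IP, e.g. /var/log/remote/10.1.2.3.log
$template PerHost,"/var/log/remote/%fromhost-ip%.log"

# Load the UDP input module before starting any listener
$ModLoad imudp

# --- ruleset for messages that arrive over the network ----------------------
$RuleSet remote
# startswith is a plain string-prefix test on the sender address.
# "& ~" discards the message once it has been written, so it does not
# fall through to the later rules in this ruleset.
if $fromhost-ip startswith '41.' then /var/log/network1.log
& ~
if $fromhost-ip startswith '68.' then /var/log/network2.log
& ~
# everything else from the network: per-host file via the template above
# (the leading "-" means buffered writes, as in the stock CentOS rules)
*.* -?PerHost

# Bind the UDP listener to that ruleset, then start it on 514/udp.
# Order matters: the bind directive must come before $UDPServerRun.
$InputUDPServerBindRuleset remote
$UDPServerRun 514

# --- back to the default ruleset: only locally generated messages land here -
$RuleSet RSYSLOG_DefaultRuleset
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                   /var/log/secure
```

Before restarting, `rsyslogd -N1` parses the file and reports syntax errors without starting the daemon; after the restart, `netstat -ulnp | grep 514` confirms the listener is actually bound, which is the first thing to check when the files stop growing. Two caveats when reading the filters: `startswith '41.'` is a string-prefix match on the textual address and nothing more, so use `==` on the full address when a single appliance is meant; and the source address of a UDP datagram is not authenticated, so these rules sort logs by claimed sender and do not establish trust in them. The iptables rule the original post mentions, restricted to the appliance subnets, is the place to limit who can reach 514/udp at all.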