
scubacuda at gmail
Jul 22, 2012, 11:23 PM
Re: n00b rsyslog.conf question -- separating local and network appliance logs
Thank you, this is helpful. But it looks like I'm having other problems first. Here is my config file. My IP is on those blocks, and it's not working, as the log files are not getting bigger.

****************************
$ModLoad imudp
$UDPServerRun 514

#http://www.rsyslog.com/tag/more-complex-scenarios/
#do this in FRONT of the local/regular rules
if $fromhost-ip startswith '41.' then /var/log/network1.log
& ~
if $fromhost-ip startswith '68.' then /var/log/network2.log
& ~
*******************************************

I'm pretty sure it's not a network problem. An IP address that begins with 41 should create network1.log, and an IP beginning with 68 should form network2.log...right?

On Sun, Jul 22, 2012 at 11:00 PM, Radu Gheorghe <radu0gheorghe [at] gmail> wrote:
> Hi Rogelio,
>
> I think you will find Rulesets useful:
> http://www.rsyslog.com/doc/multi_ruleset.html
>
> There's an example there about how to separate local logs from remote logs.
>
> As for log rotation, you can either use logrotate, or you can use
> DynaFile to generate your log file names dynamically in the first
> place. For example, if you write:
>
> $template DynaFile,"/var/log/logsfrom-%timegenerated:1:10:date-rfc3339%.log"
> *.* -?DynaFile
>
> You should get stuff like:
>
> /var/log/logsfrom-2012-17-22.log
> /var/log/logsfrom-2012-17-23.log
>
> etc.
>
> 2012/7/23 Rogelio <scubacuda [at] gmail>:
>> I have several network appliances, and I want to aggregate their syslog
>> output for later analysis. Eventually I might think about a Splunk
>> box, but for the interim I'm hoping to just build a CentOS 6 syslog
>> server and have it aggregate everything on it for quick review.
>>
>> I installed rsyslog and am looking through the /etc/rsyslog.conf file
>> for what I configure to (a) listen for syslog input from other devices
>> (UDP port 514 is fine), (b) make a log, and (c) log rotate files.
>>
>> (a) I see in there (if I comment it out)
>>
>> # Provides UDP syslog reception
>> $ModLoad imudp
>> $UDPServerRun 514
>>
>> (Obviously add an iptables rule to let this traffic in)
>>
>> (b) I see options in there, but am not sure how to separate the local
>> logs from the remote logs. Is it something like the following?
>>
>> *.*;local6.none;
>> auth,authpriv.none -/var/log/syslog
>>
>> (c) I understand I can do it if I edit
>> /etc/logrotate.d/MyNetworkAppliance.log. This isn't as big of a
>> concern right now. Just trying to figure out how to log things
>> separately. :/
>>
>> Any suggestions on what I should do to make this work?
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards

--
Also on LinkedIn? Feel free to connect if you too are an open networker: scubacuda [at] gmail
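The following is an added example, not a configuration posted by anyone in the thread: a complete rsyslog.conf in the rsyslog 5.x legacy syntax that CentOS 6 ships, combining the ruleset approach Radu links to with the $fromhost-ip prefix rules and a per-day DynaFile name. The directory /var/log/remote/, the template names Net41/Net68/NetOther and the '41.'/'68.' prefixes are assumptions chosen to match the thread; the local-log lines at the bottom are a stock CentOS layout.

```conf
# Added example (not from the thread): rsyslog 5.x legacy syntax for a CentOS 6 collector.
# Remote syslog arriving on UDP/514 is processed by its own ruleset, so it never reaches
# the rules for local messages and local messages never reach the remote files.

$ModLoad imuxsock    # local /dev/log input, handled by the default ruleset
$ModLoad imudp       # network input; $UDPServerRun is issued later, after binding

# One file per source network and per day.
# %timegenerated:1:10:date-rfc3339% is the first 10 characters of the RFC 3339
# timestamp, i.e. YYYY-MM-DD, so a new file starts at midnight without logrotate.
$template Net41,"/var/log/remote/network1-%timegenerated:1:10:date-rfc3339%.log"
$template Net68,"/var/log/remote/network2-%timegenerated:1:10:date-rfc3339%.log"
$template NetOther,"/var/log/remote/unknown-%fromhost-ip%-%timegenerated:1:10:date-rfc3339%.log"

# ---- Rules that apply to remote messages only ----
$RuleSet remote
# $fromhost-ip is the UDP source address; 'startswith' is a plain string prefix
# test, so '41.' matches 41.x.x.x but not 141.x.x.x.
if $fromhost-ip startswith '41.' then -?Net41
& ~
if $fromhost-ip startswith '68.' then -?Net68
& ~
# Anything else that reaches the listener is kept in its own per-sender file so an
# unexpected source shows up as a new file name instead of being silently mixed in.
*.* -?NetOther

# Bind the UDP listener to the ruleset above and only then start it.
# Order matters: the bind directive must precede $UDPServerRun.
$InputUDPServerBindRuleset remote
$UDPServerRun 514

# ---- Back to the default ruleset: local logs only from here on ----
$RuleSet RSYSLOG_DefaultRuleset
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     -/var/log/maillog
cron.*                                     /var/log/cron
```

Two practical notes. The UDP source address that $fromhost-ip reports is not authenticated, so the selection into network1/network2 is only as trustworthy as the iptables rule that limits 514/udp to the appliance ranges (the original post already plans that rule); for anything that matters, the TCP listener (imtcp) with TLS is the stronger option. Before restarting, run "rsyslogd -N1 -f /etc/rsyslog.conf" to have rsyslog parse the file and report syntax problems; with daily DynaFile names, logrotate is then only needed for pruning old files, not for rotating them.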