I'm trying to set up a central loghost (UDP and TCP) using the version
included in RHEL. I have come up with several partially working
configs but none work exactly as I need.
As of RHEL 5.2 rsyslog is now included, which is great news. Here's the
version:
$ rpm -q rsyslog
rsyslog-2.0.0-11.el5
$ /sbin/rsyslogd -v
rsyslogd 2.0.0, compiled with:
FEATURE_PTHREADS (dual-threading): Yes
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: Yes
FEATURE_NETZIP (message compression): Yes
SYSLOG_INET (Internet/remote support): Yes
FEATURE_GSSAPI (GSSAPI Kerberos 5 support): No
FEATURE_DEBUG (debug build, slow code): No
See http://www.rsyslog.com for more information.
In a nutshell, here's what I need my config to have:
1.) TCP and UDP logging
2.) Local messages from the loghost itself go to /var/log/...
3.) Remote messages go to /syslog/YYYY/MM/DD/HOSTNAME/...
4.) Additionally, I have several logs that are matched on the message
content and go into separate log files.
5.) All messages go into a named pipe (which a 3rd party security tool
reads from and analyzes the data)
From the above, numbers 2, 3 and 4 are the ones I'm having trouble
with. Individually I can make each work but getting them all working in
harmony has been a bit of a battle... I want to avoid duplicate logging
so that the local loghost logs are in /var and remote logs in /syslog.
Additionally, the messages that are matched on their content I want to
ONLY show up in the files designated for them. However, the named pipe
should get everything.
If anyone has a similar config for this version of rsyslog that they
could share I'd appreciate it immensely.
Thanks,
Sam
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
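One way to meet the five requirements above with the rsyslog 2.0.x legacy syntax shipped in RHEL 5.2, as an added example that is not the poster's config and was not taken from the thread. It relies on rule order and `& ~` discards (2.0 has no "stop" keyword) so that the pipe sees everything, content matches land only in their own files, and remote and local messages never duplicate; the hostname "loghost", the FIFO path /var/run/seclog.pipe, the match strings and the /syslog/matched directory are assumptions.

```rsyslog
# Added example for rsyslog 2.0.x on RHEL 5.2 (not the poster's config).
# 1) TCP/UDP reception is not configured here in 2.0: enable it with the
#    -r (UDP) and -t (TCP) switches in SYSLOGD_OPTIONS in
#    /etc/sysconfig/rsyslog, as with sysklogd.
# Assumed: the loghost's own name is "loghost", and /var/run/seclog.pipe
# was created with mkfifo and is read by the security tool.

# Let dynamic file names create /syslog/YYYY/MM/DD/HOST as needed
# (this is the default; stated here for clarity).
$CreateDirs on

# 3) Remote layout. Year, month and day are cut out of the RFC 3339
#    timestamp, since 2.0 has no $YEAR/$MONTH/$DAY properties.
$template RemoteFile,"/syslog/%timegenerated:1:4:date-rfc3339%/%timegenerated:6:7:date-rfc3339%/%timegenerated:9:10:date-rfc3339%/%HOSTNAME%/messages"

# 5) Everything to the named pipe FIRST, before any discard rule runs.
*.*                                     |/var/run/seclog.pipe

# 4) Content-matched messages: own file, then discard so they show up
#    nowhere else (match strings are assumed examples).
:msg, contains, "sshd"                  /syslog/matched/sshd.log
& ~
:msg, contains, "sudo:"                 /syslog/matched/sudo.log
& ~

# 3) Remote messages: per-date/per-host dynamic file, then discard so
#    they never reach the local /var/log rules below. fromhost is the
#    receiving side's view of the sender, not the hostname in the packet.
:fromhost, !isequal, "loghost"          ?RemoteFile
& ~

# 2) Only the loghost's own messages remain: stock RHEL local rules.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                              /var/log/secure
mail.*                                  -/var/log/maillog
cron.*                                  /var/log/cron
*.emerg                                 *
```

Filtering on `fromhost` rather than `hostname` keeps a remote sender that forges the loghost's name in its messages from writing into /var/log, though over plain UDP the source address itself is still unauthenticated. Because every message also reaches the pipe before the discards, the security tool's view is unaffected by the file split.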