Thanks, but I still don't know how to separate out the local and remote logs. I tried using expression based filters but didn't have much success. For example these config lines:
# Log remotely generated authpriv messages to /syslog
$template r_secure, "/syslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/secure.log"
if $source != 'localhost' and $syslogfacility-text == 'authpriv' then -?r_secure

Cause these errors:

Jun 5 14:24:27 ncldl38011 rsyslogd:unknown priority name ""
Jun 5 14:24:27 ncldl38011 rsyslogd:the last error occured in /etc/rsyslog.conf, line 25
Jun 5 14:24:27 ncldl38011 rsyslogd:warning: selector line without actions will be discarded

Not sure if it's something with my syntax or if it's just that this version of rsyslog doesn't (fully) support this. I'm assuming it's not supported, since the error seems to indicate that it is interpreting that expression filter line as a standard selector type filter.

Thanks,
Sam

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rainer Gerhards
Sent: Thursday, June 05, 2008 11:16 AM
To: rsyslog-users
Subject: Re: [rsyslog] Central loghost using RHEL5.2 rsyslog

I have no config but at least some quick ideas. Organize the config file as such: General settings (like $ModLoad) should go first. Then, actions that should always happen should come first. At the bottom of the file should be actions that occur only once. Use the discard action ~ (tilde) to get rid of those messages that you already processed and no longer need to care about. A quick sample might be this (just with files, but I hope it gets the idea):

*.* /file-always
*.info /file-info
*.info ~ # discard these message - end of processing for them
*.* /file-all-but-info
*.err /file-err
*.err ~ # get rid of err
*.* /file-all-but-info-err

I think this will get you a bit further. In v3, we already have a better way of doing things, but the ultimate solution will be implemented in the coming weeks (full scripting). I understand this is not of help here, but I thought I'd mention it.

Rainer

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:rsyslog-
> [EMAIL PROTECTED] On Behalf Of Kielek, Samuel
> Sent: Thursday, June 05, 2008 4:56 PM
> To: [email protected]
> Subject: [rsyslog] Central loghost using RHEL5.2 rsyslog
>
> I'm trying to set up a central loghost (UDP and TCP) using the version
> included in RHEL. I have come up with several partially working
> configs but none work exactly as I need.
>
> As of RHEL 5.2 rsyslog is now included, which is great news. Here's the
> version:
>
> $ rpm -q rsyslog
> rsyslog-2.0.0-11.el5
>
> $ /sbin/rsyslogd -v
> rsyslogd 2.0.0, compiled with:
> FEATURE_PTHREADS (dual-threading): Yes
> FEATURE_REGEXP: Yes
> FEATURE_LARGEFILE: Yes
> FEATURE_NETZIP (message compression): Yes
> SYSLOG_INET (Internet/remote support): Yes
> FEATURE_GSSAPI (GSSAPI Kerberos 5 support): No
> FEATURE_DEBUG (debug build, slow code): No
>
> See http://www.rsyslog.com for more information.
>
> In a nutshell, here's what I need my config to have:
>
> 1.) TCP and UDP logging
> 2.) Local messages from the loghost itself go to /var/log/...
> 3.) Remote messages go to /syslog/YYYY/MM/DD/HOSTNAME/...
> 4.) Additionally, I have several logs that are matched on the message
> content and go into separate log files.
> 5.) All messages go into a named pipe (which a 3rd party security tool
> reads from and analyzes the data)
>
> From the above, numbers 2, 3 and 4 are the ones I'm having trouble
> with. Individually I can make each work but getting them all working in
> harmony has been a bit of a battle... I want to avoid duplicate logging
> so that the local loghost logs are in /var and remote logs in /syslog.
> Additionally, the messages that are matched on their content I want to
> ONLY show up in the files designated for them. However, the named pipe
> should get everything.
>
> If anyone has a similar config for this version of rsyslog that they
> could share I'd appreciate it immensely.
>
> Thanks,
> Sam
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
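Rainer's ordering advice rests on legacy selector semantics: rules are walked top to bottom and the discard action `~` ends processing for a matching message. The Python model below is an added example, not code from the thread or from rsyslog; it replays his sample so the routing of each priority can be checked, and shows that a plain `*.info` selector matches info and every more severe priority, so an err message is discarded at the `*.info ~` line before it reaches `*.err`, whereas `*.=info` matches exactly that priority.

```python
"""Minimal model of rsyslog legacy selector processing (constructed example).
Covers only what the thread uses: 'facility.priority action' lines, '=prio', '~', '#'."""
# Most severe first; a plain 'prio' selector matches prio and everything above.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_config(text):
    """Turn config text into an ordered list of (selector, action) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments, blanks
        if line:
            selector, action = line.split(None, 1)
            rules.append((selector, action.strip()))
    return rules

def selector_matches(selector, facility, severity):
    """Legacy semantics: '*' any; 'prio' = prio and above; '=prio' exactly."""
    fac, prio = selector.rsplit(".", 1)
    if fac not in ("*", facility):
        return False
    if prio == "*":
        return True
    if prio.startswith("="):
        return severity == prio[1:]
    return SEVERITIES.index(severity) <= SEVERITIES.index(prio)

def process(rules, facility, severity):
    """Actions taken for one message, in rule order; '~' is recorded and stops."""
    taken = []
    for selector, action in rules:
        if selector_matches(selector, facility, severity):
            taken.append(action)
            if action == "~":
                break
    return taken

# Rainer's sample, verbatim. '*.info ~' also discards err, so '*.err' never fires.
RAINER_SAMPLE = """
*.* /file-always
*.info /file-info
*.info ~ # discard these message - end of processing for them
*.* /file-all-but-info
*.err /file-err
*.err ~ # get rid of err
*.* /file-all-but-info-err
"""
# Same layout with '=' so each class is exactly one priority (constructed).
EXACT_SAMPLE = RAINER_SAMPLE.replace("*.info", "*.=info").replace("*.err", "*.=err")
if __name__ == "__main__":  # where an err message lands, as posted vs. with '='
    print(process(parse_config(RAINER_SAMPLE), "auth", "err"))
    print(process(parse_config(EXACT_SAMPLE), "auth", "err"))
```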

