Hello all,

I am currently in the process of setting up a centralized log server,
mainly for DHCP-related logs. The clients are using syslog and
syslog-ng and are going to send *.* to the centralized log server that
I am currently working on. I am seeking your advice on how to solve my
problem.

How am I able to properly configure my centralized log server in such
a way that all the logs being received from the remote clients are
ignored except for the DHCP-related ones? And also, since my
centralized log server is expected to log only those DHCP-related
logs, I want them to be stored in MySQL so that only those records
will be read/rendered by LogAnalyzer.

Below is the snippet from my centralized log server for your information.

- - - < s n i p > - - -

# uname -r
2.6.32-279.11.1.el6.x86_64

# cat /etc/redhat-release
CentOS release 6.3 (Final)

# rpm -qa | grep -i rsyslog
rsyslog-mysql-5.8.10-2.el6.x86_64
rsyslog-5.8.10-2.el6.x86_64

# rpm -qa | grep -i "^mysql"
mysql-5.1.61-4.el6.x86_64
mysql-utilities-1.1.0-1.el6.noarch
mysql-server-5.1.61-4.el6.x86_64
mysql-libs-5.1.61-4.el6.x86_64
mysql-connector-python-1.0.7-1.el6.noarch
mysqltuner-1.1.1-1.el6.noarch

# lsof -ni -P | egrep -i "mysql|rsyslog"
mysqld   11972   mysql   10u  IPv4  23334      0t0  TCP 127.0.0.1:3306 (LISTEN)
rsyslogd 12133    root    3u  IPv4  23965      0t0  UDP *:514
rsyslogd 12133    root    4u  IPv6  23966      0t0  UDP *:514
rsyslogd 12133    root    6u  IPv4  23973      0t0  TCP *:514 (LISTEN)
rsyslogd 12133    root    7u  IPv6  23974      0t0  TCP *:514 (LISTEN)

# cat /etc/rsyslog.conf
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$ModLoad ommysql
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$AllowedSender UDP, 192.168.1.0/24
$AllowedSender TCP, 192.168.1.0/24

$WorkDirectory /data/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName dbq
$ActionResumeRetryCount -1

*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

:msg, !contains, "dhcpd" ~
:msg, contains, "dhcpd" :ommysql:127.0.0.1,Syslog,dbuser,dbpasswd

mysql> SHOW TABLES;
+------------------------+
| Tables_in_Syslog       |
+------------------------+
| SystemEvents           |
| SystemEventsProperties |
+------------------------+
2 rows in set (0.00 sec)

mysql> DESC SystemEvents;
+--------------------+------------------+------+-----+---------+----------------+
| Field              | Type             | Null | Key | Default | Extra          |
+--------------------+------------------+------+-----+---------+----------------+
| ID                 | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| CustomerID         | bigint(20)       | YES  |     | NULL    |                |
| ReceivedAt         | datetime         | YES  |     | NULL    |                |
| DeviceReportedTime | datetime         | YES  |     | NULL    |                |
| Facility           | smallint(6)      | YES  |     | NULL    |                |
| Priority           | smallint(6)      | YES  |     | NULL    |                |
| FromHost           | varchar(60)      | YES  |     | NULL    |                |
| Message            | text             | YES  |     | NULL    |                |
| NTSeverity         | int(11)          | YES  |     | NULL    |                |
| Importance         | int(11)          | YES  |     | NULL    |                |
| EventSource        | varchar(60)      | YES  |     | NULL    |                |
| EventUser          | varchar(60)      | YES  |     | NULL    |                |
| EventCategory      | int(11)          | YES  |     | NULL    |                |
| EventID            | int(11)          | YES  |     | NULL    |                |
| EventBinaryData    | text             | YES  |     | NULL    |                |
| MaxAvailable       | int(11)          | YES  |     | NULL    |                |
| CurrUsage          | int(11)          | YES  |     | NULL    |                |
| MinUsage           | int(11)          | YES  |     | NULL    |                |
| MaxUsage           | int(11)          | YES  |     | NULL    |                |
| InfoUnitID         | int(11)          | YES  |     | NULL    |                |
| SysLogTag          | varchar(60)      | YES  |     | NULL    |                |
| EventLogType       | varchar(60)      | YES  |     | NULL    |                |
| GenericFileName    | varchar(60)      | YES  |     | NULL    |                |
| SystemID           | int(11)          | YES  |     | NULL    |                |
| processid          | varchar(60)      | NO   |     |         |                |
+--------------------+------------------+------+-----+---------+----------------+
25 rows in set (0.00 sec)

- - - < s n i p > - - -

Thank you in advance.

Regards,

GNUbie
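The filtering the post asks about, as an added example rsyslog 5.x configuration (written for this page, not the poster's file or anything shipped by the rsyslog project): dhcpd messages from the clients go to the Syslog database and nothing else from remote clients is kept, while the server's own local logs still reach the usual files. It assumes ISC dhcpd's default syslog tag `dhcpd`, the database name and credentials from the post, and that local messages from imuxsock/imklog carry the fromhost-ip 127.0.0.1.

```conf
# Added example for rsyslog 5.8 (legacy directive syntax), not the poster's config.
# Assumes: ISC dhcpd logs with syslog tag "dhcpd"; DB name/user/password as in the post.
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imudp
$ModLoad imtcp
$ModLoad ommysql

# $AllowedSender restricts the listeners started after it, so it goes before the
# *ServerRun lines. It only checks the source address, which is not authentication:
# a syslog UDP datagram can carry a forged source, so keep the subnet as tight as possible.
$AllowedSender UDP, 192.168.1.0/24
$AllowedSender TCP, 192.168.1.0/24
$UDPServerRun 514
$InputTCPServerRun 514

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$WorkDirectory /data/rsyslog

# 1) dhcpd messages -> MySQL. The $ActionQueue* directives bind to the very next
#    action only, so they must sit directly above the ommysql line, not above the
#    /var/log/messages rule. Matching on programname (the tag without the pid)
#    is tighter than ':msg, contains, "dhcpd"', which also catches any unrelated
#    line that merely mentions dhcpd; both values are still supplied by the client.
$ActionQueueType LinkedList
$ActionQueueFileName dbq
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
:programname, isequal, "dhcpd"    :ommysql:127.0.0.1,Syslog,dbuser,dbpasswd
# "&" reuses the filter of the previous line; "~" discards, so dhcpd messages are
# not also written to the files below (only SystemEvents rows remain for LogAnalyzer).
& ~

# 2) Anything else that arrived from a remote client is dropped here. Local messages
#    from imuxsock/imklog carry fromhost-ip 127.0.0.1 and fall through.
:fromhost-ip, !isequal, "127.0.0.1"    ~

# 3) Stock CentOS rules, now reached only by the server's own local logs.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     *
uucp,news.crit                              /var/log/spooler
local7.*                                    /var/log/boot.log
```

Run `rsyslogd -N1 -f /etc/rsyslog.conf` to syntax-check the file before restarting the daemon, then confirm with `SELECT FromHost, SysLogTag, COUNT(*) FROM SystemEvents GROUP BY FromHost, SysLogTag;` that only dhcpd rows arrive.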