The best way to achieve this is to create a dedicated ruleset that binds to the input listener and processes these remote logs like you need it. Doc is here:
http://www.rsyslog.com/doc/multi_ruleset.html

Rainer

> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of GNUbie
> Sent: Thursday, November 08, 2012 4:26 PM
> To: [email protected]
> Subject: [rsyslog] Discard incoming logs from remote clients except for
> DHCP related logs
>
> Hello all,
>
> I am currently in the process of setting up a centralized log server
> mainly for DHCP related logs. The clients are using syslog and
> syslog-ng and are going to send *.* to the centralized log server that
> I am currently working on. I am seeking your advice on how to solve my
> problem.
>
> How am I able to properly configure my centralized log server in such
> a way that all the logs that are being received coming from the remote
> clients are going to be ignored except for all DHCP related logs? And
> also since my centralized log server is expecting only to log only
> those DHCP related logs, I want them to be stored into MySQL so that
> it will only be the records that will be read/rendered from the
> LogAnalyzer.
>
> Below is the snippet from my centralized log server for your
> information.
>
> - - - < s n i p > - - -
>
> # uname -r
> 2.6.32-279.11.1.el6.x86_64
>
> # cat /etc/redhat-release
> CentOS release 6.3 (Final)
>
> # rpm -qa | grep -i rsyslog
> rsyslog-mysql-5.8.10-2.el6.x86_64
> rsyslog-5.8.10-2.el6.x86_64
>
> # rpm -qa | grep -i "^mysql"
> mysql-5.1.61-4.el6.x86_64
> mysql-utilities-1.1.0-1.el6.noarch
> mysql-server-5.1.61-4.el6.x86_64
> mysql-libs-5.1.61-4.el6.x86_64
> mysql-connector-python-1.0.7-1.el6.noarch
> mysqltuner-1.1.1-1.el6.noarch
>
> # lsof -ni -P | egrep -i "mysql|rsyslog"
> mysqld   11972 mysql 10u IPv4 23334 0t0 TCP 127.0.0.1:3306 (LISTEN)
> rsyslogd 12133 root   3u IPv4 23965 0t0 UDP *:514
> rsyslogd 12133 root   4u IPv6 23966 0t0 UDP *:514
> rsyslogd 12133 root   6u IPv4 23973 0t0 TCP *:514 (LISTEN)
> rsyslogd 12133 root   7u IPv6 23974 0t0 TCP *:514 (LISTEN)
>
> # cat /etc/rsyslog.conf
> $ModLoad imuxsock
> $ModLoad imklog
> $ModLoad imudp
> $UDPServerRun 514
> $ModLoad imtcp
> $InputTCPServerRun 514
> $ModLoad ommysql
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> $IncludeConfig /etc/rsyslog.d/*.conf
> $AllowedSender UDP, 192.168.1.0/24
> $AllowedSender TCP, 192.168.1.0/24
>
> $WorkDirectory /data/rsyslog
> $ActionQueueType LinkedList
> $ActionQueueFileName dbq
> $ActionResumeRetryCount -1
>
> *.info;mail.none;authpriv.none;cron.none /var/log/messages
> authpriv.* /var/log/secure
> mail.* -/var/log/maillog
> cron.* /var/log/cron
> *.emerg *
> uucp,news.crit /var/log/spooler
> local7.* /var/log/boot.log
>
> :msg, !contains, "dhcpd" ~
> :msg, contains, "dhcpd" :ommysql:127.0.0.1,Syslog,dbuser,dbpasswd
>
> mysql> SHOW TABLES;
> +------------------------+
> | Tables_in_Syslog       |
> +------------------------+
> | SystemEvents           |
> | SystemEventsProperties |
> +------------------------+
> 2 rows in set (0.00 sec)
>
> mysql> DESC SystemEvents;
> +--------------------+------------------+------+-----+---------+----------------+
> | Field              | Type             | Null | Key | Default | Extra          |
> +--------------------+------------------+------+-----+---------+----------------+
> | ID                 | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
> | CustomerID         | bigint(20)       | YES  |     | NULL    |                |
> | ReceivedAt         | datetime         | YES  |     | NULL    |                |
> | DeviceReportedTime | datetime         | YES  |     | NULL    |                |
> | Facility           | smallint(6)      | YES  |     | NULL    |                |
> | Priority           | smallint(6)      | YES  |     | NULL    |                |
> | FromHost           | varchar(60)      | YES  |     | NULL    |                |
> | Message            | text             | YES  |     | NULL    |                |
> | NTSeverity         | int(11)          | YES  |     | NULL    |                |
> | Importance         | int(11)          | YES  |     | NULL    |                |
> | EventSource        | varchar(60)      | YES  |     | NULL    |                |
> | EventUser          | varchar(60)      | YES  |     | NULL    |                |
> | EventCategory      | int(11)          | YES  |     | NULL    |                |
> | EventID            | int(11)          | YES  |     | NULL    |                |
> | EventBinaryData    | text             | YES  |     | NULL    |                |
> | MaxAvailable       | int(11)          | YES  |     | NULL    |                |
> | CurrUsage          | int(11)          | YES  |     | NULL    |                |
> | MinUsage           | int(11)          | YES  |     | NULL    |                |
> | MaxUsage           | int(11)          | YES  |     | NULL    |                |
> | InfoUnitID         | int(11)          | YES  |     | NULL    |                |
> | SysLogTag          | varchar(60)      | YES  |     | NULL    |                |
> | EventLogType       | varchar(60)      | YES  |     | NULL    |                |
> | GenericFileName    | varchar(60)      | YES  |     | NULL    |                |
> | SystemID           | int(11)          | YES  |     | NULL    |                |
> | processid          | varchar(60)      | NO   |     |         |                |
> +--------------------+------------------+------+-----+---------+----------------+
> 25 rows in set (0.00 sec)
>
> - - - < s n i p > - - -
>
> Thank you in advance.
>
> Regards,
>
> GNUbie
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
> if you DON'T LIKE THAT.
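The dedicated-ruleset approach suggested in the reply, applied to the configuration quoted above, as an added example that is not part of the original thread. It uses the legacy directive syntax of rsyslog 5.x; the ruleset name "remote" is chosen for this example, and matching on programname assumes the clients' DHCP daemon logs with the syslog tag dhcpd.

```conf
# Added example, not from the thread. Network range, database name and
# credentials are the values shown in the quoted rsyslog.conf.
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imudp
$ModLoad imtcp
$ModLoad ommysql

$WorkDirectory /data/rsyslog
$AllowedSender UDP, 192.168.1.0/24
$AllowedSender TCP, 192.168.1.0/24

# Ruleset used only for messages arriving over the network.
# "remote" is a name picked for this example.
$RuleSet remote
# Discard everything whose program name is not dhcpd (assumption: the
# DHCP daemon on the clients tags its messages "dhcpd").
:programname, !isequal, "dhcpd" ~
# Legacy $Action... settings apply to the next action only, so the
# queue and retry settings sit directly above the MySQL action.
$ActionQueueType LinkedList
$ActionQueueFileName dbq
$ActionResumeRetryCount -1
*.* :ommysql:127.0.0.1,Syslog,dbuser,dbpasswd

# Switch back to the default ruleset; it now sees local messages only
# (imuxsock, imklog), so remote traffic never reaches these files.
$RuleSet RSYSLOG_DefaultRuleset
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.*                               /var/log/secure
mail.*                                   -/var/log/maillog
cron.*                                   /var/log/cron
*.emerg                                  *
uucp,news.crit                           /var/log/spooler
local7.*                                 /var/log/boot.log

# Bind each listener to the ruleset, then start it. The bind directive
# must come before the listener it applies to.
$InputUDPServerBindRuleset remote
$UDPServerRun 514
$InputTCPServerBindRuleset remote
$InputTCPServerRun 514
```

Running `rsyslogd -N1` checks the file for syntax errors before the service is restarted.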

