Hello Rainer,

Thank you for the tip. I have it working now.

Regards,

GNUbie

On Thu, Nov 8, 2012 at 11:51 PM, Rainer Gerhards <[email protected]> wrote:
> The best way to achieve this is to create a dedicated ruleset that binds to
> the input listener and processes these remote logs like you need it. Doc is
> here:
>
> http://www.rsyslog.com/doc/multi_ruleset.html
>
> Rainer
>
>> -----Original Message-----
>> From: [email protected] [mailto:rsyslog-
>> [email protected]] On Behalf Of GNUbie
>> Sent: Thursday, November 08, 2012 4:26 PM
>> To: [email protected]
>> Subject: [rsyslog] Discard incoming logs from remote clients except for
>> DHCP related logs
>>
>> Hello all,
>>
>> I am currently in the process of setting up a centralized log server
>> mainly for DHCP related logs. The clients are using syslog and
>> syslog-ng and are going to send *.* to the centralized log server that
>> I am currently working on. I am seeking your advice on how to solve my
>> problem.
>>
>> How am I able to properly configure my centralized log server in such
>> a way that all the logs that are being received coming from the remote
>> clients are going to be ignored except for all DHCP related logs? And
>> also since my centralized log server is expecting only to log only
>> those DHCP related logs, I want them to be stored into MySQL so that
>> it will only be the records that will be read/rendered from the
>> LogAnalyzer.
>>
>> Below is the snippet from my centralized log server for your
>> information.
>>
>> - - - < s n i p > - - -
>>
>> # uname -r
>> 2.6.32-279.11.1.el6.x86_64
>>
>> # cat /etc/redhat-release
>> CentOS release 6.3 (Final)
>>
>> # rpm -qa | grep -i rsyslog
>> rsyslog-mysql-5.8.10-2.el6.x86_64
>> rsyslog-5.8.10-2.el6.x86_64
>>
>> # rpm -qa | grep -i "^mysql"
>> mysql-5.1.61-4.el6.x86_64
>> mysql-utilities-1.1.0-1.el6.noarch
>> mysql-server-5.1.61-4.el6.x86_64
>> mysql-libs-5.1.61-4.el6.x86_64
>> mysql-connector-python-1.0.7-1.el6.noarch
>> mysqltuner-1.1.1-1.el6.noarch
>>
>> # lsof -ni -P | egrep -i "mysql|rsyslog"
>> mysqld   11972 mysql 10u IPv4 23334 0t0 TCP 127.0.0.1:3306 (LISTEN)
>> rsyslogd 12133 root   3u IPv4 23965 0t0 UDP *:514
>> rsyslogd 12133 root   4u IPv6 23966 0t0 UDP *:514
>> rsyslogd 12133 root   6u IPv4 23973 0t0 TCP *:514 (LISTEN)
>> rsyslogd 12133 root   7u IPv6 23974 0t0 TCP *:514 (LISTEN)
>>
>> # cat /etc/rsyslog.conf
>> $ModLoad imuxsock
>> $ModLoad imklog
>> $ModLoad imudp
>> $UDPServerRun 514
>> $ModLoad imtcp
>> $InputTCPServerRun 514
>> $ModLoad ommysql
>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>> $IncludeConfig /etc/rsyslog.d/*.conf
>> $AllowedSender UDP, 192.168.1.0/24
>> $AllowedSender TCP, 192.168.1.0/24
>>
>> $WorkDirectory /data/rsyslog
>> $ActionQueueType LinkedList
>> $ActionQueueFileName dbq
>> $ActionResumeRetryCount -1
>>
>> *.info;mail.none;authpriv.none;cron.none    /var/log/messages
>> authpriv.*                                  /var/log/secure
>> mail.*                                      -/var/log/maillog
>> cron.*                                      /var/log/cron
>> *.emerg                                     *
>> uucp,news.crit                              /var/log/spooler
>> local7.*                                    /var/log/boot.log
>>
>> :msg, !contains, "dhcpd" ~
>> :msg, contains, "dhcpd" :ommysql:127.0.0.1,Syslog,dbuser,dbpasswd
>>
>> mysql> SHOW TABLES;
>> +------------------------+
>> | Tables_in_Syslog       |
>> +------------------------+
>> | SystemEvents           |
>> | SystemEventsProperties |
>> +------------------------+
>> 2 rows in set (0.00 sec)
>>
>> mysql> DESC SystemEvents;
>> +--------------------+------------------+------+-----+---------+----------------+
>> | Field              | Type             | Null | Key | Default | Extra          |
>> +--------------------+------------------+------+-----+---------+----------------+
>> | ID                 | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
>> | CustomerID         | bigint(20)       | YES  |     | NULL    |                |
>> | ReceivedAt         | datetime         | YES  |     | NULL    |                |
>> | DeviceReportedTime | datetime         | YES  |     | NULL    |                |
>> | Facility           | smallint(6)      | YES  |     | NULL    |                |
>> | Priority           | smallint(6)      | YES  |     | NULL    |                |
>> | FromHost           | varchar(60)      | YES  |     | NULL    |                |
>> | Message            | text             | YES  |     | NULL    |                |
>> | NTSeverity         | int(11)          | YES  |     | NULL    |                |
>> | Importance         | int(11)          | YES  |     | NULL    |                |
>> | EventSource        | varchar(60)      | YES  |     | NULL    |                |
>> | EventUser          | varchar(60)      | YES  |     | NULL    |                |
>> | EventCategory      | int(11)          | YES  |     | NULL    |                |
>> | EventID            | int(11)          | YES  |     | NULL    |                |
>> | EventBinaryData    | text             | YES  |     | NULL    |                |
>> | MaxAvailable       | int(11)          | YES  |     | NULL    |                |
>> | CurrUsage          | int(11)          | YES  |     | NULL    |                |
>> | MinUsage           | int(11)          | YES  |     | NULL    |                |
>> | MaxUsage           | int(11)          | YES  |     | NULL    |                |
>> | InfoUnitID         | int(11)          | YES  |     | NULL    |                |
>> | SysLogTag          | varchar(60)      | YES  |     | NULL    |                |
>> | EventLogType       | varchar(60)      | YES  |     | NULL    |                |
>> | GenericFileName    | varchar(60)      | YES  |     | NULL    |                |
>> | SystemID           | int(11)          | YES  |     | NULL    |                |
>> | processid          | varchar(60)      | NO   |     |         |                |
>> +--------------------+------------------+------+-----+---------+----------------+
>> 25 rows in set (0.00 sec)
>>
>> - - - < s n i p > - - -
>>
>> Thank you in advance.
>>
>> Regards,
>>
>> GNUbie
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
>> if you DON'T LIKE THAT.
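
The dedicated-ruleset approach described in the reply above, written out as an added example in the legacy syntax of the rsyslog 5.8.10 package from this thread; it is not the configuration either poster used. The ruleset name "remote" and the :programname filter (which assumes clients send these messages with program name dhcpd) are assumptions made here; the database credentials are the placeholders from the original post.

```conf
# /etc/rsyslog.conf -- added example, rsyslog v5 legacy directives
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imudp
$ModLoad imtcp
$ModLoad ommysql

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$WorkDirectory /data/rsyslog
$AllowedSender UDP, 192.168.1.0/24
$AllowedSender TCP, 192.168.1.0/24

# --- Ruleset for network input only ("remote" is a name chosen here) ---
$RuleSet remote
# Queue settings from the original post; they apply to the next action,
# so DHCP records are buffered on disk while MySQL is unreachable.
$ActionQueueType LinkedList
$ActionQueueFileName dbq
$ActionResumeRetryCount -1
# Assumption: DHCP messages arrive tagged "dhcpd" / "dhcpd[pid]".
:programname, isequal, "dhcpd"    :ommysql:127.0.0.1,Syslog,dbuser,dbpasswd
# No other rule in this ruleset: every non-DHCP remote message ends here
# and is written nowhere, so no explicit discard (~) is needed.

# --- Default ruleset: local messages (imuxsock, imklog) only ---
$RuleSet RSYSLOG_DefaultRuleset
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     *
uucp,news.crit                              /var/log/spooler
local7.*                                    /var/log/boot.log

# --- Listeners: each Bind directive must precede the Run it applies to ---
$InputUDPServerBindRuleset remote
$UDPServerRun 514
$InputTCPServerBindRuleset remote
$InputTCPServerRun 514
```

Because the listeners are bound to their own ruleset, remote messages never reach the /var/log/* rules, which is what the two :msg filters at the end of the original file could not achieve. Check the file with rsyslogd -N1 before restarting, and keep it readable by root only since it holds the database password.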

