I suggest http://www.monitorware.com/en/topics/syslog/
Especially the seminar.

Sent from phone, thus brief.

-------- Original Message --------
From: Josh Bitto <jbi...@onlineschool.ca>
Date: 03.04.2013 21:49 (GMT+01:00)
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] Allocating certain logs to certain files

Okie dokie....

Would these if then statements work for windows events?

Basically here is my goal... I want to use splunk as a Management tool for my logs (free version is 500 mb volume/24 hour period) ....but I want rsyslog to forward log files to my central log server. In order to stay under that 500mb limit for the whole network, I want to determine what is an acceptable exclusion for indexing data from a file source. The file source would be what you just helped me with. The coding that I had before made my log files for messages huge.

So could you help me understand what $syslogseverity <= '6' means? I want to log the important stuff and exclude stuff that doesn't really matter for both linux and windows logs.

Note: the windows side will be much easier because there are applications that allow you to send logs of whatever log file you want. The linux not so much.

-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Marcelo Veglienzone
Sent: Wednesday, April 03, 2013 12:30 PM
To: rsyslog-users
Subject: Re: [rsyslog] Allocating certain logs to certain files

In that case you only need one rule, something like this should work

if \
$source != 'loghost.example.com' \
then *.* ?DYNlogfile

On Wed, Apr 3, 2013 at 4:23 PM, Josh Bitto <jbi...@onlineschool.ca> wrote:

> Oh ok thank you! That worked!
>
> I'm sorry I keep asking questions....
>
> So in the If, then statements where it says
>
> if \
> $source != 'syslog.onlineschool.ca' \
> and \
> $syslogseverity <= '6' \
>
> --------------------------------------------------------------
>
> The very last line of the above $syslogseverity<= '6'\
>
> Does this only log certain message types? Or if I wanted to have
> everything what would I put?
>
> (not a programmer)
>
> -----Original Message-----
> From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Marcelo Veglienzone
> Sent: Wednesday, April 03, 2013 12:07 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Allocating certain logs to certain files
>
> loghost is the name of the machine doing the central logging with
> rsyslog which I want to keep its logs under the default location
>
> $source != 'loghost.example.com'
> means every host but loghost.example.com
>
> On Wed, Apr 3, 2013 at 4:03 PM, Josh Bitto <jbi...@onlineschool.ca> wrote:
>
> > On your if, then statements where it says $source != 'loghost.example.com' \
> >
> > What would I replace it with? %hostname%
> >
> > The reason I ask is that there will be many host names or IP
> > addresses that I'm forwarding logs from.
> >
> > -----Original Message-----
> > From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Marcelo Veglienzone
> > Sent: Wednesday, April 03, 2013 11:47 AM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] Allocating certain logs to certain files
> >
> > Josh,
> >
> > This is what I'm currently using, http://pastebin.com/tsTHdsZY
> > Starting at line 116 you'll find what you want
> >
> > On Wed, Apr 3, 2013 at 3:38 PM, Josh Bitto <jbi...@onlineschool.ca> wrote:
> >
> > > Ok here is my issue...on my central rsyslog server I have in my
> > > config file the following....
> > >
> > > # This one is the template to generate the log filename
> > > # dynamically, depending on the client's IP address.
> > > $template FILENAME,"/var/log/%fromhost-ip%/syslog.log"
> > >
> > > # Log all messages to the dynamically formed file. Now each
> > > # client's log (192.168.1.2, 192.168.1.3, etc...), will be under a
> > > # separate directory which is formed by the template FILENAME.
> > > *.* ?FILENAME
> > >
> > > That puts an output to my /var/log/<host IP>/syslog.log file.
> > >
> > > Essentially what I want is to have the same thing except separate
> > > files for each log file /dev/console /var/log/messages
> > > /var/log/secure/ -/var/log/maillog /var/log/cron *.emerg
> > > /var/log/spooler /var/log/boot.log
> > >
> > > How would I add that to the config to make it happen?
> > >
> > > The other thing....I still can't get httpd logs from remote
> > > servers to forward to my central rsyslog server.
> > >
> > > Josh
> > >
> > > Joshua Bitto
> > > Information Technologist
> > > KCC
> > >
> > > _______________________________________________
> > > rsyslog mailing list
> > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com/professional-services/
> > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> > > POST if you DON'T LIKE THAT.
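An added example, not taken from the thread or from the pastebin configuration it links to: one way to write the central server's rules so each client gets its own secure, maillog, cron, boot.log and messages files, using the `$source` and `$syslogseverity` tests quoted above. `loghost.example.com` is the placeholder host from the thread; the `DYN*` template names are hypothetical, and the facility-to-file mapping is assumed to follow a stock Red Hat-style rsyslog.conf.

```conf
# Added example in legacy rsyslog syntax; template names are hypothetical.
# One dynamic file name per target file, keyed on the sender's IP address.
$template DYNmessages,"/var/log/%fromhost-ip%/messages"
$template DYNsecure,"/var/log/%fromhost-ip%/secure"
$template DYNmaillog,"/var/log/%fromhost-ip%/maillog"
$template DYNcron,"/var/log/%fromhost-ip%/cron"
$template DYNboot,"/var/log/%fromhost-ip%/boot.log"

# Syslog severity is a number, and lower means more urgent:
#   0 emerg  1 alert  2 crit  3 err  4 warning  5 notice  6 info  7 debug
# "$syslogseverity <= '6'" keeps emerg through info and drops only debug.
# Leaving the severity test out keeps everything; "<= '4'" keeps warnings
# and worse, which is the usual knob for cutting indexed volume.

# Authentication messages: no severity filter, so logins and sudo use are
# kept in full even when other facilities are trimmed.
if $source != 'loghost.example.com' \
   and $syslogfacility-text == 'authpriv' \
then ?DYNsecure

if $source != 'loghost.example.com' \
   and $syslogfacility-text == 'mail' \
then ?DYNmaillog

if $source != 'loghost.example.com' \
   and $syslogfacility-text == 'cron' \
then ?DYNcron

# Assumption: clients send boot messages on local7, as the stock config does.
if $source != 'loghost.example.com' \
   and $syslogfacility-text == 'local7' \
then ?DYNboot

# Everything else at info or above goes to the per-host messages file.
if $source != 'loghost.example.com' \
   and $syslogseverity <= '6' \
   and not ($syslogfacility-text == 'authpriv' \
         or $syslogfacility-text == 'mail' \
         or $syslogfacility-text == 'cron') \
then ?DYNmessages
```

The loghost's own messages match none of these rules, so they continue to follow whatever default rules remain in the file.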