I actually just found that. It is helping out a lot as far as all the different 
terminology that this protocol uses.

Thanks Anyway!



-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Gregory Patmore
Sent: Wednesday, April 03, 2013 1:56 PM
To: rsyslog-users
Subject: Re: [rsyslog] Allocating certain logs to certain files

I found this reference helpful:
http://en.wikipedia.org/wiki/Syslog


On Wed, Apr 3, 2013 at 4:02 PM, Rainer Gerhards <rgerha...@hq.adiscon.com> wrote:

> I suggest
>
> http://www.monitorware.com/en/topics/syslog/
>
> Especially the seminar.
>
>
> Sent from phone, thus brief.
>
>
>
> -------- Original Message --------
> From: Josh Bitto <jbi...@onlineschool.ca>
> Date: 03.04.2013 21:49 (GMT+01:00)
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Allocating certain logs to certain files
>
>
> Okie dokie....
>
> Would these if then statements work for windows events?
>
> Basically here is my goal...
>
> I want to use splunk as a Management tool for my logs (free version is 
> 500 mb volume/24 hour period) ....but I want rsyslog to forward log 
> files to my central log server.
> In order to stay under that 500mb limit for the whole network. I want 
> to determine what is an acceptable exclusion for indexing data from a 
> file source. The file source would be what you just helped me with.
>
> The coding that I had before made my log files for messages huge.
>
> So could you help me understand what $syslogseverity <= '6' means?
>
> I want to log the important stuff and exclude stuff that doesn't really 
> matter for both linux and windows logs.
>
> Note: the windows side will be much easier because there are 
> applications that allow you to send logs of whatever log file you 
> want. The linux not so much.
>
>
>
>
>
> -----Original Message-----
> From: rsyslog-boun...@lists.adiscon.com [mailto:
> rsyslog-boun...@lists.adiscon.com] On Behalf Of Marcelo Veglienzone
> Sent: Wednesday, April 03, 2013 12:30 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Allocating certain logs to certain files
>
> In that case you only need one rule, something like this should work
>
>
>    if \
>            $source != 'loghost.example.com' \
>    then    *.* ?DYNlogfile
>
>
>
>
> On Wed, Apr 3, 2013 at 4:23 PM, Josh Bitto <jbi...@onlineschool.ca> wrote:
>
> > Oh ok thank you! That worked!
> >
> > I'm sorry I keep asking questions....
> >
> > So in the If, then statements where it says
> >
> > if \
> >         $source != 'syslog.onlineschool.ca' \
> >         and \
> >              $syslogseverity <= '6' \
> >
> > --------------------------------------------------------------
> >
> > The very last line of the above $syslogseverity<= '6'\
> >
> > Does this only log certain message types? Or if I wanted to have 
> > everything what would I put?
> >
> > (not a programmer)
> >
> >
> >
> > -----Original Message-----
> > From: rsyslog-boun...@lists.adiscon.com [mailto:
> > rsyslog-boun...@lists.adiscon.com] On Behalf Of Marcelo Veglienzone
> > Sent: Wednesday, April 03, 2013 12:07 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] Allocating certain logs to certain files
> >
> > loghost is the name of the machine doing the central logging with 
> > rsyslog which I want to keep its logs under the default location
> >
> > $source != 'loghost.example.com'
> > means every host but loghost.example.com
> >
> >
> > On Wed, Apr 3, 2013 at 4:03 PM, Josh Bitto <jbi...@onlineschool.ca> wrote:
> >
> > > On your if, then statements where it says $source != 'loghost.example.com' \
> > >
> > > What would I replace it with? %hostname%
> > >
> > > The reason I ask is that there will be many host names or IP 
> > > addresses that I'm forwarding logs from.
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: rsyslog-boun...@lists.adiscon.com [mailto:
> > > rsyslog-boun...@lists.adiscon.com] On Behalf Of Marcelo 
> > > Veglienzone
> > > Sent: Wednesday, April 03, 2013 11:47 AM
> > > To: rsyslog-users
> > > Subject: Re: [rsyslog] Allocating certain logs to certain files
> > >
> > > Josh,
> > >
> > > This is what I'm currently using, http://pastebin.com/tsTHdsZY 
> > > Starting at line 116 you'll find what you want
> > >
> > >
> > > On Wed, Apr 3, 2013 at 3:38 PM, Josh Bitto <jbi...@onlineschool.ca> wrote:
> > >
> > > > Ok here is my issue...on my central rsyslog server I have in my 
> > > > config file the following....
> > > >
> > > > # This one is the template to generate the log filename 
> > > > # dynamically, depending on the client's IP address.
> > > > $template FILENAME,"/var/log/%fromhost-ip%/syslog.log"
> > > >
> > > > # Log all messages to the dynamically formed file. Now each 
> > > > # clients log (192.168.1.2, 192.168.1.3,etc...), will be under a 
> > > > # separate directory which is formed by the template FILENAME.
> > > > *.* ?FILENAME
> > > >
> > > >
> > > > That puts an output to my /var/log/<host IP>/syslog.log file.
> > > >
> > > > Essentially what I want is to have the same thing except 
> > > > separate files for each log file /Dev/console /var/log/messages 
> > > > /var/log/secure/ -/var/log/maillog  /var/log/cron *.emerg 
> > > > /var/log/spooler /var/log/boot.log
> > > >
> > > > How would I add that to the config to make it happen?
> > > >
> > > > The other thing....I still can't get httpd logs from remote 
> > > > servers to forward to my central rsyslog server.
> > > >
> > > > Josh
> > > >
> > > >
> > > >
> > > >
> > > > Joshua Bitto
> > > > Information Technologist
> > > > KCC
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > rsyslog mailing list
> > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > http://www.rsyslog.com/professional-services/
> > > > What's up with rsyslog? Follow https://twitter.com/rgerhards 
> > > > NOTE
> > > > WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a 
> > > > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO 
> > > > NOT POST if you DON'T LIKE THAT.
> > > >



-- 


--Gregory Patmore | Senior DevOps Engineer
appssavvy <http://appssavvy.com/>
594 Broadway Suite 207 | New York, NY 10012
C | 732.492.4140
greg.patm...@appssavvy.com
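
Added example (not part of the original thread, and not rsyslog code): a small Python sketch of what the filter `$source != 'loghost.example.com' and $syslogseverity <= '6'` selects. It decodes the `<PRI>` header of each line (PRI = facility * 8 + severity, severity 0 = emerg through 7 = debug) and reports how many messages and bytes each threshold would keep, which is the number that matters for a daily indexing quota. The sample lines and the function names are constructed for illustration.

```python
import re

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
            5: "syslog", 9: "cron", 10: "authpriv"}
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """Split the leading <PRI> into (facility, severity)."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range <PRI>")
    return divmod(int(m.group(1)), 8)  # PRI = facility * 8 + severity

def keep(source, line, loghost, max_severity=6):
    """Same test as: $source != loghost and $syslogseverity <= max_severity."""
    _, severity = decode_pri(line)
    return source != loghost and severity <= max_severity

def volume_by_threshold(records, loghost):
    """For each threshold 0..7, return (messages kept, bytes kept)."""
    out = {}
    for threshold in range(8):
        kept = [l for src, l in records if keep(src, l, loghost, threshold)]
        out[threshold] = (len(kept), sum(len(l.encode()) for l in kept))
    return out

# Constructed sample: (source host, raw line as received on the wire)
SAMPLE = [
    ("web01.example.com", "<86>Apr  3 12:00:01 web01 sshd[911]: Accepted publickey for deploy"),
    ("web01.example.com", "<15>Apr  3 12:00:02 web01 app[77]: debug: cache miss key=abc"),
    ("db01.example.com", "<3>Apr  3 12:00:03 db01 kernel: EXT4-fs error (device sda1)"),
    ("db01.example.com", "<78>Apr  3 12:00:04 db01 CROND[400]: (root) CMD (run-parts)"),
    ("loghost.example.com", "<30>Apr  3 12:00:05 loghost rsyslogd: rsyslogd was HUPed"),
]

if __name__ == "__main__":
    host = "loghost.example.com"
    for src, line in SAMPLE:
        fac, sev = decode_pri(line)
        name = f"{FACILITY.get(fac, fac)}.{SEVERITY[sev]}"
        print(f"{src:20} {name:14} keep={keep(src, line, host)}")
    for t, (n, size) in volume_by_threshold(SAMPLE, host).items():
        print(f"severity <= {t} ({SEVERITY[t]}): {n} messages, {size} bytes")
```

With a threshold of 6 everything except debug is kept; a threshold of 7 keeps every severity, and lower numbers keep only the more urgent messages.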