On Wed, 3 Apr 2013, Josh Bitto wrote:
I have the same setup. I have my central rsyslog server and splunk server on
the same box. I'm having all clients send logs and having rsyslog put them in
different log locations.
Then on the splunk side I'm just indexing those file locations. What method
are you using to throw away all other logs?
In the configuration, before you write the logs out to disk, add lines that
match logs that you don't want to log with the action '~', that will cause
rsyslog to stop looking for more rules to match for that log entry
I've not heard of a sinkhole directory.
It's very similar to a monitor directory, but with a sinkhole, Splunk will
delete the file after it's indexed it. That way you don't have to figure out
what files have and have not been indexed if Splunk has stopped at some point,
and Splunk doesn't have to check the stats of large numbers of files that
accumulate when trying to figure out what to work on.
David Lang
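An added example (not code from any poster in this thread) that puts the '~' discard rules David describes together with the severity filter Josh asks about into one rsyslog rule set in the legacy syntax of the period; the hostname, program name and paths are placeholders. Syslog severities run 0 (emerg) to 7 (debug), so `<= '6'` keeps everything except debug.

```conf
# Added example: central rsyslog server that throws away noise BEFORE
# writing, then writes only what Splunk should index into a per-host
# file. Hostname, program name and paths are placeholders.

# Destination used by the final write action (one file per sending IP).
$template SplunkIndexFile,"/var/log/splunk-inbound/%fromhost-ip%/syslog.log"

# 1. Discard rules come first. The '~' action drops the message and stops
#    rule processing for it, so no later rule (and no file) ever sees it.

# Severity 7 is debug; everything 0..6 (emerg through info) is kept.
if $syslogseverity > '6' then ~

# Drop a known-chatty program that should never eat into the index quota.
if $programname == 'dhclient' then ~

# Keep the central server's own messages out of the Splunk feed; they are
# still written to the usual local files by the distribution's rsyslog.conf.
if $source == 'loghost.example.com' then ~

# 2. Whatever survives the filters above is written for Splunk to index.
*.* ?SplunkIndexFile
```

Rules are evaluated top to bottom, so a discard placed after the `*.*` line would be too late; in rsyslog 7 and later the same discard is spelled `stop` instead of `~`.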
-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Wednesday, April 03, 2013 2:58 PM
To: rsyslog-users
Subject: Re: [rsyslog] Allocating certain logs to certain files
What I do with splunk is that I have my clients send all the logs up to my
central server, and Splunk server. I then have the rsyslog on the Splunk server
write the logs that I want splunk to index into a file and then throw all the
other logs away. I roll the log from where it's written into a splunk sinkhole
directory once a minute.
David Lang
On Wed, 3 Apr 2013, Josh Bitto wrote:
Would these if then statements work for windows events?
Basically here is my goal...
I want to use splunk as a Management tool for my logs (free version is 500 mb
volume/24 hour period) ....but I want rsyslog to forward log files to my
central log server.
In order to stay under that 500mb limit for the whole network. I want to
determine what is an acceptable exclusion for indexing data from a file source.
The file source would be what you just helped me with.
The coding that I had before made my log files for messages huge.
So could you help me understand what $syslogseverity <= '6' means?
I want to log the important stuff and exclude stuff that doesn't really matter
for both linux and windows logs.
Note: the windows side will be much easier because there are applications that
allow you to send logs of whatever log file you want. The linux not so much.
-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Marcelo
Veglienzone
Sent: Wednesday, April 03, 2013 12:30 PM
To: rsyslog-users
Subject: Re: [rsyslog] Allocating certain logs to certain files
In that case you only need one rule, something like this should work
if \
$source != 'loghost.example.com' \
then *.* ?DYNlogfile
On Wed, Apr 3, 2013 at 4:23 PM, Josh Bitto <jbi...@onlineschool.ca> wrote:
Oh ok thank you! That worked!
I'm sorry I keep asking questions....
So in the If, then statements where it says
if \
$source != 'syslog.onlineschool.ca' \
and \
$syslogseverity <= '6' \
--------------------------------------------------------------
The very last line of the above $syslogseverity<= '6'\
Does this only log certain message types? Or if I wanted to have
everything what would I put?
(not a programmer)
-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com [mailto:
rsyslog-boun...@lists.adiscon.com] On Behalf Of Marcelo Veglienzone
Sent: Wednesday, April 03, 2013 12:07 PM
To: rsyslog-users
Subject: Re: [rsyslog] Allocating certain logs to certain files
loghost is the name of the machine doing the central logging with
rsyslog which I want to keep it's logs under the default location
$source != 'loghost.example.com'
means every hosts but loghost.example.com
On Wed, Apr 3, 2013 at 4:03 PM, Josh Bitto <jbi...@onlineschool.ca> wrote:
On your if, then statements where it says $source != 'loghost.example.com' \
What would I replace it with? %hostname%
The reason I ask is that there will be many host names or IP
addresses that I'm forwarding logs from.
-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com [mailto:
rsyslog-boun...@lists.adiscon.com] On Behalf Of Marcelo Veglienzone
Sent: Wednesday, April 03, 2013 11:47 AM
To: rsyslog-users
Subject: Re: [rsyslog] Allocating certain logs to certain files
Josh,
This is what I'm currently using, http://pastebin.com/tsTHdsZY
Starting at line 116 you'll find what you want
On Wed, Apr 3, 2013 at 3:38 PM, Josh Bitto <jbi...@onlineschool.ca>
wrote:
Ok here is my issue...on my central rsyslog server I have in my
config file the following....
# This one is the template to generate the log filename
# dynamically, depending on the client's IP address.
$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"
# Log all messages to the dynamically formed file. Now each client's
# log (192.168.1.2, 192.168.1.3, etc...) will be under a separate
# directory which is formed by the template FILENAME.
*.* ?FILENAME
That puts an output to my /var/log/<host IP>/syslog.log file.
Essentially what I want is to have the same thing except separate
files for each log file /Dev/console /var/log/messages
/var/log/secure/ -/var/log/maillog /var/log/cron *.emerg
/var/log/spooler /var/log/boot.log
How would I add that to the config to make it happen?
The other thing....I still can't get httpd logs from remote servers
to forward to my central rsyslog server.
Josh
Joshua Bitto
Information Technologist
KCC
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE
WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
you DON'T LIKE THAT.