Hi,

I'm trying to configure Windows clients to forward their logs via RELP to a 
centralized Debian-based Rsyslog server. But I had mixed success:

- When the client is configured to utilize TCP/514, it creates the subfolder 
(e.g. /var/log/HOSTS/test01.abc.com) and forwards a few logs. Then it suddenly 
stops forwarding them, without any apparent reason.

- When the client is configured to utilize RELP/20514, on the other hand, it 
creates event types (but not the hostname, as it is supposed to; e.g. Error, 
Server, Engine, Domain) as subfolders with the relevant logs and keeps working 
without suddenly stopping as above. See the example below:


root@syslog01:~# ls -al /var/log/HOSTS/
total 128
drwx------ 32 root root 4096 Oct 13 12:45 .
drwxr-xr-x  8 root root 4096 Oct  7 06:25 ..
drwx------  3 root root 4096 Oct 13 12:37 A
drwx------  3 root root 4096 Oct 13 12:20 Account
drwx------  3 root root 4096 Oct 13 11:34 An
drwx------  3 root root 4096 Oct 13 12:11 Attempting
drwx------  3 root root 4096 Oct 13 11:34 BITS
drwx------  3 root root 4096 Oct 13 12:38 Checking
drwx------  3 root root 4096 Oct 13 12:43 Completed
drwx------  3 root root 4096 Oct 13 12:19 Computer
drwx------  3 root root 4096 Oct 13 12:37 Cryptographic
drwx------  3 root root 4096 Oct 13 12:18 Domain
drwx------  3 root root 4096 Oct 13 11:48 Engine
drwx------  3 root root 4096 Oct 13 11:35 Error
drwx------  3 root root 4096 Oct 13 12:35 Estimated
drwx------  3 root root 4096 Oct 13 12:41 Finished
drwx------  3 root root 4096 Oct 13 12:14 Group
drwx------  3 root root 4096 Oct  6 15:47 test01.abc.com
drwx------  3 root root 4096 Oct 13 12:36 Key
drwx------  3 root root 4096 Oct 13 12:33 List
drwx------  3 root root 4096 Oct 13 12:12 Making
drwx------  3 root root 4096 Oct 13 12:45 Next
drwx------  3 root root 4096 Oct 13 11:34 Provider
drwx------  3 root root 4096 Oct 13 12:13 Retrieved
drwx------  3 root root 4096 Oct 13 12:15 Retrieving
drwx------  3 root root 4096 Oct 13 11:35 RSyslog
drwx------  3 root root 4096 Oct 13 12:39 Service
drwx------  3 root root 4096 Oct 13 11:37 Special
drwx------  3 root root 4096 Oct 13 12:10 Starting
drwx------  3 root root 4096 Oct 13 11:37 Task
drwx------  3 root root 4096 Oct 13 11:35 The


- Also, all the Linux clients that are configured to utilize RELP/20514 work 
fine, as they are supposed to: subfolders are created per host, with separate 
logs per service.


Below is the Rsyslog server's configuration (/etc/rsyslog.conf):

$ModLoad imrelp
$InputRELPServerRun 20514

$template DailyRemoteLogs,\
        "/var/log/HOSTS/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/%programname%.log"

:inputname, isequal, "imrelp"           -?DailyRemoteLogs



In a nutshell, what else needs to be done (on the client and/or server side) in 
order to get these logs into host-based subfolders (just like the Linux 
clients) instead of event-type-based ones?

Thanks,


Tarkan
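
An added example, not part of the original post and not rsyslog's own code: a simplified Python model of RFC 3164-style header parsing, showing how the DailyRemoteLogs template above produces directories named after message words when a sender omits the hostname field. That the Windows agent's RELP output lacks this header is an assumption; the function names, sample messages, sender address and date are constructed.

```python
import re
from datetime import date

# Simplified model of RFC 3164 header parsing: <PRI>, optional timestamp,
# then a HOSTNAME token (letters, digits, '.', '_', '-') followed by a space.
PRI = re.compile(r"^<(\d{1,3})>")
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
HOSTNAME = re.compile(r"^([A-Za-z0-9._-]*[A-Za-z0-9]) ")
TAG = re.compile(r"^([^\s:\[]+)")


def parse(raw, sender):
    """Return (hostname, programname) as a header-based parser would see them."""
    rest = PRI.sub("", raw, count=1)
    rest = TIMESTAMP.sub("", rest, count=1)
    m = HOSTNAME.match(rest)
    if m:
        # Whatever word sits where the hostname belongs is taken as HOSTNAME.
        host, rest = m.group(1), rest[m.end():]
    else:
        host = sender  # no hostname-like token: fall back to the peer address
    tag = TAG.match(rest)
    return host, tag.group(1) if tag else ""


def daily_remote_logs(raw, sender, day):
    """Expand the DailyRemoteLogs template from the post for one message."""
    host, prog = parse(raw, sender)
    return f"/var/log/HOSTS/{host}/{day:%Y/%m/%d}/{prog}.log"


# Constructed sample messages (not taken from the post).
SAMPLES = [
    "<13>Oct 13 12:45:01 test01.abc.com sshd[812]: session opened",  # full header
    "<13>Oct 13 12:45:02 The service entered the running state.",   # no hostname
    "<11>Error reading from the event channel",                     # no header
]

if __name__ == "__main__":
    for msg in SAMPLES:
        # 192.0.2.10 and the date are constructed values for the demo.
        print(daily_remote_logs(msg, "192.0.2.10", date(2020, 10, 13)))
```

Only the first sample lands under test01.abc.com; the other two create The/ and Error/ directories, which matches the listing in the post.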