It will probably be easier to show you what it currently looks like and what my current draft looks like. The draft pretty much shows what I'm trying to do, since most of the new stuff doesn't exist yet, as this is a new box.

Current default rsyslog.conf file:

$ModLoad imuxsock
$ModLoad imklog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$WorkDirectory /var/lib/rsyslog

*.emerg                                   *
*.info;mail.none;authpriv.none;cron.none  /var/log/messages
authpriv.*                                /var/log/secure
mail.*                                    -/var/log/maillog
cron.*                                    /var/log/cron
uucp,news.crit                            /var/log/spooler
local7.*                                  /var/log/boot.log
kern.debug                                /var/log/kernlog
*.debug                                   /var/log/everything

$ActionQueueType LinkedList
$ActionQueueFileName qf_tigger
$ActionQueueMaxDiskSpace 128m
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
*.info @tigger

$ActionQueueType LinkedList
$ActionQueueFileName qf_pooh
$ActionQueueMaxDiskSpace 128m
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
*.info @pooh

$ActionQueueType LinkedList
$ActionQueueFileName qf_eyore
$ActionQueueMaxDiskSpace 128m
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
*.info @eyore

$ActionQueueType LinkedList
$ActionQueueFileName qf_piglet
$ActionQueueMaxDiskSpace 128m
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
*.info @piglet

I am taking those defaults for the local and remote logging, updating them to the modern format, as well as adding information for what I want to happen for the logs being sent to this box. I basically worked from the included default rsyslog.conf file:

#### MODULES ####
module(load="imuxsock")    # provides support for local system logging (e.g. via logger command)
module(load="imklog")      # provides kernel logging support (previously done by rklogd)
#module(load="immark")     # provides --MARK-- message capability

# Provides UDP syslog reception; for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp")
input(type="imudp" port="514")    # turn on UDP listener for rsyslog

# Provides TCP syslog reception; for parameters see http://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp")    # needs to be done just once
#input(type="imtcp" port="514")

#### GLOBAL DIRECTIVES ####
# Use RFC 5424 Syslog format
$ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
# Debug format is RSYSLOG_DebugFormat; only use for testing

$WorkDirectory /var/lib/rsyslog    # where to place spool files

/* Sets timezone offset based on timezone string */
timezone(id="UTC" offset="+00:00")
timezone(id="PST" offset="-08:00")
timezone(id="PDT" offset="-07:00")

$IncludeConfig /etc/rsyslog.d/    # Include all config files in /etc/rsyslog.d/

#### Templates ####
template(name="TESTtpl" type="string" string="%timestamp% %msg%\n")

#### RULES ####
ruleset (
    name="q_default"
    queue.maxdiskspace="192m"
    queue.type="LinkedList"          # use asynchronous processing
    queue.saveonshutdown="on"        # save in-memory data if rsyslog shuts down
    action.resumeretrycount="-1"     # retry indefinitely on failure
    $RulesetCreateMainQueue on
)

# Log all kernel messages to the console. Logging much else clutters up the screen.
#kern.*                                   /dev/console

#### Unix Defaults ####
*.emerg                                   :omusrmsg:*          # Everybody gets emergency messages
*.info;mail.none;authpriv.none;cron.none  /var/log/messages
authpriv.*                                /var/log/secure      # The authpriv file has restricted access.
mail.*                                    /var/log/maillog     # Log all the mail messages in one place.
cron.*                                    /var/log/cron        # Log cron stuff
uucp,news.crit                            /var/log/spooler     # Save news errors of level crit and higher in a special file.
local7.*                                  /var/log/boot.log    # Save boot messages also to boot.log
kern.debug                                /var/log/kernlog
*.debug                                   /var/log/debug
*.*                                       /var/log/catchall

#### Local Defaults ####
#if prifilt("*.info")
*.info action(type="omfwd" target="tigger" queue.filename="qf_tigger" ruleset="q_default")
&      action(type="omfwd" target="pooh"   queue.filename="qf_pooh"   ruleset="q_default")
&      action(type="omfwd" target="piglet" queue.filename="qf_piglet" ruleset="q_default")
&      action(type="omfwd" target="eyore"  queue.filename="qf_eyore"  ruleset="q_default")

/* ### begin forwarding rule ###
   The statement between the begin ... end define a SINGLE forwarding
   rule. They belong together, do NOT split them. If you create multiple
   forwarding rules, duplicate the whole block!
   Remote Logging (we use TCP for reliable delivery)

   An on-disk queue is created for this action. If the remote host is
   down, messages are spooled to disk and sent when it is up again.
$ActionQueueFileName fwdRule1      # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g        # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on      # save messages to disk on shutdown
$ActionQueueType LinkedList        # run asynchronously
$ActionResumeRetryCount -1         # infinite retries if host is down
   remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @@remote-host:514
   ### end of the forwarding rule ### */

So while I have defined TESTtpl, I don't really know how to call it. I want to send all external UDP logs that are equal to auth.alert to /var/log/alerts using the TESTtpl template. Based on what I know, the basic way to do that would be:

auth.=alert    /var/log/alerts;TESTtpl

but eventually I will need to take %msg% and parse it for the hostname, as the true hostname is within the payload and the header only has the hostname for the forwarder.

I noticed you added the {} in the sample I added. Are they supposed to be used for things not within the ruleset(), action(), module(), timezone(), input(), output() functions?
-Nate

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
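A corrected form of the draft above, added here as an example; it is not part of Nate's post or of the rsyslog project's own files. It keeps the same hostnames (tigger, pooh, eyore, piglet) and file paths, and assumes two things that the post does not state: the forwarders' real hostname is the first word of the forwarded payload (a constructed layout, adjust the regex to what your forwarders actually send), and forwarding to the four collectors is done over TCP rather than the UDP `@` of the old config, since a disk-assisted queue with infinite retries only helps on a transport that can report a failed send. It addresses the three points the questions raise: a ruleset() carries its rules inside {}, a template is bound to an action with template=, and queue and retry settings are parameters of each action or of the ruleset itself (one queue cannot be shared by several actions by naming it in an action).

```conf
#### MODULES ####
module(load="imuxsock")    # local logging via /dev/log and logger(1)
module(load="imklog")      # kernel messages
module(load="imudp")
# Bind the UDP listener to its own ruleset so remote and local messages
# are handled by different rules and different queues.
input(type="imudp" port="514" ruleset="remote")

#### GLOBAL DIRECTIVES ####
global(workDirectory="/var/lib/rsyslog")    # spool directory for disk queues
# RFC 5424 output for every omfile action that does not name its own template
module(load="builtin:omfile" template="RSYSLOG_SyslogProtocol23Format")

#### TEMPLATES ####
# $.realhost is a local variable set inside the "remote" ruleset below
template(name="TESTtpl" type="string"
         string="%timestamp% %$.realhost% %msg%\n")

#### REMOTE MESSAGES (everything arriving on UDP/514) ####
# queue.* parameters on a ruleset give that ruleset its own disk-assisted
# queue; every rule inside the braces is fed from it.
ruleset(name="remote"
        queue.type="LinkedList"
        queue.filename="q_remote"
        queue.maxdiskspace="192m"
        queue.saveonshutdown="on") {

    # Assumption (constructed layout): the forwarder places the originating
    # host as the first word of the payload, e.g.
    #   " host01 sshd[1234]: Failed password for root from 10.0.0.5"
    # re_extract(expr, regex, match#, submatch#, no-match-value) stores the
    # first submatch in $.realhost, or "unknown" if the pattern fails.
    set $.realhost = re_extract($msg, "^ *([^ ]+) ", 0, 1, "unknown");

    # "auth.=alert" means exactly alert, not alert and above
    if prifilt("auth.=alert") then {
        action(type="omfile" file="/var/log/alerts" template="TESTtpl")
    }
    # everything from remote hosts also lands in the catch-all
    action(type="omfile" file="/var/log/catchall")
}

#### LOCAL MESSAGES (default ruleset; the UDP input never reaches here) ####
*.emerg                                   :omusrmsg:*
*.info;mail.none;authpriv.none;cron.none  /var/log/messages
authpriv.*                                /var/log/secure
mail.*                                    /var/log/maillog
cron.*                                    /var/log/cron
uucp,news.crit                            /var/log/spooler
local7.*                                  /var/log/boot.log
kern.debug                                /var/log/kernlog

# Forward *.info to the four collectors. queue.* and action.* are per-action
# parameters (the RainerScript form of the old $ActionQueue* directives), so
# each target gets its own spool files and retries independently.
*.info action(type="omfwd" target="tigger" port="514" protocol="tcp"
              queue.type="LinkedList" queue.filename="qf_tigger"
              queue.maxdiskspace="128m" queue.saveonshutdown="on"
              action.resumeRetryCount="-1")
&      action(type="omfwd" target="pooh" port="514" protocol="tcp"
              queue.type="LinkedList" queue.filename="qf_pooh"
              queue.maxdiskspace="128m" queue.saveonshutdown="on"
              action.resumeRetryCount="-1")
&      action(type="omfwd" target="eyore" port="514" protocol="tcp"
              queue.type="LinkedList" queue.filename="qf_eyore"
              queue.maxdiskspace="128m" queue.saveonshutdown="on"
              action.resumeRetryCount="-1")
&      action(type="omfwd" target="piglet" port="514" protocol="tcp"
              queue.type="LinkedList" queue.filename="qf_piglet"
              queue.maxdiskspace="128m" queue.saveonshutdown="on"
              action.resumeRetryCount="-1")
```

Check the file before restarting the daemon with `rsyslogd -N1 -f /etc/rsyslog.conf`, which parses the configuration and reports errors without starting rsyslog. The legacy selector form `auth.=alert /var/log/alerts;TESTtpl` from the post is also accepted and does the same as the omfile action above; the action form is only needed once you want the extracted `$.realhost` variable, a filter more complex than a priority selector, or queue parameters on that action.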

