Re: [rsyslog] Complex forwarding and spoofing question

Wed, 30 Sep 2015 18:15:07 -0700 

On Thu, 1 Oct 2015, Randy Baca wrote:


I have a complex issue to resolve and I would like to use rsyslog for it.  
Hopefully someone has done this.



Currently we have a number of remote sites and each site has a single syslog 
server collecting events from multiple hosts.  We need to keep the flow going 
to the legacy syslog servers and also forward all events to a central server at 
one of the sites.  The legacy syslog servers need to stay running until several 
other projects get completed; maybe a year.



This is what we want to do.  We have pieces of it working but can't get 
everything at once.

 *   Set up rsyslog on the same server that is running the legacy service.
 *   Change the legacy service to run on udp/515.
 *   Configure rsyslog to receive on existing ports udp/tcp 514.  We are 
essentially injecting it between the sending hosts and the legacy service.
 *   Configure rsyslog to forward and spoof (omudpspoof) to 127.0.0.1 on 
udp/515.   We need the exact original message because of all the custom parsers 
written over the years.
 *   Add another action to forward all messages to the central location.  Some 
sites are not high bandwidth, so we will need compression, TCP for reliability, 
and spooling in case the link goes down or one of the endpoints reboots.
 *   The server at the central location will itself then forward to multiple 
services locally.

Is this do-able?  Can someone get me started with an example config?
it's doable, but you shouldn't need to do the spoofing. Spoofing is only needed if the receiving system ignores the text of the log message and instead uses the IP address in the packet. 

It's as simple as two outputs

@localhost:515
@remotesystem

or @@remotesystem if you want to use TCP forwarding

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to