Hi,
I am cleaning up/consolidating my config file and wonder if anyone would be willing to give me some advice? Is there a better way to manage the if blocks and condense them into a single statement so it is cleaner to read? Another thing I am looking to do is set up TLS, and I just can't seem to get the info straight as to how the system should be configured within the confines of my current config setup. This seems to be the only document I can find:
http://www.rsyslog.com/doc/v8-stable/tutorials/tls_cert_summary.html
Since that hasn't been updated since 2008, I was wondering if there was a newer document, or if some of those features have been added into the newer RainerScript? Otherwise, how would I implement that within my current config?
And are there any Open Source Windows clients that support RELP?
Thanks for any help; please see the full config below, running v8.14.
#### configuration file ####
# note that most of this config file uses old-style format.
# For more advanced things, RainerScript configuration is suggested.
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see
# http://www.rsyslog.com/doc/troubleshoot.html
# Set max message size for large syslog messages
$MaxMessageSize 64k
# This makes sense adding this part in (proposed addition, highlighted in
# the original post)
#### Enable SSL/TLS Mode ####
$DefaultNetstreamDriver gtls # use gtls netstream driver
$DefaultNetstreamDriverCAFile /etc/pki/rsyslog/ca.crt
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/machine-cert.crt
$DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/machine-key.key
#### MODULES ####
# for parameters see http://www.rsyslog.com/doc
module(load="impstats")
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
module(load="imklog") # provides kernel logging support (previously done by rklogd)
#module(load="immark") # provides --MARK-- message capability
module(load="imtcp") # Provides TCP syslog reception; needs to be done just once
#module(load="imudp") # Provides UDP syslog reception; needs to be done just once
#### Inputs ####
input(type="imtcp" port="514") # accept connection on port tcp 514
# do I add this in here? (the StreamDriver lines are a proposed addition,
# highlighted in the original post)
input(type="imtcp" port="11514"
      StreamDriver.mode="1"
      StreamDriver.authmode="x509/certvalid"
) # accept tls connection on port tcp 11514
#input(type="imudp" port="514") # accept connection on port udp 514
#### GLOBAL DIRECTIVES ####
#Preserve Fully Qualified Domain Name
$PreserveFQDN on
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# default location for work (spool) files
$WorkDirectory /var/spool/rsyslog
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
#### Templates ####
template(name="RemoteMsg" type="string"
         string="/var/log/rsyslog/%HOSTNAME:::lowercase%.log")
template(name="GRAYLOGRFC5424" type="string"
         string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME:::lowercase% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")
template(name="ESXTIMEFIX" type="string"
         string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME:::lowercase% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")
# where do I add the output rules for tls?
### RULES for where to send Log Files ####
if $hostname == 'host00.domain.tld' then {
*.* ?RemoteMsg
*.* @@node-master.domain.tld:10514;ESXTIMEFIX
stop
}
if $hostname == 'host01.domain.tld' then {
*.* ?RemoteMsg
*.* @@node-master.domain.tld:10514;ESXTIMEFIX
stop
}
if $hostname == 'host02.domain.tld' then {
*.* ?RemoteMsg
*.* @@node-master.domain.tld:10514;ESXTIMEFIX
stop
}
if $hostname == 'host03.domain.tld' then {
*.* ?RemoteMsg
*.* @@node-master.domain.tld:10514;ESXTIMEFIX
stop
}
if $hostname == 'host04.domain.tld' then {
*.* ?RemoteMsg
*.* @@node-master.domain.tld:10514;ESXTIMEFIX
stop
}
if $hostname == 'host05.domain.tld' then {
*.* ?RemoteMsg
*.* @@node-master.domain.tld:10514;ESXTIMEFIX
stop
}
# send everything to log parser
action(type="omfwd"
target="node-master.domain.tld"
port="10514"
protocol="tcp"
template="GRAYLOGRFC5424"
queue.spoolDirectory="/var/spool/rsyslog"
queue.filename="wait_queue"
queue.size="1000000"
queue.type="LinkedList"
)
# sort the logs into standard files
if $fromhost-ip != "127.0.0.1" then {
*.* ?RemoteMsg
stop
}
# Log kernel messages to the console. Logging much else clutters up the screen.
#kern.* /dev/console
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
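The following is an added example, not the poster's config and not code from the rsyslog project. It answers both configuration questions in the post in one consolidated RainerScript file: the six identical per-host if blocks collapse into a single array comparison, and TLS is placed where rsyslog 8.x expects it (certificate paths in global(), server-side settings as imtcp module parameters, client-side settings as omfwd action parameters). Hostnames, ports, certificate paths and template names are the ones from the post; the x509/name authentication mode, the permitted-peer names, and the use of imptcp for the plain-text listener are my assumptions. The caveat the post's draft runs into is that on 8.14 imtcp accepts StreamDriver.* only as module(load="imtcp" ...) parameters, so one imtcp instance is either all-TLS or all-plain; input-level StreamDriver.* parameters for imtcp are a later addition. The example therefore serves plain port 514 from imptcp and reserves imtcp for TLS on 11514.

```conf
# Added example, not the config from the post: rsyslog 8.x RainerScript
# with the six per-host blocks collapsed and TLS placed where 8.14 expects it.
# Hostnames, ports, paths and template names are taken from the post;
# x509/name, the permitted-peer names and imptcp for plain TCP are assumptions.

global(
    maxMessageSize="64k"
    workDirectory="/var/spool/rsyslog"
    preserveFQDN="on"
    defaultNetstreamDriver="gtls"
    defaultNetstreamDriverCAFile="/etc/pki/rsyslog/ca.crt"
    defaultNetstreamDriverCertFile="/etc/pki/rsyslog/machine-cert.crt"
    defaultNetstreamDriverKeyFile="/etc/pki/rsyslog/machine-key.key"
)

#### MODULES ####
module(load="imuxsock")   # local system logging (logger command, /dev/log)
module(load="imklog")     # kernel messages
module(load="impstats")   # periodic input/queue/action counters

# Plain-text listener on 514. imptcp has no TLS support at all, so it can
# sit beside a TLS-only imtcp instance; on 8.14 imtcp's StreamDriver.*
# settings are module-wide, so one imtcp cannot serve both 514 and 11514.
module(load="imptcp")
input(type="imptcp" port="514")

# TLS listener on 11514. x509/name checks the client chain against the CA
# file and then matches the certificate name against permittedPeer;
# x509/certvalid would accept any certificate the CA signed.
module(load="imtcp"
       streamDriver.name="gtls"
       streamDriver.mode="1"
       streamDriver.authMode="x509/name"
       permittedPeer=["*.domain.tld"])
input(type="imtcp" port="11514")

#### TEMPLATES ####
template(name="RemoteMsg" type="string"
         string="/var/log/rsyslog/%HOSTNAME:::lowercase%.log")
# GRAYLOGRFC5424 and ESXTIMEFIX in the post are identical, so one suffices.
template(name="GRAYLOGRFC5424" type="string"
         string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME:::lowercase% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

# Drop-in files; the legacy directive is kept because the RainerScript
# include() object postdates 8.14.
$IncludeConfig /etc/rsyslog.d/*.conf

#### RULES ####
# Forward everything to the parser over TLS. The forwarder verifies the
# parser's certificate and pins its name; the disk-assisted queue keeps
# local logging flowing while node-master is unreachable.
action(type="omfwd"
       target="node-master.domain.tld" port="10514" protocol="tcp"
       template="GRAYLOGRFC5424"
       StreamDriver="gtls"
       StreamDriverMode="1"
       StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="node-master.domain.tld"
       queue.type="LinkedList"
       queue.filename="wait_queue"
       queue.size="1000000"
       queue.saveOnShutdown="on")

# The six per-host if blocks become one array comparison: "==" against an
# array is true when $hostname equals any element.
# re_match($hostname, "^host0[0-5]\\.domain\\.tld$") is the regex alternative.
if $hostname == ["host00.domain.tld", "host01.domain.tld", "host02.domain.tld",
                 "host03.domain.tld", "host04.domain.tld", "host05.domain.tld"] then {
    action(type="omfile" dynaFile="RemoteMsg")
    stop
}

# Any other remote sender is also filed per host and goes no further.
if $fromhost-ip != "127.0.0.1" then {
    action(type="omfile" dynaFile="RemoteMsg")
    stop
}

# Local messages: legacy selectors remain valid inside a RainerScript file.
*.emerg                                     :omusrmsg:*
authpriv.*                                  /var/log/secure
mail.*                                      /var/log/maillog
cron.*                                      /var/log/cron
uucp,news.crit                              /var/log/spooler
local7.*                                    /var/log/boot.log
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
```

Validate the file with `rsyslogd -N1` before restarting; it parses the configuration without running it and reports unknown parameters, which is exactly how a StreamDriver.* setting in the wrong object shows up on 8.14. With x509/name, the names given in permittedPeer and StreamDriverPermittedPeers must match the CN or subjectAltName of the certificates the CA issued to the peers; if they do not, the TLS handshake completes but rsyslog rejects the session, so check the peer certificate subjects before blaming the key material.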