Hi everyone,
I've inherited an rsyslog setup that works well but I've been tasked with
forwarding Linux logs from the central logging server to a remote syslog
server for a team to run additional analysis.
Within the Linux.conf template I'm needing to use an action to forward the
logs but Omfwd didn't seem to work at all and I'm not sure how I can
troubleshoot it.
I'm currently using Omudpspoof but the remote syslog server is showing the
source of the logs as the hostname of the sending syslog server, not the
hostname of the incoming logs to the central syslog server.
The setup is running Rsyslog v8.25.0 configured with multiple templates like
so:
rsyslog.conf
rsyslog.d/
--Base.conf
--Windows.conf
--Linux.conf
Here's the layout of the Linux.conf template:
module(load="omudpspoof")
template(name="nixLogs" type="string"
         string="/syslog/linux/%HOSTNAME%/%HOSTNAME%_%$MONTH%%$DAY%_%$HOUR%_linix.log")
template(name="spoofaddr" type="string" string="%hostname%")
if $hostname startswith "lin00" or $hostname startswith "lnxsrv"
then {
    action(type="omfile"
           DirCreateMode="0750"
           DirGroup="logteam"
           FileCreateMode="0740"
           FileGroup="logteam"
           DynaFile="nixLogs")
    & action(type="omudpspoof" Target="192.168.1.25"
             sourcetemplate="spoofaddr")
    & stop
}
--
View this message in context:
http://rsyslog-users.1305293.n2.nabble.com/Log-forwarding-with-Omudpspoof-tp7592247.html
Sent from the rsyslog-users mailing list archive at Nabble.com.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
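A receiver can take a log's "source" from two places: the UDP packet's source address, which omudpspoof's sourcetemplate controls, or the HOSTNAME field in the syslog header, which the message template controls. The following added example (not part of the original post) is a small test listener that reports both for each datagram; the function names, port 5514, relay address and sample messages are assumptions constructed for illustration.

```python
import re
import socket

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME ...   RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME ...
_RFC5424 = re.compile(rb"^<\d{1,3}>1 \S+ (\S+) ")
_RFC3164 = re.compile(rb"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ")

def header_hostname(datagram):
    """Return the HOSTNAME field from the syslog header, or None if unparsable."""
    for pattern in (_RFC5424, _RFC3164):
        m = pattern.match(datagram)
        if m:
            return m.group(1).decode("ascii", "replace")
    return None

def describe(src_ip, datagram, relay_ip):
    """Report both notions of 'source' for one received datagram."""
    return {
        "packet_source": src_ip,                       # set by the sender's IP header
        "header_hostname": header_hostname(datagram),  # set by the message template
        "packet_source_is_relay": src_ip == relay_ip,  # True if no spoofing took effect
    }

def listen(relay_ip, bind=("0.0.0.0", 5514), count=10):
    """Print both sources for `count` datagrams arriving on a test port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        for _ in range(count):
            data, (src_ip, _port) = s.recvfrom(8192)
            print(describe(src_ip, data, relay_ip))

# Constructed sample datagrams (not taken from the original post).
SAMPLE_3164 = b"<38>Jul  4 10:15:02 lin0042 sshd[2211]: Accepted publickey for ops"
SAMPLE_5424 = b"<38>1 2017-07-04T10:15:02Z lnxsrv07 sshd 2211 - - Accepted publickey"

if __name__ == "__main__":
    # 192.168.1.10 is a constructed address standing in for the central server.
    print(describe("192.168.1.10", SAMPLE_3164, relay_ip="192.168.1.10"))
```

Running `listen()` on the remote side against a non-privileged test port shows whether the relay's address is arriving in the packet, in the header, or in both.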