You can do this pretty easily by having a ruleset with two actions in it, e.g.:
ruleset(name="dupe_logs") {
    # Local copy written to a file
    action(
        name="send_to_file"
        type="omfile"
        file="/logs/mylog.log"
    )
    # Second copy forwarded to the other collector
    action(
        name="send_to_other_log_collector"
        type="omfwd"
        target="my_collector.mybusiness.com"
        port="12345"
    )
}
Andrew Griffin
Apple
ETS / Integration Services
> On Sep 20, 2017, at 8:45 AM, Don M Subscriptions via rsyslog
> <[email protected]> wrote:
>
> Greetings.
>
> We have a firewall and some other sources sending data to our syslog server
> and we would like to forward the original message from one of the input
> sources to a supplemental log collector. In other words, I would like to take
> logs from 192.168.1.1 and send them to two destinations.
>
> Googling this tends to get articles on basic setup.
>
> I'd imagine that I need a "from host" type of a test in an if statement, and
> send it within a set of curly braces?
>
> Thanks in advance for help.
>
> --
> -----
>
> Don Murdoch, Director, Security Services @ SLAIT
> Book site: www.blueteamhandbook.com
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
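Combining the question's per-source test with the two-action ruleset from the reply, as an added example that is not part of the original thread. It assumes an input is already configured and that omfwd is left on its default UDP transport; the template name raw_msg is hypothetical, and the path, target and port are the thread's sample values.

```conf
# Added example, not from the thread. raw_msg is a hypothetical name.
# %rawmsg% is the message exactly as it arrived, so the second collector
# receives the original text rather than a reformatted copy.
template(name="raw_msg" type="string" string="%rawmsg%")

ruleset(name="dupe_logs") {
    # Destination 1: local file
    action(
        name="send_to_file"
        type="omfile"
        file="/logs/mylog.log"
    )
    # Destination 2: supplemental collector, original message unchanged
    action(
        name="send_to_other_log_collector"
        type="omfwd"
        target="my_collector.mybusiness.com"
        port="12345"
        template="raw_msg"
    )
}

# Select on $fromhost-ip, the address rsyslog saw the message arrive from,
# not on the hostname field inside the message, which the sender chooses.
if $fromhost-ip == '192.168.1.1' then {
    call dupe_logs
    # Add "stop" here if these messages should not also reach later rules.
}
```

Running `rsyslogd -N1` checks the configuration for syntax errors before the service is restarted.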

