Setup:

* Latest stable rsyslog from Ubuntu PPA
* 50-60 clients, sending to central receiver via omrelp (JSON payloads)
* About 5 clients, sending to central receiver via omfwd/tcp (standard
syslog)

I use a standard "client" configuration for all nodes, including a
central receiver that feeds into several downstream receivers (archival,
testing, Graylog). The standard configuration does a $$myhostname check
and if a match for the central receiver fails then the client forwards
its messages on to the central receiver.

I have a standard "server" configuration that is used on the central
receiver and two downstream receivers. A similar $$myhostname check is
made and if a match succeeds for the central receiver then messages are
forwarded on to the downstream receivers, otherwise if a match is made
for the test downstream receiver then a set of test rules is run. Both
downstream receivers forward their local messages back to the central
receiver.

The central receiver has a ruleset bound to imrelp that processes the
JSON payloads created on the rsyslog client systems. Another ruleset is
bound to 514/tcp and 514/udp that processes standard syslog messages.

I'd like to get the local messages from the central receiver back into
that same receiver. The way I have previously been doing this is by
calling the same ruleset that is bound to imrelp. This was accomplished
by way of a separate conf fragment that was only included on the
"server" nodes.

Because I'm attempting to use a standardized rsyslog configuration for
ALL nodes, I tossed that separate conf fragment and wrapped the imrelp
ruleset call in the $$myhostname check that is used on all client
systems. The conf file containing that imrelp ruleset is not present on
the client systems.

On those client systems this causes rsyslog to complain that the ruleset
cannot be found, even with the $$myhostname check in place that excludes
the ruleset from being called on the client systems.

I know that in the end if I wish to have this level of abstraction
(e.g., don't repeat myself, have a common "client" configuration) I will
probably have to look at one of the automation tools I've heard about
(Chef, Puppet, Terraform, etc.), but I am trying for a smaller solution
for the time being.

How do others handle processing messages generated locally on their
central receivers? Do you just use the same forwarding rules/ruleset
that the clients use so that local messages on the receiver are
forwarded in via the imrelp interface?
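
The failure described in the message above, where a ruleset reference is rejected on nodes that lack the defining fragment even though a $$myhostname check guards it, can be caught before a shared configuration is rolled out. The following is an added example, not part of the original post and not rsyslog's own code: a Python check that lists `call` and `input(... ruleset=...)` references with no matching `ruleset()` definition among the fragments a node will load. The fragment contents, the host name `central`, the ruleset name `relp_json`, the file names and the port are constructed for illustration.

```python
import re

# Constructed sample fragments (hypothetical names, paths and ports).
COMMON_CONF = '''
module(load="omrelp")
if $$myhostname == "central" then {
    call relp_json        # guarded by the hostname check
} else {
    action(type="omrelp" target="central" port="2514")
}
'''
SERVER_CONF = '''
module(load="imrelp")
ruleset(name="relp_json") {
    action(type="omfile" file="/var/log/central.log")
}
input(type="imrelp" port="2514" ruleset="relp_json")
'''

RULESET_DEF = re.compile(r'ruleset\s*\(\s*name\s*=\s*"([^"]+)"')
CALL_STMT = re.compile(r'^\s*call\s+([\w.\-]+)', re.M)
INPUT_BIND = re.compile(r'^\s*input\s*\([^)]*\bruleset\s*=\s*"([^"]+)"', re.M)


def unresolved_rulesets(fragments):
    """Return sorted (file, ruleset) references that no fragment defines.

    fragments maps a file name to its text. Conditionals are ignored on
    purpose: the check is static, like the behaviour reported in the post.
    """
    defined, refs = set(), []
    for name, text in fragments.items():
        body = re.sub(r'#.*', '', text)  # drop comments (simplified)
        defined.update(RULESET_DEF.findall(body))
        for pattern in (CALL_STMT, INPUT_BIND):
            refs.extend((name, target) for target in pattern.findall(body))
    return sorted(ref for ref in refs if ref[1] not in defined)


if __name__ == "__main__":
    node_sets = {
        "client": {"common.conf": COMMON_CONF},
        "server": {"common.conf": COMMON_CONF, "server.conf": SERVER_CONF},
    }
    for role, fragments in node_sets.items():
        print(role, unresolved_rulesets(fragments))
```

Run against the file set each node role will actually receive; a non-empty result for any role means that role's rsyslog will report a missing ruleset.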