On Wed, 24 Apr 2019, Gorman, Kevin via rsyslog wrote:
> An earlier mail had a suggestion to add a name to the *.* action. That looks
> easy enough since name is an action parameter.

by the way, with 8.x you can leave out the *.*, you could just do
call linux_forward

> Unfortunately, my action is in a ruleset, so everything gets the same name. It
> would be useful to add some parameter to the inputs to ID them, or add a
> property to the messages in the inputs. I haven't found a way to do either but
> I have been studying the docs. This is on the old 8.24 version used on RHEL 7
> and I can't change it.
>
> The idea is to have something to correlate messages with on the remote end,
> such as a custom message property.

you set the tag on the messages as part of your imfile config.

what type of things are you trying to correlate on? can you give some example
messages?

one thing I like to do is to have my relays do message parsing and then pass
json in the body of the message ($! setting $!msg = $msg), and I reserve the
namespace 'trusted' for the relays to add metadata to the log message.

on the receiving server, you can then parse the message body and retrieve all
the variables that were set, including the original msg body so you can recreate
the original message as/if needed.

David Lang

> module(load="imfile" mode="inotify")
>
> global (
>     parser.dropTrailingLFOnReception="on"
>     parser.escapeControlCharactersOnReceive="on"
>     workDirectory="/var/lib/rsyslog"
> )
>
> # VIPS
> # CO 2001:4888:a05:3161:e0:9:0:100
> # TX 2001:4888:a03:3161:c0:9:0:100
> # SD 2001:4888:a00:3161:f0:9:0:100
> # Vendor fd00:0:a05:3161:e0:9::100
> # Dublin
>
> ruleset(
>     name="linux_forward"
>     queue.type="LinkedList"
>     queue.filename="FwdRule0"
>     queue.maxDiskSpace="1g"
>     queue.saveOnShutdown="on"
> ) {
>     action(
>         type="omfwd"
>         name="all_logs"
>         target="2001:4888:a00:3161:f0:9:0:100" # logserver VIP
>         protocol="tcp"
>         port="5544"
>         action.resumeRetryCount="-1"
>     )
> }
>
> *.* call linux_forward
>
> input(
>     type="imfile"
>     ruleset="linux_forward"
>     tag="ansible"
>     file="/var/log/ansible.log"
>     escapeLF="on"
> )
>
> input(
>     type="imfile"
>     ruleset="linux_forward"
>     tag="audit"
>     file="/var/log/audit.log"
>     escapeLF="on"
> )
>
> input(
>     type="imfile"
>     ruleset="linux_forward"
>     tag="iptables"
>     file="/var/log/iptables.log"
>     escapeLF="on"
> )
>
> input(
>     type="imfile"
>     ruleset="linux_forward"
>     tag="firewalld"
>     file="/var/log/firewalld"
>     escapeLF="on"
> )

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
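
The approach described in the reply above (JSON in the message body, a 'trusted' namespace for sender-added metadata, parsing on the receiving server), sketched as an added example that is not part of the original thread or either poster's configuration. The template names, the `trusted` field names, the `from_relays` ruleset, the output paths and the placeholder target are assumptions; the ruleset queue settings are omitted for brevity.

```rsyslog
# ---- sending host / relay: wrap each message in JSON before forwarding ----
# Assumed names: json_relay, $!trusted!input_tag, $!trusted!relay.
template(name="json_relay" type="string"
         string="<%pri%>%timestamp:::date-rfc3339% %hostname% %syslogtag% @cee:%$!%\n")

ruleset(name="linux_forward") {
    set $!msg = $msg;                      # original body, carried as a JSON string
    set $!trusted!input_tag = $syslogtag;  # the imfile tag= value ("audit", "iptables", ...)
    set $!trusted!relay = $$myhostname;    # host that attached the metadata
    action(type="omfwd" name="all_logs"
           target="logserver.example.net"  # placeholder, not the VIP from the post
           protocol="tcp" port="5544"
           template="json_relay"
           action.resumeRetryCount="-1")
}

input(type="imfile" ruleset="linux_forward" tag="audit"
      file="/var/log/audit.log" escapeLF="on")

# ---- receiving server: parse the JSON body back into message variables ----
module(load="imtcp")
module(load="mmjsonparse")

# Rebuild a line from the parsed fields; $!msg is the original message body.
template(name="by_source" type="string"
         string="%timegenerated:::date-rfc3339% %$!trusted!relay% %$!trusted!input_tag% %$!msg%\n")

ruleset(name="from_relays") {
    action(type="mmjsonparse")             # looks for the @cee: cookie, fills $!
    if $parsesuccess == "OK" then {
        action(type="omfile" file="/var/log/remote/relayed.log" template="by_source")
    } else {
        # Keep anything that did not parse, so malformed input is visible.
        action(type="omfile" file="/var/log/remote/unparsed.log")
    }
}

input(type="imtcp" port="5544" ruleset="from_relays")
```

Because the original text travels as the string value of `msg`, content written into a log file on the sending host cannot add or overwrite keys under `trusted`; the receiver should still accept this format only on a port that its relays alone can reach.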