Hi there,
I am looking into the following configuration but a bit unsure about
some implementation details...
Several originators send syslog messages to a rsyslog relay which shall
do the following tasks:
1) Write every log message to separate files based on hostnames.
2) Apply a few filters and send remaining syslog messages to central
SIEM solution.
3) In parallel to 2) apply a different set of filters (not necessarily a
superset) and write remaining syslog messages to a separate file for
realtime monitoring. (I'll just tail this one.)
Concatenating steps 2 and 3 within a single ruleset is straightforward
but only works under the assumption that the filters applied in 2 are a
subset of the filters applied in 3.
This brings me to my questions: Is there a way to process a single
syslog message in multiple rulesets (action chains) in parallel without
affecting each other? Is "call()" the right way to go, like use "call
rs_siem; call rs_rtmon" inside a ruleset rs_main?
If that isn't possible, what would be the best alternative to achieve
this? Off the top of my head I could think about sending each message
twice for the two rulesets rs_siem and rs_rtmon...
Best,
Matthias
PS: Apologies if this question has been asked and answered on the
mailing list but I didn't manage to find it. Please simply point to the
email thread so I can digest the info from there.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
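For reference, below is a worked rsyslog (RainerScript) configuration for the layout asked about above: one entry ruleset that archives per host, then hands the same message to two independent rulesets via "call". This is an added example written for this archive, not code from Matthias's post and not an official rsyslog sample. Ruleset names rs_main/rs_siem/rs_rtmon are taken from the question; the SIEM address 10.0.0.5:6514, the CA file path, the peer name siem.example.org and the /var/log/relay paths are assumptions. The two filters are deliberately not sub/supersets of each other (rs_siem keeps authpriv plus warning-and-above minus one noise pattern; rs_rtmon keeps sshd plus error-and-above), and neither called ruleset uses "stop", so each one only decides what it writes itself. Giving each called ruleset its own queue means the message is enqueued to that queue and rs_main continues immediately, so the two rulesets do not block each other. The "secpath-replace" option on HOSTNAME is there because the originators control that field; without it a hostname containing "/" would steer the per-host file out of the intended directory.

```rsyslog
# Added example configuration (not from the original post). Assumed values are
# marked below; adjust them to your environment.
module(load="imudp")
module(load="imtcp")

# Assumption: TLS to the SIEM with a CA file at this path.
global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem")

# All originators land in rs_main.
input(type="imudp" port="514" ruleset="rs_main")
input(type="imtcp" port="514" ruleset="rs_main")

# 1) One file per originating host. secpath-replace turns "/" in the (attacker
#    controlled) HOSTNAME into "_", so no originator can pick a path outside
#    /var/log/relay/.
template(name="t_perhost" type="string"
         string="/var/log/relay/%HOSTNAME:::secpath-replace%.log")

# 2) SIEM feed. Own queue, so the message is copied here and rs_main goes on.
#    No "stop" in this ruleset: it only decides what it forwards itself.
ruleset(name="rs_siem" queue.type="LinkedList" queue.size="100000") {
    if ($syslogfacility-text == "authpriv" or $syslogseverity <= 4)
       and not ($programname == "systemd" and $msg contains "Started Session")
    then {
        # Assumption: SIEM at 10.0.0.5:6514, certificate name siem.example.org.
        action(type="omfwd" target="10.0.0.5" port="6514" protocol="tcp"
               template="RSYSLOG_SyslogProtocol23Format"
               StreamDriver="gtls" StreamDriverMode="1"
               StreamDriverAuthMode="x509/name"
               StreamDriverPermittedPeers="siem.example.org"
               action.resumeRetryCount="-1")
    }
}

# 3) Realtime-monitoring file with a different, overlapping filter set.
ruleset(name="rs_rtmon" queue.type="LinkedList" queue.size="10000") {
    if $programname == "sshd" or $syslogseverity <= 3 then {
        action(type="omfile" file="/var/log/relay/rtmon.log"
               template="RSYSLOG_TraditionalFileFormat"
               fileCreateMode="0640")
    }
}

ruleset(name="rs_main") {
    # Archive every message per host before any filtering.
    action(type="omfile" dynaFile="t_perhost"
           dirCreateMode="0750" fileCreateMode="0640")
    # Same message into both rulesets; each runs its own filters on its own
    # queue, so neither filter set has to contain the other.
    call rs_siem
    call rs_rtmon
}
```

Validate with "rsyslogd -N1 -f /path/to/this.conf" before deploying. If you do want to drop a message early in rs_main (for example a known-noisy source nobody wants), put the "stop" there, before the two calls, rather than inside rs_siem or rs_rtmon.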