Re: [rsyslog] Allocating certain logs to certain files
On Wed, 3 Apr 2013, Josh Bitto wrote:

> I have the same setup. I have my central rsyslog server and splunk server on
> the same box. I'm having all clients send logs and having rsyslog put them in
> different log locations. Then on the splunk side I'm just indexing those file
> locations. What method are you using to throw away all other logs?

In the configuration, before you write the logs out to disk, add lines that match logs that you don't want to log with the action '~'; that will cause rsyslog to stop looking for more rules to match for that log entry.

> I've not heard of a sinkhole directory.

It's very similar to a monitor directory, but with a sinkhole, Splunk will delete the file after it's indexed it. That way you don't have to figure out what files have and have not been indexed if Splunk has stopped at some point, and Splunk doesn't have to check the stats of large numbers of files that accumulate when trying to figure out what to work on.

David Lang
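The rule ordering discussed in this thread, written out as an added example in the legacy rsyslog syntax the posters use; it is not a configuration posted by anyone on the list. The template names, the /var/log/hosts layout, the feed file path and the choice of what goes to Splunk are assumptions.

```conf
# Added example: legacy-format rsyslog.conf fragment for the central server.
# Place it ABOVE the distribution's default rules (the ones that write
# /var/log/messages, /var/log/secure, ...). rsyslog evaluates rules top to
# bottom, and a message that hits the discard action never reaches them.

# Receive from the clients over UDP.
$ModLoad imudp
$UDPServerRun 514

# One directory per sending host (names and paths are assumptions).
$template DYNsecure,"/var/log/hosts/%fromhost-ip%/secure"
$template DYNmaillog,"/var/log/hosts/%fromhost-ip%/maillog"
$template DYNcron,"/var/log/hosts/%fromhost-ip%/cron"
$template DYNmessages,"/var/log/hosts/%fromhost-ip%/messages"

# Locally generated messages carry fromhost-ip 127.0.0.1, so every rule
# below only touches messages that arrived from the network.

# 1. Throw away what should never be stored.
#    $syslogseverity is numeric: 0 emerg, 1 alert, 2 crit, 3 err,
#    4 warning, 5 notice, 6 info, 7 debug. Lower means more urgent, so
#    "<= '6'" (the test asked about in the thread) keeps everything except
#    debug, and "> '6'" selects debug only. '~' is the discard action.
if $fromhost-ip != '127.0.0.1' and $syslogseverity > '6' then ~

# 2. Small feed file for Splunk: authentication events plus anything at
#    warning or worse. An external job is expected to move this file into
#    the sinkhole directory (path is an assumption).
if $fromhost-ip != '127.0.0.1' and \
   ( $syslogfacility-text == 'authpriv' or $syslogseverity <= '4' ) \
then /var/log/splunk-feed/current.log

# 3. Per-host files, split by facility like the stock rsyslog.conf does.
if $fromhost-ip != '127.0.0.1' and $syslogfacility-text == 'authpriv' then ?DYNsecure
if $fromhost-ip != '127.0.0.1' and $syslogfacility-text == 'mail' then ?DYNmaillog
if $fromhost-ip != '127.0.0.1' and $syslogfacility-text == 'cron' then ?DYNcron
if $fromhost-ip != '127.0.0.1' and \
   $syslogfacility-text != 'authpriv' and \
   $syslogfacility-text != 'mail' and \
   $syslogfacility-text != 'cron' \
then ?DYNmessages

# 4. Remote messages are now fully handled. Discard them so they do not
#    also land in the server's own /var/log/messages further down.
#    (rsyslog v7 and later spell this action "stop".)
:fromhost-ip, !isequal, "127.0.0.1" ~

# ... distribution default rules for the server's own logs follow here ...
```

Running `rsyslogd -N1` after editing checks the file for syntax errors without starting the daemon.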
Re: [rsyslog] Allocating certain logs to certain files
I have the same setup. I have my central rsyslog server and splunk server on the same box. I'm having all clients send logs and having rsyslog put them in different log locations. Then on the splunk side I'm just indexing those file locations.

What method are you using to throw away all other logs? I've not heard of a sinkhole directory.

-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Wednesday, April 03, 2013 2:58 PM
To: rsyslog-users
Subject: Re: [rsyslog] Allocating certain logs to certain files

What I do with splunk is that I have my clients send all the logs up to my central server, and Splunk server. I then have the rsyslog on the Splunk server write the logs that I want splunk to index into a file and then throw all the other logs away. I roll the log from where it's written into a splunk sinkhole directory once a minute.

David Lang
Re: [rsyslog] Allocating certain logs to certain files
What I do with splunk is that I have my clients send all the logs up to my central server, and Splunk server. I then have the rsyslog on the Splunk server write the logs that I want splunk to index into a file and then throw all the other logs away. I roll the log from where it's written into a splunk sinkhole directory once a minute.

David Lang

On Wed, 3 Apr 2013, Josh Bitto wrote:

> Would these if then statements work for windows events?
>
> Basically here is my goal...
>
> I want to use splunk as a Management tool for my logs (free version is 500 mb
> volume/24 hour period) but I want rsyslog to forward log files to my
> central log server.
> In order to stay under that 500mb limit for the whole network. I want to
> determine what is an acceptable exclusion for indexing data from a file
> source. The file source would be what you just helped me with.
>
> The coding that I had before made my log files for messages huge.
>
> So could you help me understand what $syslogseverity <= '6' means?
>
> I want to log the important stuff and exclude stuff that doesn't really matter
> for both linux and windows logs.
>
> Note: the windows side will be much easier because there are applications
> that allow you to send logs of whatever log file you want. The linux not so
> much.
Re: [rsyslog] Allocating certain logs to certain files
Haven't messed with windows yet so can't really say

On Apr 3, 2013 6:37 PM, "Josh Bitto" wrote:

> I'm sorry I should have clarified... Windows events go to both locations
> mentioned.
>
> Could I add a rule that says...
>
> If \
> $source == 'somekind of windows identifier' \
> Then ?DYNmessages
>
> Would that work?
Re: [rsyslog] Allocating certain logs to certain files
I'm sorry I should have clarified... Windows events go to both locations mentioned.

Could I add a rule that says...

If \
$source == 'somekind of windows identifier' \
Then ?DYNmessages

Would that work?

-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Marcelo Veglienzone
Sent: Wednesday, April 03, 2013 2:31 PM
To: rsyslog-users
Subject: Re: [rsyslog] Allocating certain logs to certain files

The config I shared does that
Re: [rsyslog] Allocating certain logs to certain files
The config I shared does that

On Apr 3, 2013 6:18 PM, "Josh Bitto" wrote:

> Marcelo,
>
> Thank you for the help earlier. Now I have another question. I kept the
> first rules and now I want to add a rule of sorts.
>
> When rsyslog receives UDP traffic it not only is adding it to my
> /var/log/messages file but also to the /var/log/hosts//messages
> file as well.
>
> Is there a way for it to NOT log to the /var/log/messages and ONLY to the
> /var/log/hosts//messages?
Re: [rsyslog] Allocating certain logs to certain files
Marcelo,

Thank you for the help earlier. Now I have another question. I kept the first rules and now I want to add a rule of sorts.

When rsyslog receives UDP traffic it not only is adding it to my /var/log/messages file but also to the /var/log/hosts//messages file as well.

Is there a way for it to NOT log to the /var/log/messages and ONLY to the /var/log/hosts//messages?

-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Marcelo Veglienzone
Sent: Wednesday, April 03, 2013 12:30 PM
To: rsyslog-users
Subject: Re: [rsyslog] Allocating certain logs to certain files

In that case you only need one rule, something like this should work

if \
$source != 'loghost.example.com' \
then *.* ?DYNlogfile

On Wed, Apr 3, 2013 at 4:23 PM, Josh Bitto wrote:

> Oh ok thank you! That worked!
>
> I'm sorry I keep asking questions
>
> So in the If, then statements where it says
>
> if \
> $source != 'syslog.onlineschool.ca' \
> and \
> $syslogseverity <= '6' \
>
> --
>
> The very last line of the above $syslogseverity<= '6'\
>
> Does this only log certain message types? Or if I wanted to have
> everything what would I put?
>
> (not a programmer)
>
> -----Original Message-----
> From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Marcelo Veglienzone
> Sent: Wednesday, April 03, 2013 12:07 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Allocating certain logs to certain files
>
> loghost is the name of the machine doing the central logging with
> rsyslog which I want to keep its logs under the default location
>
> $source != 'loghost.example.com'
> means every host but loghost.example.com
>
> On Wed, Apr 3, 2013 at 4:03 PM, Josh Bitto wrote:
>
> > On your if, then statements where it says $source != 'loghost.example.com' \
> >
> > What would I replace it with? %hostname%
> >
> > The reason I ask is that there will be many host names or IP
> > addresses that I'm forwarding logs from.
> >
> > -----Original Message-----
> > From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Marcelo Veglienzone
> > Sent: Wednesday, April 03, 2013 11:47 AM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] Allocating certain logs to certain files
> >
> > Josh,
> >
> > This is what I'm currently using, http://pastebin.com/tsTHdsZY
> > Starting at line 116 you'll find what you want
> >
> > On Wed, Apr 3, 2013 at 3:38 PM, Josh Bitto wrote:
> >
> > > Ok here is my issue...on my central rsyslog server I have in my
> > > config file the following
> > >
> > > # This one is the template to generate the log filename
> > > dynamically, depending on the client's IP address.
> > > $template FILENAME,"/var/log/%fromhost-ip%/syslog.log"
> > >
> > > # Log all messages to the dynamically formed file. Now each
> > > clients log (192.168.1.2, 192.168.1.3,etc...), will be under a
> > > separate directory which is formed by the template FILENAME.
> > > *.* ?FILENAME
> > >
> > > That puts an output to my /var/log//syslog.log file.
> > >
> > > Essentially what I want is to have the same thing except separate
> > > files for each log file /Dev/console /var/log/messages
> > > /var/log/secure/ -/var/log/maillog /var/log/cron *.emerg
> > > /var/log/spooler /var/log/boot.log
> > >
> > > How would I add that to the config to make it happen?
> > >
> > > The other thing... I still can't get httpd logs from remote
> > > servers to forward to my central rsyslog server.
> > >
> > > Josh
> > >
> > > Joshua Bitto
> > > Information Technologist
> > > KCC
> > >
> > > ___
> > > rsyslog mailing list
> > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com/professional-services/
> > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] Allocating certain logs to certain files
I actually just found that. It is helping out a lot as far as all the different terminology that this protocol uses.

Thanks Anyway!

-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Gregory Patmore
Sent: Wednesday, April 03, 2013 1:56 PM
To: rsyslog-users
Subject: Re: [rsyslog] Allocating certain logs to certain files

I found this reference helpful: http://en.wikipedia.org/wiki/Syslog
Re: [rsyslog] Allocating certain logs to certain files
I found this reference helpful: http://en.wikipedia.org/wiki/Syslog

On Wed, Apr 3, 2013 at 4:02 PM, Rainer Gerhards wrote:
> I suggest
>
> http://www.monitorware.com/en/topics/syslog/
>
> Especially the seminar.
>
> Sent from phone, thus brief.
Re: [rsyslog] Allocating certain logs to certain files
I suggest

http://www.monitorware.com/en/topics/syslog/

Especially the seminar.

Sent from phone, thus brief.

-------- Original message --------
From: Josh Bitto
Date: 03.04.2013 21:49 (GMT+01:00)
To: rsyslog-users
Subject: Re: [rsyslog] Allocating certain logs to certain files

Okie dokie

Would these if then statements work for windows events?

Basically here is my goal...

I want to use splunk as a Management tool for my logs (free version is 500 mb volume/24 hour period) but I want rsyslog to forward log files to my central log server.
In order to stay under that 500mb limit for the whole network. I want to determine what is an acceptable exclusion for indexing data from a file source. The file source would be what you just helped me with.

The coding that I had before made my log files for messages huge.

So could you help me understand what $syslogseverity <= '6' means?

I want to log the important stuff and exclude stuff that doesn't really matter for both linux and windows logs.

Note: the windows side will be much easier because there are applications that allow you to send logs of whatever log file you want. The linux not so much.
Re: [rsyslog] Allocating certain logs to certain files
Okie dokie

Would these if then statements work for windows events?

Basically here is my goal...

I want to use splunk as a Management tool for my logs (free version is 500 mb volume/24 hour period) but I want rsyslog to forward log files to my central log server.
In order to stay under that 500mb limit for the whole network. I want to determine what is an acceptable exclusion for indexing data from a file source. The file source would be what you just helped me with.

The coding that I had before made my log files for messages huge.

So could you help me understand what $syslogseverity <= '6' means?

I want to log the important stuff and exclude stuff that doesn't really matter for both linux and windows logs.

Note: the windows side will be much easier because there are applications that allow you to send logs of whatever log file you want. The linux not so much.

-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Marcelo Veglienzone
Sent: Wednesday, April 03, 2013 12:30 PM
To: rsyslog-users
Subject: Re: [rsyslog] Allocating certain logs to certain files

In that case you only need one rule, something like this should work

if \
    $source != 'loghost.example.com' \
then *.* ?DYNlogfile
Re: [rsyslog] Allocating certain logs to certain files
In that case you only need one rule, something like this should work

if \
    $source != 'loghost.example.com' \
then *.* ?DYNlogfile

On Wed, Apr 3, 2013 at 4:23 PM, Josh Bitto wrote:
> Oh ok thank you! That worked!
>
> I'm sorry I keep asking questions
>
> So in the If, then statements where it says
>
> if \
>     $source != 'syslog.onlineschool.ca' \
>     and \
>     $syslogseverity <= '6' \
>
> --
>
> The very last line of the above $syslogseverity<= '6'\
>
> Does this only log certain message types? Or if I wanted to have
> everything what would I put?
>
> (not a programmer)
Re: [rsyslog] Allocating certain logs to certain files
Oh ok thank you! That worked!

I'm sorry I keep asking questions

So in the If, then statements where it says

if \
    $source != 'syslog.onlineschool.ca' \
    and \
    $syslogseverity <= '6' \

--

The very last line of the above $syslogseverity<= '6'\

Does this only log certain message types? Or if I wanted to have everything what would I put?

(not a programmer)

-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Marcelo Veglienzone
Sent: Wednesday, April 03, 2013 12:07 PM
To: rsyslog-users
Subject: Re: [rsyslog] Allocating certain logs to certain files

loghost is the name of the machine doing the central logging with rsyslog which I want to keep its logs under the default location

$source != 'loghost.example.com'
means every host but loghost.example.com
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] Allocating certain logs to certain files
loghost is the name of the machine doing the central logging with rsyslog which I want to keep its logs under the default location

$source != 'loghost.example.com'
means every host but loghost.example.com

On Wed, Apr 3, 2013 at 4:03 PM, Josh Bitto wrote:
> On your if, then statements where it says $source != 'loghost.example.com' \
>
> What would I replace it with? %hostname%
>
> The reason I ask is that there will be many host names or IP addresses
> that I'm forwarding logs from.
Re: [rsyslog] Allocating certain logs to certain files
On your if, then statements where it says $source != 'loghost.example.com' \

What would I replace it with? %hostname%

The reason I ask is that there will be many host names or IP addresses that I'm forwarding logs from.

-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Marcelo Veglienzone
Sent: Wednesday, April 03, 2013 11:47 AM
To: rsyslog-users
Subject: Re: [rsyslog] Allocating certain logs to certain files

Josh,

This is what I'm currently using, http://pastebin.com/tsTHdsZY
Starting at line 116 you'll find what you want
Re: [rsyslog] Allocating certain logs to certain files
Josh,

This is what I'm currently using, http://pastebin.com/tsTHdsZY
Starting at line 116 you'll find what you want

On Wed, Apr 3, 2013 at 3:38 PM, Josh Bitto wrote:
> Ok here is my issue...on my central rsyslog server I have in my config file
> the following
>
> # This one is the template to generate the log filename dynamically,
> # depending on the client's IP address.
> $template FILENAME,"/var/log/%fromhost-ip%/syslog.log"
>
> # Log all messages to the dynamically formed file. Now each client's log
> # (192.168.1.2, 192.168.1.3,etc...), will be under a separate directory which
> # is formed by the template FILENAME.
> *.* ?FILENAME
>
> That puts an output to my /var/log//syslog.log file.
>
> Essentially what I want is to have the same thing except separate files
> for each log file
> /Dev/console
> /var/log/messages
> /var/log/secure/
> -/var/log/maillog
> /var/log/cron
> *.emerg
> /var/log/spooler
> /var/log/boot.log
>
> How would I add that to the config to make it happen?
>
> The other thing... I still can't get httpd logs from remote servers to
> forward to my central rsyslog server.
>
> Josh
>
> Joshua Bitto
> Information Technologist
> KCC
[rsyslog] Allocating certain logs to certain files
Ok here is my issue...on my central rsyslog server I have in my config file the following

# This one is the template to generate the log filename dynamically, depending on the client's IP address.
$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"

# Log all messages to the dynamically formed file. Now each client's log (192.168.1.2, 192.168.1.3,etc...), will be under a separate directory which is formed by the template FILENAME.
*.* ?FILENAME

That puts an output to my /var/log//syslog.log file.

Essentially what I want is to have the same thing except separate files for each log file
/Dev/console
/var/log/messages
/var/log/secure/
-/var/log/maillog
/var/log/cron
*.emerg
/var/log/spooler
/var/log/boot.log

How would I add that to the config to make it happen?

The other thing... I still can't get httpd logs from remote servers to forward to my central rsyslog server.

Josh

Joshua Bitto
Information Technologist
KCC
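The layout asked for in the original post, written out as an added example in the legacy syntax the thread uses (it is not from the thread or the linked pastebin): one dynamic-file template per destination, with the severity test explained in the comments. The DYN* template names, the facility split and the `$fromhost-ip != '127.0.0.1'` test are assumptions of this example; the address test is used instead of `$source` because `$source` is the hostname field that the sender writes into the message.

```conf
# Added example for a central rsyslog server, legacy config syntax.
# Assumptions: the DYN* template names, the /var/log/<client-ip>/ layout,
# and that local inputs report 127.0.0.1 in the fromhost-ip property.

# One template per destination file. %fromhost-ip% is the address the
# message was received from, so every client gets its own directory.
$template DYNmessages,"/var/log/%fromhost-ip%/messages"
$template DYNsecure,"/var/log/%fromhost-ip%/secure"
$template DYNmaillog,"/var/log/%fromhost-ip%/maillog"
$template DYNcron,"/var/log/%fromhost-ip%/cron"
$template DYNspooler,"/var/log/%fromhost-ip%/spooler"
$template DYNboot,"/var/log/%fromhost-ip%/boot.log"

# Severity is numeric: 0 emerg, 1 alert, 2 crit, 3 err, 4 warning,
# 5 notice, 6 info, 7 debug. "$syslogseverity <= '6'" keeps info and
# everything more severe and drops only debug. Leave the test out to keep
# everything, or lower the number (for example '4') to keep warnings and worse.

# Authentication events (sshd, sudo, su): keep every severity.
if \
    $fromhost-ip != '127.0.0.1' \
    and $syslogfacility-text == 'authpriv' \
then ?DYNsecure

if \
    $fromhost-ip != '127.0.0.1' \
    and $syslogfacility-text == 'mail' \
    and $syslogseverity <= '6' \
then ?DYNmaillog

if \
    $fromhost-ip != '127.0.0.1' \
    and $syslogfacility-text == 'cron' \
    and $syslogseverity <= '6' \
then ?DYNcron

# uucp and news at crit (2) or more severe.
if \
    $fromhost-ip != '127.0.0.1' \
    and ($syslogfacility-text == 'uucp' or $syslogfacility-text == 'news') \
    and $syslogseverity <= '2' \
then ?DYNspooler

if \
    $fromhost-ip != '127.0.0.1' \
    and $syslogfacility-text == 'local7' \
then ?DYNboot

# Everything else at info or above, minus the facilities routed above
# (the expression form of "*.info;mail.none;authpriv.none;cron.none").
if \
    $fromhost-ip != '127.0.0.1' \
    and $syslogseverity <= '6' \
    and $syslogfacility-text != 'mail' \
    and $syslogfacility-text != 'authpriv' \
    and $syslogfacility-text != 'cron' \
then ?DYNmessages

# Remote messages are finished: discard them here so the server's own
# rules further down (/var/log/messages, /var/log/secure, ...) only see
# local messages. Remote debug messages matched no rule above and are
# dropped at this point. rsyslog v7 and later spell this action "stop".
if $fromhost-ip != '127.0.0.1' then ~
```

Place these rules above the distribution's default rules, and check the file with `rsyslogd -N1` before restarting the daemon.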