Re: [rsyslog] Allocating certain logs to certain files

2013-04-04 Thread David Lang

On Wed, 3 Apr 2013, Josh Bitto wrote:

I have the same setup. I have my central rsyslog server and Splunk server on 
the same box. I'm having all clients send logs and having rsyslog put them in 
different log locations.


Then on the Splunk side I'm just indexing those file locations. What method 
are you using to throw away all other logs?


In the configuration, before you write the logs out to disk, add lines that 
match logs that you don't want to log with the action '~'. That will cause 
rsyslog to stop looking for more rules to match for that log entry.



I've not heard of a sinkhole directory.


It's very similar to a monitor directory, but with a sinkhole, Splunk will 
delete the file after it's indexed it. That way you don't have to figure out 
what files have and have not been indexed if Splunk has stopped at some point, 
and Splunk doesn't have to check the stats of large numbers of files that 
accumulate when trying to figure out what to work on.


David Lang





-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Wednesday, April 03, 2013 2:58 PM
To: rsyslog-users
Subject: Re: [rsyslog] Allocating certain logs to certain files

What I do with Splunk is that I have my clients send all the logs up to my 
central server and Splunk server. I then have the rsyslog on the Splunk server 
write the logs that I want Splunk to index into a file and then throw all the 
other logs away. I roll the log from where it's written into a Splunk sinkhole 
directory once a minute.

David Lang
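David's ordered-rules approach, as an added example that is not from the thread or the rsyslog project: a legacy-syntax rsyslog.conf fragment (the syntax used in this thread) that discards noise before anything is written, writes the remaining remote messages into a pickup file that changes name every minute, and then discards them so only local messages reach the distribution's default rules. The listener port, paths, template name and the program/message patterns in the discard rules are assumptions.

```conf
# Added example, not from the thread; legacy rsyslog syntax.
# Port, paths, template name and the discard patterns are assumptions.
$ModLoad imudp
$UDPServerRun 514

# 1. Discard rules first. '~' discards the message, so anything matched here
#    stops and never reaches the file action in step 2.
:programname, isequal, "dhclient"                         ~
:msg, contains, "pam_unix(cron:session): session opened"  ~
:msg, contains, "pam_unix(cron:session): session closed"  ~
if $syslogseverity == '7' then ~

# 2. Remote messages only (fromhost-ip is 127.0.0.1 for locally generated
#    ones): write to a pickup file whose name changes every minute, so
#    rsyslog itself starts a fresh file at each minute boundary, then discard
#    so the default rules below never see them.
$template SplunkPickup,"/var/spool/rsyslog/splunk.%$YEAR%%$MONTH%%$DAY%%$HOUR%%$MINUTE%.log"
if $fromhost-ip != '127.0.0.1' then ?SplunkPickup
& ~

# 3. Only local messages get this far; the distribution's default rules apply.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
```

Rolling into the sinkhole is then a one-line cron job, for example `* * * * * find /var/spool/rsyslog -name 'splunk.*.log' -mmin +1 -exec mv {} /var/spool/splunk-sinkhole/ \;` (paths assumed): a file whose mtime is more than a minute old belongs to a past minute and receives no further writes, so Splunk can index and delete it without losing lines. Keep the sinkhole on the same filesystem so the move is a rename rather than a copy.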



Re: [rsyslog] Allocating certain logs to certain files

2013-04-03 Thread Josh Bitto
On your if, then statements where it says $source != 'loghost.example.com' \

What would I replace it with? %hostname%

The reason I ask is that there will be many host names or IP addresses that I'm 
forwarding logs from.



-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Marcelo Veglienzone
Sent: Wednesday, April 03, 2013 11:47 AM
To: rsyslog-users
Subject: Re: [rsyslog] Allocating certain logs to certain files

Josh,

This is what I'm currently using: http://pastebin.com/tsTHdsZY
Starting at line 116 you'll find what you want.


On Wed, Apr 3, 2013 at 3:38 PM, Josh Bitto jbi...@onlineschool.ca wrote:

 Ok here is my issue... on my central rsyslog server I have in my config 
 file the following

 # This one is the template to generate the log filename dynamically, 
 depending on the client's IP address.
 $template FILENAME,"/var/log/%fromhost-ip%/syslog.log"

 # Log all messages to the dynamically formed file. Now each client's 
 log (192.168.1.2, 192.168.1.3, etc...) will be under a separate 
 directory which is formed by the template FILENAME.
 *.* ?FILENAME


 That puts an output to my /var/log/host IP/syslog.log file.

 Essentially what I want is to have the same thing except separate 
 files for each log file: /dev/console /var/log/messages 
 /var/log/secure -/var/log/maillog /var/log/cron *.emerg 
 /var/log/spooler /var/log/boot.log

 How would I add that to the config to make it happen?

 The other thing: I still can't get httpd logs from remote servers to 
 forward to my central rsyslog server.

 Josh




 Joshua Bitto
 Information Technologist
 KCC



 ___
 rsyslog mailing list
 http://lists.adiscon.net/mailman/listinfo/rsyslog
 http://www.rsyslog.com/professional-services/
 What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE 
 WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
 sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you 
 DON'T LIKE THAT.
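Josh's follow-up (separate files per destination for each remote host) is not answered in the thread; as an added example that is not from the thread or the rsyslog project, here is one legacy-syntax way to do it: one dynamic template per destination, applied inside a ruleset that only the network listener feeds, so the classic selectors can be reused unchanged and the server's own default rules are never touched. Directory layout, file modes and template names are assumptions.

```conf
# Added example, not from the thread; legacy rsyslog syntax. Directory
# layout, file modes and template names are assumptions.
$ModLoad imudp

# Files are keyed by the sender's socket address, not by the HOSTNAME field
# inside the message, so a client cannot write into another host's directory
# just by forging that field.
$template RemoteMessages,"/var/log/remote/%fromhost-ip%/messages"
$template RemoteSecure,"/var/log/remote/%fromhost-ip%/secure"
$template RemoteMail,"/var/log/remote/%fromhost-ip%/maillog"
$template RemoteCron,"/var/log/remote/%fromhost-ip%/cron"
$template RemoteSpooler,"/var/log/remote/%fromhost-ip%/spooler"
$template RemoteBoot,"/var/log/remote/%fromhost-ip%/boot.log"

# Directories are created on demand; keep them unreadable to other users.
$DirCreateMode 0750
$FileCreateMode 0640

# A separate ruleset that only the network listener feeds: the classic
# selectors from the stock rsyslog.conf can be reused as they are, and the
# default ruleset (and the box's own /var/log files) is never touched.
$RuleSet remote
*.info;mail.none;authpriv.none;cron.none    ?RemoteMessages
authpriv.*                                  ?RemoteSecure
mail.*                                      ?RemoteMail
cron.*                                      ?RemoteCron
uucp,news.crit                              ?RemoteSpooler
local7.*                                    ?RemoteBoot

# Bind the UDP listener to that ruleset, then switch back so the default
# rules that follow in the file still apply to local messages only.
$InputUDPServerBindRuleset remote
$UDPServerRun 514
$RuleSet RSYSLOG_DefaultRuleset
```

The remote ruleset deliberately has no `*.emerg *` wall line. UDP source addresses are easy to forge, so for hosts whose logs you rely on, receive over TCP (imtcp with `$InputTCPServerBindRuleset remote`) or TLS instead; the same ruleset serves either listener.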



Re: [rsyslog] Allocating certain logs to certain files

2013-04-03 Thread Josh Bitto
Oh ok thank you! That worked!

I'm sorry I keep asking questions

So in the If, then statements where it says

if \
$source != 'syslog.onlineschool.ca' \
and \
 $syslogseverity = '6' \

--

The very last line of the above $syslogseverity= '6'\

Does this only log certain message types? Or if I wanted to have everything 
what would I put?

(not a programmer)



-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Marcelo Veglienzone
Sent: Wednesday, April 03, 2013 12:07 PM
To: rsyslog-users
Subject: Re: [rsyslog] Allocating certain logs to certain files

loghost is the name of the machine doing the central logging with rsyslog, whose 
logs I want to keep under the default location.

$source != 'loghost.example.com'
means every host but loghost.example.com




Re: [rsyslog] Allocating certain logs to certain files

2013-04-03 Thread Marcelo Veglienzone
In that case you only need one rule; something like this should work:


   if \
     $source != 'loghost.example.com' \
   then *.* ?DYNlogfile
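What the severity number in the earlier rule actually selects, as an added example that is not from the thread (DYNlogfile and $source are the thread's names; the threshold and the selector line are assumptions):

```conf
# Added example, not from the thread. DYNlogfile and $source are the
# thread's names; the threshold and the selector line are assumptions.
#
# syslog severity numbers: 0 emerg, 1 alert, 2 crit, 3 err, 4 warning,
# 5 notice, 6 info, 7 debug. A lower number is more severe, so the clause
# $syslogseverity = '6' keeps ONLY informational messages: it drops debug
# chatter (7) but also every warning and error (0-5).

# (a) Log everything from remote hosts: leave the severity clause out.
#     Only one of (a), (b), (c) should be active; all three together would
#     write the same message several times.
if $source != 'loghost.example.com' then ?DYNlogfile

# (b) "The important stuff": warning and worse, i.e. severity 4 or lower.
if $source != 'loghost.example.com' and $syslogseverity <= '4' then ?DYNlogfile

# (c) The same threshold in the classic selector form ("warning and above");
#     note this one has no host condition, so it also matches local messages.
*.warning   ?DYNlogfile
```

The severity is whatever the sending process put in the message's PRI field. sshd logs failed logins at info (6), so threshold (b) would drop exactly the events most worth keeping, and a compromised host can label anything as debug. Treat severity as a volume control, and select the events you care about by facility or program name instead.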





Re: [rsyslog] Allocating certain logs to certain files

2013-04-03 Thread Josh Bitto
Okie dokie

Would these if then statements work for Windows events?

Basically here is my goal...

I want to use Splunk as a management tool for my logs (free version is 500 MB 
volume/24 hour period) but I want rsyslog to forward log files to my 
central log server.
In order to stay under that 500 MB limit for the whole network, I want to 
determine what is an acceptable exclusion for indexing data from a file source. 
The file source would be what you just helped me with.

The coding that I had before made my log files for messages huge.

So could you help me understand what $syslogseverity = '6' means?

I want to log the important stuff and exclude stuff that doesn't really matter 
for both Linux and Windows logs.

Note: the Windows side will be much easier because there are applications that 
allow you to send logs of whatever log file you want. Linux, not so much.






Re: [rsyslog] Allocating certain logs to certain files

2013-04-03 Thread Rainer Gerhards
I suggest

http://www.monitorware.com/en/topics/syslog/

Especially the seminar.


Sent from phone, thus brief.



 Original Message 
From: Josh Bitto jbi...@onlineschool.ca
Date: 03.04.2013 21:49 (GMT+01:00)
To: rsyslog-users rsyslog@lists.adiscon.com
Subject: Re: [rsyslog] Allocating certain logs to certain files



Re: [rsyslog] Allocating certain logs to certain files

2013-04-03 Thread Gregory Patmore
I found this reference helpful:
http://en.wikipedia.org/wiki/Syslog



Re: [rsyslog] Allocating certain logs to certain files

2013-04-03 Thread Josh Bitto
I actually just found that. It is helping out a lot as far as all the different 
terminology that this protocol uses.

Thanks anyway!



-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Gregory Patmore
Sent: Wednesday, April 03, 2013 1:56 PM
To: rsyslog-users
Subject: Re: [rsyslog] Allocating certain logs to certain files

I found this reference helpful:
http://en.wikipedia.org/wiki/Syslog


On Wed, Apr 3, 2013 at 4:02 PM, Rainer Gerhards rgerha...@hq.adiscon.comwrote:

 I suggest

 http://www.monitorware.com/en/topics/syslog/

 Especially the seminar.


 Sent from phone, thus brief.



   Original message 
  From: Josh Bitto jbi...@onlineschool.ca
  Date: 03.04.2013 21:49 (GMT+01:00)
  To: rsyslog-users rsyslog@lists.adiscon.com
  Subject: Re: [rsyslog] Allocating certain logs to certain files


 Okie dokie

 Would these if then statements work for windows events?

 Basically here is my goal...

  I want to use Splunk as a management tool for my logs (free version is 
  500 MB volume/24 hour period) but I want rsyslog to forward log 
  files to my central log server.
  In order to stay under that 500 MB limit for the whole network, I want 
  to determine what is an acceptable exclusion for indexing data from a 
  file source. The file source would be what you just helped me with.

  The coding that I had before made my log files for messages huge.

  So could you help me understand what $syslogseverity = '6' means?

  I want to log the important stuff and exclude stuff that doesn't really 
  matter for both Linux and Windows logs.

  Note: the Windows side will be much easier because there are 
  applications that allow you to send logs of whatever log file you 
  want. Linux, not so much.





 -Original Message-
 From: rsyslog-boun...@lists.adiscon.com [mailto:
 rsyslog-boun...@lists.adiscon.com] On Behalf Of Marcelo Veglienzone
 Sent: Wednesday, April 03, 2013 12:30 PM
 To: rsyslog-users
 Subject: Re: [rsyslog] Allocating certain logs to certain files

  In that case you only need one rule; something like this should work:

  if \
  $source != 'loghost.example.com' \
  then *.* ?DYNlogfile




 On Wed, Apr 3, 2013 at 4:23 PM, Josh Bitto jbi...@onlineschool.ca wrote:

  Oh ok thank you! That worked!
 
  I'm sorry I keep asking questions
 
   So in the if/then statements where it says
  
   if \
   $source != 'syslog.onlineschool.ca' \
   and \
   $syslogseverity = '6' \
  
   --
  
   The very last line of the above, $syslogseverity = '6' \
 
  Does this only log certain message types? Or if I wanted to have 
  everything what would I put?
 
  (not a programmer)
 
 
 
  -Original Message-
  From: rsyslog-boun...@lists.adiscon.com [mailto:
  rsyslog-boun...@lists.adiscon.com] On Behalf Of Marcelo Veglienzone
  Sent: Wednesday, April 03, 2013 12:07 PM
  To: rsyslog-users
  Subject: Re: [rsyslog] Allocating certain logs to certain files
 
   loghost is the name of the machine doing the central logging with 
   rsyslog, whose logs I want to keep under the default location.
  
   $source != 'loghost.example.com'
   means every host but loghost.example.com
 
 
  On Wed, Apr 3, 2013 at 4:03 PM, Josh Bitto jbi...@onlineschool.ca
 wrote:
 
    On your if/then statements where it says $source != 'loghost.example.com' \
   
    What would I replace it with? %hostname%
  
   The reason I ask is that there will be many host names or IP 
   addresses that I'm forwarding logs from.
  
  
  

Re: [rsyslog] Allocating certain logs to certain files

2013-04-03 Thread Josh Bitto
Marcelo,

Thank you for the help earlier. Now I have another question. I kept the first 
rules, and now I want to add a rule of sorts.

When rsyslog receives UDP traffic it not only is adding it to my 
/var/log/messages file but also to the /var/log/hosts/hostname/messages file 
as well.

Is there a way for it to NOT log to the /var/log/messages and ONLY to the 
/var/log/hosts/hostname/messages?



-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Marcelo Veglienzone
Sent: Wednesday, April 03, 2013 12:30 PM
To: rsyslog-users
Subject: Re: [rsyslog] Allocating certain logs to certain files

In that case you only need one rule; something like this should work:

   if \
   $source != 'loghost.example.com' \
   then *.* ?DYNlogfile





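The duplication Josh describes above (a remote message landing in both /var/log/messages and the per-host file) happens because rsyslog runs every rule against every message unless something stops it. The following is an added example, not Marcelo's pastebin config and not anything posted in the thread. Instead of excluding the central server by hostname and discarding with "~", it binds the UDP listener to its own ruleset, so received messages never reach the distribution's default rules at all, and it splits them per sender and per facility the way the stock rsyslog.conf splits local logs. Legacy (v5-era) directive syntax to match the thread; the listener port, the /var/log/hosts/ layout and the RHEL-style facility split are assumptions.

```rsyslog
# Added example, not the thread's or the pastebin config. Legacy rsyslog v5
# directive syntax. Assumptions: UDP listener on 514, per-sender files under
# /var/log/hosts/, stock RHEL-style facility split.

$ModLoad imudp

# Directories are keyed by sender address, as in the original FILENAME template.
# %hostname% is taken from the packet and is chosen by the sender, so it is not a
# safe directory name; a UDP source address can be spoofed too, but it cannot
# carry path characters.
$template DynMessages,"/var/log/hosts/%fromhost-ip%/messages"
$template DynSecure,"/var/log/hosts/%fromhost-ip%/secure"
$template DynMail,"/var/log/hosts/%fromhost-ip%/maillog"
$template DynCron,"/var/log/hosts/%fromhost-ip%/cron"
$template DynSpooler,"/var/log/hosts/%fromhost-ip%/spooler"
$template DynBoot,"/var/log/hosts/%fromhost-ip%/boot.log"

# Files and directories rsyslog creates for these senders are not world-readable.
$CreateDirs on
$DirCreateMode 0750
$FileCreateMode 0640

# Rules from here to the next $RuleSet apply only to inputs bound to "remote".
$RuleSet remote

# Same split as the stock /etc/rsyslog.conf, into the per-sender files.
authpriv.*                                  ?DynSecure
mail.*                                      ?DynMail
cron.*                                      ?DynCron
uucp,news.crit                              ?DynSpooler
local7.*                                    ?DynBoot
*.info;mail.none;authpriv.none;cron.none    ?DynMessages
# Nothing here writes to /var/log/messages, and a message in this ruleset never
# reaches the default ruleset, so there is no duplicate copy and no "& ~" needed.

# Bind the UDP input to the ruleset, then start it; the bind directive must
# come before $UDPServerRun.
$InputUDPServerBindRuleset remote
$UDPServerRun 514

# Back to the default ruleset so the local inputs (imuxsock, imklog) and the
# distribution's own rules are unaffected.
$RuleSet RSYSLOG_DefaultRuleset
```

A TCP listener gets the same treatment with $InputTCPServerBindRuleset. On rsyslog 7 and later the same layout is usually written in RainerScript (ruleset(name="remote") { ... } and input(type="imudp" port="514" ruleset="remote")), and "stop" replaces the "~" discard action; the legacy directives above still load there, and rsyslogd -N1 checks the file without starting the daemon.
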
Re: [rsyslog] Allocating certain logs to certain files

2013-04-03 Thread Marcelo Veglienzone
The config I shared does that
On Apr 3, 2013 6:18 PM, Josh Bitto jbi...@onlineschool.ca wrote:

 Marcelo,

 Thank you for the help earlier. Now I have another question. I kept the
 first rules, and now I want to add a rule of sorts.

 When rsyslog receives UDP traffic it not only is adding it to my
 /var/log/messages file but also to the /var/log/hosts/hostname/messages
 file as well.

 Is there a way for it to NOT log to the /var/log/messages and ONLY to the
 /var/log/hosts/hostname/messages?




Re: [rsyslog] Allocating certain logs to certain files

2013-04-03 Thread Josh Bitto
I'm sorry, I should have clarified... Windows events go to both locations 
mentioned.


Could I add a rule that says...

if \
$source == 'some kind of windows identifier' \
then ?DYNmessages



Would that work?


-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Marcelo Veglienzone
Sent: Wednesday, April 03, 2013 2:31 PM
To: rsyslog-users
Subject: Re: [rsyslog] Allocating certain logs to certain files

The config I shared does that
On Apr 3, 2013 6:18 PM, Josh Bitto jbi...@onlineschool.ca wrote:

 Marcelo,

 Thank you for the help earlier. Now I have another question. I kept 
 the first rules, and now I want to add a rule of sorts.

 When rsyslog receives UDP traffic it not only is adding it to my 
 /var/log/messages file but also to the 
 /var/log/hosts/hostname/messages
 file as well.

 Is there a way for it to NOT log to the /var/log/messages and ONLY to 
 the /var/log/hosts/hostname/messages?




Re: [rsyslog] Allocating certain logs to certain files

2013-04-03 Thread Marcelo Veglienzone
Haven't messed with Windows yet so can't really say.
On Apr 3, 2013 6:37 PM, Josh Bitto jbi...@onlineschool.ca wrote:

 I'm sorry, I should have clarified... Windows events go to both locations
 mentioned.


 Could I add a rule that says...

 if \
 $source == 'some kind of windows identifier' \
 then ?DYNmessages



 Would that work?



Re: [rsyslog] Allocating certain logs to certain files

2013-04-03 Thread Josh Bitto
I have the same setup. I have my central rsyslog server and splunk server on 
the same box. I'm having all clients send logs and having rsyslog put them in 
different log locations.

Then on the splunk side I'm just indexing those file locations. What method are 
you using to throw away all other logs? I've not heard of a sinkhole directory.



-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Wednesday, April 03, 2013 2:58 PM
To: rsyslog-users
Subject: Re: [rsyslog] Allocating certain logs to certain files

What I do with splunk is that I have my clients send all the logs up to my 
central server, and Splunk server. I then have the rsyslog on the Splunk server 
write the logs that I want splunk to index into a file and then throw all the 
other logs away. I roll the log from where it's written into a splunk sinkhole 
directory once a minute.

David Lang


  On Wed, 3 Apr 2013, Josh
Bitto wrote:

 Would these if then statements work for windows events?

 Basically here is my goal...

 I want to use Splunk as a management tool for my logs (free version is 500 MB 
 volume/24 hour period) but I want rsyslog to forward log files to my 
 central log server.
 In order to stay under that 500 MB limit for the whole network, I want to 
 determine what is an acceptable exclusion for indexing data from a file 
 source. The file source would be what you just helped me with.

 The coding that I had before made my log files for messages huge.

 So could you help me understand what $syslogseverity = '6' means?

 I want to log the important stuff and exclude stuff that doesn't really matter 
 for both Linux and Windows logs.

 Note: the Windows side will be much easier because there are applications 
 that allow you to send logs of whatever log file you want. Linux, not so 
 much.





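David Lang's approach quoted above (rsyslog on the Splunk box writes only what should be indexed and throws the rest away) is the right lever for the 500 MB/day limit, because bytes rsyslog never writes are never indexed. The following is an added example, not David's or Josh's configuration and not part of the thread: a legacy-syntax ruleset that keeps authentication events, anything at notice severity or worse, and everything from the Windows agents identified by source address, writes them to one feed file for Splunk, and discards the remainder. It also answers the $syslogseverity question from the thread in a comment. The feed path, the Windows address range, the roll script and the size threshold are assumptions.

```rsyslog
# Added example: a selective feed for Splunk under a daily volume budget.
# Legacy rsyslog v5 syntax. Feed path, address range, roll script and size
# threshold are assumptions, not values from the thread.

$ModLoad imudp

# One file for everything Splunk should index. The output channel closes and
# renames nothing by itself: when the file reaches 50 MB it runs the named
# script, which is expected to move the file into the directory Splunk watches.
# A time-based cron "mv" followed by a HUP to rsyslogd achieves the same thing.
$FileCreateMode 0640
$outchannel splunkfeed,/var/spool/splunk-feed/current.log,52428800,/usr/local/sbin/roll-splunk-feed

$RuleSet splunk

# Windows agents forward their event logs as syslog. Select them by sender
# address, not by hostname, which the sender fills in and can set to anything.
if $fromhost-ip startswith '192.168.10.' then :omfile:$splunkfeed
& ~

# Authentication and privilege events are always worth the budget.
authpriv.*                    :omfile:$splunkfeed
& ~

# Everything else only if it is notice (5) or more severe. Syslog severities run
# 0 (emerg) to 7 (debug); info (6) and debug (7) are the bulk of the volume.
# "$syslogseverity = '6'" in the thread's snippet selects only the
# informational level, the opposite of what a budget filter wants.
if $syslogseverity <= 5 then :omfile:$splunkfeed
& ~

# Anything reaching this line matched nothing above and is dropped here, so it
# never touches disk and never counts against the Splunk licence.
*.* ~

$InputUDPServerBindRuleset splunk
$UDPServerRun 514
$RuleSet RSYSLOG_DefaultRuleset
```

The "& ~" after each write stops the message there, so a Windows message at severity 5 is written once, not twice. On rsyslog 7 and later, "stop" replaces "~" and the comparisons can be written in RainerScript, but the legacy form still loads. Before relying on the filter, compare the size of current.log over a day against the limit; if it is still too large, the next things to drop are usually the chattiest programs by %programname% rather than more severity levels.
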