I'm trying to get rsyslog to forward audits from compute nodes
through their cluster head node to a receiver running splunk. The
receiver has already been set up and is getting data from
other hosts. These other hosts use syslog-ng. Looking at the
online documentation, I was able to get a compute node to forward
this data to the head node (172.20.0.1) as follows. To a default
rsyslog.conf on a compute node, I added:


$PrivDropToGroup adm
$ModLoad imfile
$InputFileName /var/log/audit.log
$InputFileTag audits:
$InputFileStateFile stat-auditsap-access
$InputFileSeverity info
$InputRunFileMonitor
$InputFilePollInterval 10
if $programname == 'audits' then @@172.20.0.1:514

So the audit data from the compute node appears in syslog on the
head node.

I'm just not sure what I need to do on the head node to take this
data and forward it on.  Here is what a successful syslog-ng.conf
looks like on a working head node. Note that the receiver (splunk)
is IP 10.0.0.10.


options {
          .....
};

source s_sys {
        file ("/proc/kmsg" log_prefix("kernel: "));
        unix-stream ("/dev/log");
        internal();
};
source s_audit {
     #for audits
        file ("/var/log/audit/audit.log" flags(no-parse)
follow-freq(60));  #for audits
};
destination d_cons { file("/dev/console");};
destination ....
...
destination d_splunk { udp("10.0.0.10" port(514)); };
     #for audits

filter f_kernel.....

log {source(s_sys.....
....
log { source(s_audit); destination(d_splunk); };
     #for audits

Does anyone know what should be on the head node to forward the stream?
Thanks
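As an added example (not the poster's configuration), here is a head-node rsyslog.conf fragment that does what the syslog-ng d_splunk/s_audit pair does: it accepts the TCP stream the compute nodes send with "@@" and relays the audit records to the receiver over UDP. It assumes the compute nodes live on 172.20.0.0/16 and that the Splunk receiver is the 10.0.0.10:514 UDP listener shown above.

```conf
# Added example, not the poster's configuration: rsyslog.conf fragment for
# the head node. Assumes the compute nodes forward over TCP 514 ("@@" above),
# the cluster network is 172.20.0.0/16, and Splunk listens on 10.0.0.10 UDP 514.

# Accept the TCP stream from the compute nodes. The listener is restricted
# to the cluster network so the head node does not become an open relay.
$ModLoad imtcp
$AllowedSender TCP, 127.0.0.1, 172.20.0.0/16
$InputTCPServerRun 514

# Relay the audit records to the Splunk receiver. A single "@" is UDP, which
# matches the syslog-ng d_splunk destination. The tag set on the compute node
# ("audits:") survives the hop, so $programname still matches here; "& ~"
# then discards the message so it is not also written to the local files.
if $programname == 'audits' then @10.0.0.10:514
& ~
```

The head node's own /var/log/audit/audit.log can be picked up with the same imfile stanza the compute node uses, and the rest of the default rsyslog.conf stays as it is. If the record count in Splunk does not match what arrives in syslog on the head node, check $AllowedSender first, since a rejected sender is logged but the messages are silently dropped.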
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog