Hello,

I think the simplest thing you can do is something like this:

    if $programname == 'audits' then @10.0.0.10:514

This will forward all "audits" logs to the splunk receiver via UDP.

If you only need to forward those logs coming from the remote hosts, have a look at rulesets: http://www.rsyslog.com/tag/more-complex-scenarios/

Basically, you can use those to define an action that applies to all logs coming from the network via TCP, for example.

Best regards,
Radu

2013/7/18 <[email protected]>

> I'm trying to get rsyslog to forward audits from compute nodes
> thru their cluster head node to a receiver running splunk. The
> receiver has already been set up and is getting data from
> other hosts. These other hosts use syslog-ng. Looking at the
> online documentation, I was able to get a compute node to forward
> this data to the head node (172.20.0.1) as follows. To a default
> rsyslog.conf on a compute node, I added:
>
> $PrivDropToGroup adm
> $ModLoad imfile
> $InputFileName /var/log/audit.log
> $InputFileTag audits:
> $InputFileStateFile stat-auditsap-access
> $InputFileSeverity info
> $InputRunFileMonitor
> $InputFilePollInterval 10
> if $programname == 'audits' then @@172.20.0.1:514
>
> So the audit data from the compute node appears in syslog on the
> head node.
>
> I'm just not sure what I need to do on the head node to take this
> data and forward it on. Here is what a successful syslog-ng.conf
> looks like on a working head node. Note that the receiver (splunk)
> is IP 10.0.0.10.
>
> options {
> .....
> };
>
> source s_sys {
> file ("/prov/kmsg" log_prefix("kernel: "));
> unix-stream ("/dev/log");
> internal();
> };
> source s_audit {
> #for audits
> file ("/var/log/audit/audit.log" flags(no-parse)
> follow-freq(60)); #for audits
> };
> destination d_cons { file("/dev/console");};
> destination ....
> ...
> destination d_splunk { udp("10.0.0.10" port(514)); };
> #for audits
>
> filter f_kernel.....
>
> log {source(s_sys.....
> ....
> log { source(s_audit); destination(d_splunk); };
> #for audits
>
> Does anyone know what should be on the head node to forward the stream?
> Thanks
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
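One way to wire the head node the way Radu describes, with a ruleset bound to the imtcp listener so only messages relayed from the compute nodes are forwarded (an added example in rsyslog legacy directive syntax, not a config from the thread; the ruleset name, the local copy paths and the listener port are assumptions):

```rsyslog
# Head node (172.20.0.1) rsyslog.conf fragment.
# Assumptions (not from the thread): the compute nodes relay over TCP port 514
# as in their "@@172.20.0.1:514" line, the ruleset is called "remote", and
# local copies go under /var/log.

$ModLoad imtcp

# Every message that arrives on the TCP listener is processed by this ruleset
# only, so the head node's own local syslog traffic is never sent to splunk.
$RuleSet remote

# The compute node tagged the file lines "audits:", and the tag is preserved
# through the relay, so $programname is still 'audits' here. Forward those to
# the splunk receiver over UDP, matching the old syslog-ng d_splunk destination.
if $programname == 'audits' then @10.0.0.10:514

# UDP gives no delivery guarantee; keep a local copy so a dropped datagram
# does not mean a lost audit record on the head node.
if $programname == 'audits' then /var/log/remote-audits.log

# A non-default ruleset does not fall through to the default rules, so anything
# else the compute nodes send needs an explicit action or it is silently dropped.
*.* /var/log/remote-other.log

# Bind the TCP listener to the ruleset, then start it.
$InputTCPServerBindRuleset remote
$InputTCPServerRun 514

# Switch back so the remaining rsyslog.conf lines apply to local messages only.
$RuleSet RSYSLOG_DefaultRuleset
```

Run `rsyslogd -N1` after editing to have rsyslog validate the configuration before restarting the daemon.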

