Thanks!
On 7/18/13, Radu Gheorghe <[email protected]> wrote:
> Hello,
>
> I think the simplest thing you can do is something like this:
>
> if $programname == 'audits' then @10.0.0.10:514
>
> This will forward all "audits" logs to the splunk receiver via UDP.
>
> If you only need to forward those logs coming from the remote hosts, have a
> look at rulesets:
> http://www.rsyslog.com/tag/more-complex-scenarios/
>
> Basically, you can use those to define an action that applies to all logs
> coming from the network via TCP, for example.
>
> Best regards,
> Radu
>
>
> 2013/7/18 <[email protected]>
>
>> I'm trying to get rsyslog to forward audits from compute nodes
>> thru their cluster head node to a receiver running splunk. The
>> receiver has already been set up and is getting data from
>> other hosts. These other hosts use syslog-ng. Looking at the
>> online documentation, I was able to get a compute node to forward
>> this data to the head node (172.20.0.1) as follows. To a default
>> rsyslog.conf on a compute node, I added:
>>
>>
>> $PrivDropToGroup adm
>> $ModLoad imfile
>> $InputFileName /var/log/audit.log
>> $InputFileTag audits:
>> $InputFileStateFile stat-auditsap-access
>> $InputFileSeverity info
>> $InputRunFileMonitor
>> $InputFilePollInterval 10
>> if $programname == 'audits' then @@172.20.0.1:514
>>
>> So the audit data from the compute node appears in syslog on the
>> head node.
>>
>> I'm just not sure what I need to do on the head node to take this
>> data and forward it on. Here is what a successful syslog-ng.conf
>> looks like on a working head node. Note that the receiver (splunk)
>> is IP 10.0.0.10.
>>
>>
>> options {
>> .....
>> };
>>
>> source s_sys {
>> file ("/prov/kmsg" log_prefix("kernel: "));
>> unix-stream ("/dev/log");
>> internal();
>> };
>> source s_audit {
>> #for audits
>> file ("/var/log/audit/audit.log" flags(no-parse)
>> follow-freq(60)); #for audits
>> };
>> destination d_cons { file("/dev/console");};
>> destination ....
>> ...
>> destination d_splunk { udp("10.0.0.10" port(514)); };
>> #for audits
>>
>> filter f_kernel.....
>>
>> log {source(s_sys.....
>> ....
>> log { source(s_audit); destination(d_splunk); };
>> #for audits
>>
>> Does anyone know what should be on the head node to forward the stream?
>> Thanks
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>> DON'T LIKE THAT.
>>
>
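A head-node rsyslog.conf fragment that puts Radu's ruleset suggestion together with the compute-node setup from the original post, as an added example that is not from the thread. It assumes the head node listens on TCP 514 (matching the compute node's `@@172.20.0.1:514`); the ruleset name `remote` and the local file path `/var/log/remote.log` are my own choices.

```rsyslog
# Head-node rsyslog.conf fragment (added example; legacy directive syntax
# to match the compute-node config quoted in the thread).

# The compute node forwards with "@@172.20.0.1:514", i.e. plain TCP,
# so the head node needs the TCP input module.
$ModLoad imtcp

# Messages arriving over the network are handled by this ruleset only, so
# the head node's own local syslog never reaches the forward rule below.
$RuleSet remote                            # ruleset name is an assumption

# The compute node tagged the lines "audits:" and rsyslog derives
# $programname from that tag, so the same test works on the head node.
if $programname == 'audits' then @10.0.0.10:514   # UDP to splunk, as Radu suggested
& ~                                        # discard after forwarding: no local copy
*.* /var/log/remote.log                    # everything else from the network (assumed path)

# Bind the TCP listener to the ruleset before starting it.
$InputTCPServerBindRuleset remote
$InputTCPServerRun 514

# Return to the default ruleset so the rest of the stock config applies to local logs.
$RuleSet RSYSLOG_DefaultRuleset
```

Validate with `rsyslogd -N1` before restarting. A single `@` is UDP, which offers no delivery guarantee on the head-node-to-splunk hop; `@@` gives TCP if the Splunk receiver is configured to accept it.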

