Hi,

We have a setup where there are multiple nodes generating application logs and 
events (a form of logs). I have attached the conf files used in the setup. I 
have a ticket against me and have been asked to provide an explanation of why, 
without the IPAddress in the input in the conf file, logs are printed in 
duplicate, but logs are not printed in duplicate when the IPAddress is included 
in the conf file.


On one of the nodes, rsyslog is configured to use UDP (port: 1000). Call it Master.

On all nodes, events are forwarded to the master using internalIP:1000.

The Master node also hosts the Ethernet interface towards the backhaul.


In rsyslog-master.conf file

input(type="imudp" port="1025") -- address is not given.


In each individual node, we had recently added an action to stream events 
collected in local7 facility to an external server.

local7.* action(type="omfwd" Target="11.11.11.11" Port="514" Protocol="udp" 
Template="ForwardFormat")


Observation:

Master node was receiving the events from local7 sent to external server at 
port 514.


Resolution:

Rsyslog on Master node was configured with address, after which there were no 
duplicate events logged on Master node.

input(type="imudp" address="169.1.1.2" port="1025") -- address added.


Question:

When the port numbers were different, why did the master node without an IP 
address receive both the events? The protocol was the same, but the ports were 
different.

FILES:

rsyslog-local.conf  rsyslog-local.d  rsyslog-master.conf  rsyslog-master.d


rsyslog-local.conf -- pulls data from journal
rsyslog-master.conf -- hosts the centralizedLogServer.

rsyslog-local.d/51-guiaudit-log-to-server.conf -- sends logs to 
centralizedLogServer hosted on local machine, if $msg contains '|guiAudit|'

rsyslog-local.d/66-GUIApplicationLogging.conf -- reads a log file 
/tmp/GUILogs/gui_audit_log.txt, filters based on log-level, and sends the logs 
to an external server. Msgs streamed to the external server are tagged with 
"UIAPP:"

rsyslog-master.d/48-gui_audit_log.conf -- logs to $AuditLog if $msg contains 
'|guiAudit|'


Issue: AuditLog to which master logs at centralizedLogServer had dual log 
entries.



Appreciate your help in helping me understand the behaviour.


Thanks and Regards
Lak.


Attachment: rsyslog-files.tgz
Description: rsyslog-files.tgz

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
