> you edit rsyslog.conf to have it write the logs somewhere else

where? i already tried with the string
"if $fromhost-ip startswith 'ip source' then 'destination folder'" && 'second path'
or adding a new string under that like:
"if $fromhost-ip startswith 'ip source' then 'destination folder'"
"if $fromhost-ip startswith 'ip source' then 'new destination folders'"
& ~
but only the first one is working. Did I do something wrong?

> this is completely up to you and your organization, there are so many ways to do
> it that there is not a simple 'best practices'
>
> with that sort of volume, I like to rotate the logs frequently (I've even done
> every minute) so that when I need to search the files I can limit the search and
> none of the files get huge.

if i have to rotate frequently and i have to keep it for 6 months, must i calculate the exact number of rotations to add in the logrotate conf under the rotate parameter? or is there an easier way?

> what do you do with these logs? are you commonly looking at subsets of them? or
> do you just keep them because the policy says you should?

they are just for policy

> how do you back these up? how do you replicate them offsite? (encrypting them
> and storing them in AWS S3 as class Glacier is cheap, highly redundant storage,
> but it costs if you actually need to retrieve the data, so it's great for a
> 'just in case' archive, but not for an archive that you commonly use)

this is the backup :), luckily it is a just in case server

On Tue, 26 Nov 2019 at 13:08, David Lang <[email protected]> wrote:

> On Tue, 26 Nov 2019, Emilio Anzalone via rsyslog wrote:
>
> > how can i send the same log to different paths? i must edit the
> > /etc/rsyslog.conf or i have to redirect the log from the destination folder
> > to the new folder?
>
> you edit rsyslog.conf to have it write the logs somewhere else
>
> > if i have 28Gb/day and i have to keep it for 6 months, which is the best
> > practise to store it? (how many rotate, what time to start the crontab,etc)
>
> this is completely up to you and your organization, there are so many ways to do
> it that there is not a simple 'best practices'
>
> with that sort of volume, I like to rotate the logs frequently (I've even done
> every minute) so that when I need to search the files I can limit the search and
> none of the files get huge.
>
> compress the files as you rotate them, don't keep too many files in a directory
> (I like to do YYYY/MM/DD/log-hhMM type organization)
>
> what do you do with these logs? are you commonly looking at subsets of them? or
> do you just keep them because the policy says you should?
>
> how do you back these up? how do you replicate them offsite? (encrypting them
> and storing them in AWS S3 as class Glacier is cheap, highly redundant storage,
> but it costs if you actually need to retrieve the data, so it's great for a
> 'just in case' archive, but not for an archive that you commonly use)
>
> in other words, we need to know a lot more about what you do with the data
> before we can make good suggestions.
>
> David Lang

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
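An added example, not part of the thread and not the rsyslog project's own configuration: one way to write the same messages to two destinations is to place both actions inside a single filter block, with the second copy using the YYYY/MM/DD/log-hhMM layout mentioned above. The `192.0.2.` source prefix, both file paths and the template name are assumptions, and the syntax assumes an rsyslog version that supports RainerScript `action()` statements.

```conf
# Constructed example: source prefix, paths and template name are assumptions.

# Date-based file name (YYYY/MM/DD/log-hhMM) built from rsyslog's
# system-time properties, so every minute gets its own file.
template(name="ArchiveByMinute" type="string"
         string="/srv/logs/archive/%$year%/%$month%/%$day%/log-%$hour%%$minute%")

# One filter, two actions: every matching message is handed to both.
if $fromhost-ip startswith '192.0.2.' then {
    # First copy: a single fixed file.
    action(type="omfile" file="/var/log/remote/network.log")

    # Second copy: same messages, written through the dynamic file name
    # template; missing directories are created on demand.
    action(type="omfile" dynaFile="ArchiveByMinute" createDirs="on")

    # Discard after both writes so the messages do not also match later
    # rules ("stop" is the current form of the legacy "& ~").
    stop
}
```

Because each file name in the second destination carries its own date and time, retention there can be enforced by file age (compress and delete by date) rather than by a logrotate `rotate` count.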

