So I want the two new-format templates to be used on incoming tcp://2514
packets, which will be auditd messages. I included the legacy versions
for comparison of what I wanted to do.
---
Bradley Hieber
Owner, Express Cloud Hosting
p. 810-882-1557
Expresscloudhosting.net
On 2019-12-11 14:02, David Lang wrote:
I don't understand your problem. You have 4 templates defined, two
with legacy format (which I still use a lot) and two with the new
format.
You can use any of the four formats with either the old format actions
or the new format actions.
What is it you are trying to do that isn't working?
David Lang
On Wed, 11 Dec 2019, Bradley Hieber via rsyslog wrote:
Date: Wed, 11 Dec 2019 12:30:36 -0500
From: Bradley Hieber via rsyslog <[email protected]>
To: [email protected]
Cc: Bradley Hieber <[email protected]>
Subject: [rsyslog] Two templates in the same ruleset
Hello List,
I am trying to do a dynamic file and string edit within a ruleset and am
coming up empty on examples. I want to replicate the two template edits
in the new format, but I am not seeing any examples of how to do both,
without using the legacy syntax. Config listed below:
# Dynamic file path, built per sender IP and per day
template(name="AuditLogSavePath" type="list") {
    constant(value="/data/syslogs/audit/")
    property(name="fromhost-ip")
    constant(value="/")
    property(name="timegenerated" dateFormat="year")
    constant(value="-")
    property(name="timegenerated" dateFormat="month")
    constant(value="-")
    property(name="timegenerated" dateFormat="day")
    constant(value="-")
    property(name="fromhost-ip")
    constant(value=".audit.log")
}
# Message text from character 2 to the end of the string
template(name="AuditMsg" type="string" string="%msg:2:$%\n")
ruleset(name="Audit-Rules"){
    action(type="omfile" DynaFile="AuditLogSavePath")
}
# provides TCP syslog reception
input(type="imtcp" port="2514" ruleset="Audit-Rules")
#$InputTCPServerRun 2514
# $AllowedSender TCP,127.0.0.1,192.168.56.102
$template HostAudit,"/data/syslog/audit/%HOSTNAME%/audit.log"
$template auditFormat,"%msg%\n"
local6.* ?HostAudit;auditFormat
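Both new-format templates used by one omfile action, as an added example that is not part of the original thread: `dynaFile` names the template that builds the file path and `template` names the one that formats each line. The `module()` line, `createDirs` and the two mode parameters are assumptions added here because the files hold audit data; they are not from the poster's config.

```rsyslog
# Added example, not the poster's configuration.

# Load the TCP input once (omit if it is already loaded elsewhere).
module(load="imtcp")

# Path template:
#   /data/syslogs/audit/<sender-ip>/<YYYY>-<MM>-<DD>-<sender-ip>.audit.log
# fromhost-ip is taken from the TCP connection, not from the message text.
template(name="AuditLogSavePath" type="list") {
    constant(value="/data/syslogs/audit/")
    property(name="fromhost-ip")
    constant(value="/")
    property(name="timegenerated" dateFormat="year")
    constant(value="-")
    property(name="timegenerated" dateFormat="month")
    constant(value="-")
    property(name="timegenerated" dateFormat="day")
    constant(value="-")
    property(name="fromhost-ip")
    constant(value=".audit.log")
}

# Line template: message text from character 2 to the end, plus a newline.
template(name="AuditMsg" type="string" string="%msg:2:$%\n")

# dynaFile picks the output file, template formats what is written to it.
# createDirs and the mode values are assumptions: they create the per-host
# directories and keep the audit files from being world-readable.
ruleset(name="Audit-Rules") {
    action(type="omfile"
           dynaFile="AuditLogSavePath"
           template="AuditMsg"
           createDirs="on"
           dirCreateMode="0750"
           fileCreateMode="0640")
}

# Everything received on TCP 2514 is processed only by Audit-Rules.
input(type="imtcp" port="2514" ruleset="Audit-Rules")
```

The syntax can be checked before restarting the daemon with `rsyslogd -N1 -f <file>`.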