Hi,

I have a query regarding rsyslog templates.

Before I describe the problem, let me explain the background. We are
planning to receive logs from different networking equipment and
firewalls. Those logs will be sent over to two rsyslog servers, which
will in turn send them to Splunk. We want to separate the logs as per
the originating hostname and save them in separate files in individual,
separate directories.

The following is an example of such a configuration:

# cat cyberark.conf
input(type="imtcp" port="9514" ruleset="cyberark_logs")
ruleset(name="cyberark_logs"
        queue.type="fixedArray"
        queue.size="250000"
        queue.dequeueBatchSize="4096"
        queue.workerThreads="4"
        queue.workerThreadMinimumMessages="60000"
        ) {
        $FileOwner splunk
        $FileGroup splunk
        $DirOwner splunk
        $DirGroup splunk
        $DirCreateMode 0755
        $FileCreateMode 0640
        $RulesetCreateMainQueue
        $Template Dynafile2,"/opt/data/syslog/cyberark/%HOSTNAME%/asa_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log"
        *.* -?Dynafile2
}

1) Now my confusion is about the template naming scheme. Right now all
of the configurations have these lines:

        $Template Dynafile2,"FILEPATH_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log"
        *.* -?Dynafile2

How can/should I change the names of the templates? Shall I make it like:

        $Template cyberark,"/opt/data/syslog/cyberark/%HOSTNAME%/asa_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log"
        *.* -?cyberark

2) Based on the above full configuration snippet, is there any
modification that I can make so that the configuration is easier to
read/understand? In other words, any improvement tips?

Thanks,
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
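
For comparison, the same setup written in rsyslog's RainerScript template() and action() syntax, where the template name is a free-form label referenced by the action's dynaFile parameter. This is an added example, not part of the original post: the template name `cyberark_hostfile` and the `secpath-replace` property option are assumptions introduced here, and imtcp is assumed to be loaded elsewhere, as in the post.

```rsyslog
# Added example (not from the original post); same port, paths and
# queue settings as the configuration quoted above.

# The name is only a label; it must match dynaFile= in the action below.
# %HOSTNAME% is parsed from the received message, so its value is chosen
# by the sender. secpath-replace turns any "/" in it into "_" before the
# value becomes a directory name.
template(name="cyberark_hostfile" type="string"
         string="/opt/data/syslog/cyberark/%HOSTNAME:::secpath-replace%/asa_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log")

ruleset(name="cyberark_logs"
        queue.type="fixedArray"
        queue.size="250000"
        queue.dequeueBatchSize="4096"
        queue.workerThreads="4"
        queue.workerThreadMinimumMessages="60000") {
    # Replaces the $FileOwner/$DirOwner/... directives and "*.* -?Dynafile2".
    # The legacy "-" prefix only skips per-write syncing, which omfile
    # already leaves off by default, so it has no counterpart here.
    action(type="omfile"
           dynaFile="cyberark_hostfile"
           fileOwner="splunk"   fileGroup="splunk"
           dirOwner="splunk"    dirGroup="splunk"
           dirCreateMode="0755" fileCreateMode="0640")
}

input(type="imtcp" port="9514" ruleset="cyberark_logs")
```

`rsyslogd -N1 -f <file>` checks the syntax of a configuration file without starting the daemon.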