Hello!
Please consider stopping using the $ThisConfigSyntaxStyle, as "it will make
your life miserable" (c) Rainer Gerhards. There is a nice new syntax made
more than 10 years ago.
I guess this is more or less what you're looking for:
```
# imptcp must be loaded once before it can be used as an input
module(load="imptcp")

input(type="imptcp" name="remote_tcp" port="514" ruleset="remote1")

# One dynaFile template per log type; %HOSTNAME% gives each sender its own directory
template(name="TmplVPXMsg" type="string"
         string="/var/log/remote/netscaler/%HOSTNAME%/netscalerlog")
template(name="TmplAppfwMsg" type="string"
         string="/var/log/remote/netscaler/%HOSTNAME%/appfwlog")
template(name="TmplCiscoRouterMsg" type="string"
         string="/var/log/remote/cisco/router/%HOSTNAME%/routerlog")

ruleset(name="remote1") {
    if $msg contains 'VPX' then {
        # dynaFile must name a template defined above (TmplVPXMsg)
        action(type="omfile" name="netscaler_vpx_file"
               dynaFile="TmplVPXMsg")
    } else if $msg contains 'br01' then {
        action(type="omfile" name="cisco_router_file"
               dynaFile="TmplCiscoRouterMsg")
    } else if $msg contains 'appfw' then {
        action(type="omfile" name="netscaler_appfw_file"
               dynaFile="TmplAppfwMsg")
    }
}
```
There is still some space for improvements though. I'd suggest creating
different inputs for different kinds of logs. This way you can speed up
processing a bit (because `if $msg contains ...` is slow). Do not overuse
local variables though ($.something).
```
# imptcp must be loaded once before the inputs below
module(load="imptcp")

# Assuming VPX and appfw logs are coming from the same device.
# Otherwise easier to create one more input and remove `if $msg contains`
# completely.
input(type="imptcp" name="netscaler" port="2514" ruleset="netscaler")
input(type="imptcp" name="cisco_router" port="2515" ruleset="cisco_router")

# /var/log/remote/netscaler/%HOSTNAME%/<vpx|appfw>log
template(name="TmplNetscalerMsg" type="list") {
    constant(value="/var/log/remote/netscaler/")
    property(name="hostname")
    constant(value="/")
    property(name="$.ns_type")
    constant(value="log")
}
template(name="TmplCiscoRouterMsg" type="string"
         string="/var/log/remote/cisco/router/%HOSTNAME%/routerlog")

ruleset(name="netscaler") {
    # Classify the message once into a local variable read by the template
    if $msg contains 'VPX' then {
        set $.ns_type = "vpx";
    } else if $msg contains 'appfw' then {
        set $.ns_type = "appfw";
    } else {
        set $.ns_type = "UNKNOWN";
    }
    action(type="omfile" name="netscaler_appfw_file"
           dynaFile="TmplNetscalerMsg")
}

ruleset(name="cisco_router") {
    action(type="omfile" name="cisco_router_file"
           dynaFile="TmplCiscoRouterMsg")
}
```
All this knowledge I got from reading the Rsyslog docs here:
https://www.rsyslog.com/doc/v8-stable/configuration/index.html
Yes, it's not that well structured but still worth reading if you're using
Rsyslog a lot.
On Thu, 9 Sept 2021 at 13:53, lists--- via rsyslog <
[email protected]> wrote:
> I can successfully have logs going to the correct files under
> /var/log/remote/%HOSTNAME%/whatever, with the following template:
>
> $template TmplAuthpriv, "/var/log/remote/%HOSTNAME%/secure"
> $template TmplMsg, "/var/log/remote/%HOSTNAME%/messages"
> $template TmplCron, "/var/log/remote/%HOSTNAME%/cron"
> $template TmplMail, "/var/log/remote/smtp/%HOSTNAME%/maillog"
> $template TmplCmd, "/var/log/remote/%HOSTNAME%/cmd"
>
> and following ruleset:
>
> $RuleSet justlogs
> *.info;mail.none;authpriv.none;cron.none ?TmplMsg
> $RuleSet RSYSLOG_DefaultRuleset
> $InputTCPServerBindRuleset justlogs
> $InputTCPServerRun 514
>
>
> And direct some logs into specific folders, a la:
>
> ruleset(name="remote1"){
> if $msg contains 'VPX' then {
> action(type="omfile"
> file="/var/log/remote/netscaler/netscalerlog")
> }
> if $msg contains 'br01' then {
> action(type="omfile"
> file="/var/log/remote/cisco/router/routerlog")
> }
> if $msg contains 'appfw' then {
> action(type="omfile"
> file="/var/log/remote/netscaler/appfwlog")
> }
> }
> # End the rule set by switching back to the default rule set
> $RuleSet RSYSLOG_DefaultRuleset
> # Define a new input and bind it to the "remote1" rule set
> $InputTCPServerBindRuleset remote1
> $InputTCPServerRun 514
>
> But not both at the same time! I've tried smashing the rulesets
> together, but no joy.
>
> Reading the manual makes my brain hurt. And the online rsyslog.conf
> builder isn't working for me.
>
> Pointers appreciated!
>
> TIA
>
> Pete
> --
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
--
Yury Bushmelev
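
One way to serve both cases from the thread on a single port, as an added example that is not part of the original posts: device-specific messages go to their own files and everything else falls through to the facility-based `messages` file from the legacy `justlogs` ruleset. The ruleset name `remote_all`, the action names, the use of `stop` (so device logs are not also written to `messages`) and the `secpath-replace` option on `%HOSTNAME%` are choices made for this example.

```rsyslog
module(load="imptcp")

# One listener on 514, bound to a single ruleset that does both jobs.
input(type="imptcp" name="remote_tcp" port="514" ruleset="remote_all")

# %HOSTNAME% is taken from the message the sender supplies, so
# secpath-replace rewrites any "/" in it to "_" before it becomes a path.
template(name="TmplVPXMsg" type="string"
         string="/var/log/remote/netscaler/%HOSTNAME:::secpath-replace%/netscalerlog")
template(name="TmplAppfwMsg" type="string"
         string="/var/log/remote/netscaler/%HOSTNAME:::secpath-replace%/appfwlog")
template(name="TmplCiscoRouterMsg" type="string"
         string="/var/log/remote/cisco/router/%HOSTNAME:::secpath-replace%/routerlog")
template(name="TmplMsg" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/messages")

ruleset(name="remote_all") {
    # Device-specific logs first; "stop" ends processing of that message.
    if $msg contains 'VPX' then {
        action(type="omfile" name="netscaler_vpx_file" dynaFile="TmplVPXMsg")
        stop
    }
    if $msg contains 'br01' then {
        action(type="omfile" name="cisco_router_file" dynaFile="TmplCiscoRouterMsg")
        stop
    }
    if $msg contains 'appfw' then {
        action(type="omfile" name="netscaler_appfw_file" dynaFile="TmplAppfwMsg")
        stop
    }
    # Everything else: same selector as the legacy "justlogs" ruleset.
    if prifilt("*.info;mail.none;authpriv.none;cron.none") then {
        action(type="omfile" name="remote_messages_file" dynaFile="TmplMsg")
    }
}
```

Running `rsyslogd -N1` against the file checks the syntax before the daemon is restarted.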