On Fri, 10 Sep 2021, [email protected] wrote:
Thanks David
Yes, my bad, I was still trying to load the "imtcp" module instead of the
"imptcp" module. The rsyslog syntax is now valid, which is a good start.
And yes, I'm constrained by what I can pull from redhat. Not my choice!
So, my entire config now looks like the below:
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$template TmplAuthpriv, "/var/log/remote/%HOSTNAME%/secure"
$template TmplMsg, "/var/log/remote/%HOSTNAME%/messages"
$template TmplCron, "/var/log/remote/%HOSTNAME%/cron"
$template TmplMail, "/var/log/remote/smtp/%HOSTNAME%/maillog"
$template TmplCmd, "/var/log/remote/%HOSTNAME%/cmd"
template (name="TmplCiscoFirewallFormat" type="string"
string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
)
template (name="TmplCiscoFirewallFile" type="string"
string="/var/log/remote/cisco/firewalllog"
)
$ModLoad imudp
$RuleSet remoteudp1
:programname, isequal, "SFIMS" ?TmplCiscoFirewallFile;TmplCiscoFirewallFormat
& ~
*.info;mail.none;authpriv.none;cron.none ?TmplMsg
$RuleSet RSYSLOG_DefaultRuleset
$InputUDPServerBindRuleset remoteudp1
$UDPServerRun 514
$ModLoad imptcp
This is one of the places where you should use the new syntax. Change all of
this to the new syntax.
input(type="imptcp" name="remote_tcp" port="514" ruleset="remote1")
template(name="TmplVPXMsg" type="string"
string="/var/log/remote/netscaler/netscalerlog")
template(name="TmplAppfwMsg" type="string"
string="/var/log/remote/netscaler/appfwlog")
template(name="TmplCiscoRouterMsg" type="string"
string="/var/log/remote/cisco/router/routerlog")
ruleset(name="remote1") {
    if $msg contains 'VPX' then {
        action(type="omfile" name="netscaler_vpx_file"
               dynaFile="TmplVPXMsg")
    } else if $msg contains 'br01' then {
        action(type="omfile" name="cisco_router_file"
               dynaFile="TmplCiscoRouterMsg")
    } else if $msg contains 'appfw' then {
        action(type="omfile" name="netscaler_appfw_file"
               dynaFile="TmplAppfwMsg")
    }
}
input(type="imptcp" name="remote_tcp" port="514" ruleset="remote1")
You should get an error defining an input multiple times. Are you sure there are
no errors on startup?
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
local7.notice /var/log/cmd.log
It's a mish-mash of old and new styles.
The logs for the templated "TmplVPXMsg" "TmplAppfwMsg" "TmplCiscoRouterMsg"
are working nicely.
My issue is still how to pick out the remaining logs coming in over 514/TCP
(ruleset="remote1") and stash them into the templated "TmplAuthpriv"
"TmplMsg" "TmplCron" "TmplMail" "TmplCmd".
I don't know the correct syntax for catching these within the "remote1"
ruleset!
Within previous iterations we had something like:
# Provides TCP syslog reception
$ModLoad imtcp
$RuleSet remote1
:msg, regex , "[Zz][SsUu][Vv][Pp][Xx]" ?TmplNetscalerFile;TmplNetcalerFormat
& ~
This syntax still works; just put it inside the ruleset {},
or use the if...then syntax. There is a regex() function you can use for the
test.
David Lang
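
Added example, not part of the original thread and not the rsyslog project's own configuration: one way to finish the "remote1" ruleset so that whatever the three device matches leave over is split by facility into the poster's per-host templates. It uses the template names from the posted config and if/then tests with prifilt() in place of the legacy selector lines; the new action names and the mapping of local7.notice to TmplCmd are assumptions.

```rsyslog
# Added example. TmplVPXMsg, TmplAuthpriv, TmplMsg etc. are the templates
# defined in the posted config; the remote_* action names are hypothetical.
ruleset(name="remote1") {
    if $msg contains 'VPX' then {
        action(type="omfile" name="netscaler_vpx_file"
               dynaFile="TmplVPXMsg")
    } else if $msg contains 'br01' then {
        action(type="omfile" name="cisco_router_file"
               dynaFile="TmplCiscoRouterMsg")
    } else if $msg contains 'appfw' then {
        action(type="omfile" name="netscaler_appfw_file"
               dynaFile="TmplAppfwMsg")
    } else {
        # Everything else received on 514/TCP lands here and is split by
        # facility, one directory per sending host (%HOSTNAME% in the template).
        if prifilt("authpriv.*") then {
            action(type="omfile" name="remote_secure_file"
                   dynaFile="TmplAuthpriv")
        }
        if prifilt("mail.*") then {
            action(type="omfile" name="remote_mail_file"
                   dynaFile="TmplMail")
        }
        if prifilt("cron.*") then {
            action(type="omfile" name="remote_cron_file"
                   dynaFile="TmplCron")
        }
        # Assumption: mirrors the local "local7.notice /var/log/cmd.log" rule.
        if prifilt("local7.notice") then {
            action(type="omfile" name="remote_cmd_file"
                   dynaFile="TmplCmd")
        }
        # Same selector as the local /var/log/messages rule.
        if prifilt("*.info;mail.none;authpriv.none;cron.none") then {
            action(type="omfile" name="remote_messages_file"
                   dynaFile="TmplMsg")
        }
    }
}
```

%HOSTNAME% is read from the message header, so the sending device chooses the directory name under /var/log/remote; %fromhost-ip% is the property to use in the templates if the path should depend on the connection's source address instead.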
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog