Is that really your entire config, nothing else?
David Lang
On Mon, 21 Nov 2022, Will BMD via rsyslog wrote:
Date: Mon, 21 Nov 2022 17:19:39 +0000
From: Will BMD via rsyslog <rsyslog@lists.adiscon.com>
To: rsyslog@lists.adiscon.com
Cc: Will BMD <w...@brainmeltdown.net>
Subject: [rsyslog] Dynamic file generation issue
Hey all,
I've got a pretty simple configuration as below:
module(load="imudp")
input(type="imudp" port="514")
$template DynaFile,"/var/log/ext/%HOSTNAME%/%timestamp:::date-month%/%timestamp:::date-day%/%timestamp:::date-hour%.log"
*.* -?DynaFile
This appears to be working but I've noticed this oddity. I'm seeing logs
being sent to 2 locations, not duplicates from the looks of it. The first
location is the one specified in the template above, the other is being sent
to a file called *syslog* in /var/log/syslog. When looking at the logs I'm
not seeing any obvious differences between the messages. I want all messages
to go where I've defined the dynafile location. Does anyone have any input as
to what could be happening?
Here are some examples:
/var/log/ext/10.10.10.10/11/21$ tail 16.log
Nov 21 16:59:59 10.10.10.10 %ASA-6-106100: access-list inside_access_in
denied tcp inside/x.x.x.x(53194) -> outside/x.x.x.x(80) hit-cnt 1 first hit
[0xc58201ba, 0x38466015]
/var/log$ tail syslog
Nov 21 17:01:33 10.10.10.10 %ASA-6-106100: access-list inside_access_in
denied tcp inside/x.x.x.x(49548) -> outside/x.x.x.x(443) hit-cnt 1 first hit
[0xc58201ba, 0x6838bf3c]
Thanks,
Will
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.