rsyslog server template consideration for multiple remote hosts
Clash Royale CLAN TAG#URR8PPP
up vote
0
down vote
favorite
i'm not an expert on the rsyslog configuration since i dear to ask few doubts i have about the rsyslog server i have as this is been configured by some other guys who is unfortunately not there now hence i need certain guideline and help to understand on few setting in rsyslog server:
Linux Destro is : Centos 6.8
Below is what the rsyslog.conf looks like:
# cat /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log"
authpriv.* ?server-dc
*.info,mail.none,authpriv.none,cron.none ?server-dc
$IncludeConfig /etc/rsyslog.d/*.conf
#*.info;mail.none;authpriv.none;cron.none /var/log/messages
#*.* @elk-rsyslog:514
Point for me to understand:
1)
$template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log"
enter code here
So, in the above line /scratch/rsyslog
is a Directory path on the rsyslog server where we are forwarding all the logs from the unix remote hosts which crearts a directory structure following a message file like:
/scratch/rsyslog/remot1-Ser1/messages.log
/scratch/rsyslog/remot1-Ser2/messages.log
So, this works okay, However at the same time we have few network devices as well which are forwarding the network logs into the same location in a below format:
/scratch/rsyslog/Sep/messages.log
/scratch/rsyslog/Oct/messages.log
In the above case of network logs its creating a Directory by month name following a message file So, I'm looking for a way in rsyslog to define a different path for network logs as such /scratch/rsyslog/network
so the network logs can be collected into a Separate Folder, reason behind this is, i'm processing these logs to Elasticsearch hence i'm using wildcard for unix logs as /scratch/rsyslog/*/messages.log
but this also includes the network logs being wildcard(*
) called.
So, Is there a way i can say if the logs are coming from particular remote host or IP should go to a particular Folder in rsyslog server?
2) Here in $template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log"
what is login for putting server-dc as this is a another Hostname, Is this gets any purpose or we can change this to something relevant considering above requirement.
3) Same server-dc also been included into another config parameters as well.
Desired
Would simply like to know if there is way i can Forward the logs for like systems , network, firewall into the separate distinct Directories like..
1 - /scratch/rsyslog/system/%HOSTNAME%/messages.log
2 - /scratch/rsyslog/network/%HOSTNAME%/messages.log
3 - /scratch/rsyslog/firewall/%HOSTNAME%/messages.log
I'm sorry for asking too much but hope you will consider this as my noviceness towards rsyslog learning , i would appreciate any help and suggestion on this ...
linux rsyslog
New contributor
add a comment |Â
up vote
0
down vote
favorite
i'm not an expert on the rsyslog configuration since i dear to ask few doubts i have about the rsyslog server i have as this is been configured by some other guys who is unfortunately not there now hence i need certain guideline and help to understand on few setting in rsyslog server:
Linux Destro is : Centos 6.8
Below is what the rsyslog.conf looks like:
# cat /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log"
authpriv.* ?server-dc
*.info,mail.none,authpriv.none,cron.none ?server-dc
$IncludeConfig /etc/rsyslog.d/*.conf
#*.info;mail.none;authpriv.none;cron.none /var/log/messages
#*.* @elk-rsyslog:514
Point for me to understand:
1)
$template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log"
enter code here
So, in the above line /scratch/rsyslog
is a Directory path on the rsyslog server where we are forwarding all the logs from the unix remote hosts which crearts a directory structure following a message file like:
/scratch/rsyslog/remot1-Ser1/messages.log
/scratch/rsyslog/remot1-Ser2/messages.log
So, this works okay, However at the same time we have few network devices as well which are forwarding the network logs into the same location in a below format:
/scratch/rsyslog/Sep/messages.log
/scratch/rsyslog/Oct/messages.log
In the above case of network logs its creating a Directory by month name following a message file So, I'm looking for a way in rsyslog to define a different path for network logs as such /scratch/rsyslog/network
so the network logs can be collected into a Separate Folder, reason behind this is, i'm processing these logs to Elasticsearch hence i'm using wildcard for unix logs as /scratch/rsyslog/*/messages.log
but this also includes the network logs being wildcard(*
) called.
So, Is there a way i can say if the logs are coming from particular remote host or IP should go to a particular Folder in rsyslog server?
2) Here in $template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log"
what is login for putting server-dc as this is a another Hostname, Is this gets any purpose or we can change this to something relevant considering above requirement.
3) Same server-dc also been included into another config parameters as well.
Desired
Would simply like to know if there is way i can Forward the logs for like systems , network, firewall into the separate distinct Directories like..
1 - /scratch/rsyslog/system/%HOSTNAME%/messages.log
2 - /scratch/rsyslog/network/%HOSTNAME%/messages.log
3 - /scratch/rsyslog/firewall/%HOSTNAME%/messages.log
I'm sorry for asking too much but hope you will consider this as my noviceness towards rsyslog learning , i would appreciate any help and suggestion on this ...
linux rsyslog
New contributor
add a comment |Â
up vote
0
down vote
favorite
up vote
0
down vote
favorite
i'm not an expert on the rsyslog configuration since i dear to ask few doubts i have about the rsyslog server i have as this is been configured by some other guys who is unfortunately not there now hence i need certain guideline and help to understand on few setting in rsyslog server:
Linux Destro is : Centos 6.8
Below is what the rsyslog.conf looks like:
# cat /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log"
authpriv.* ?server-dc
*.info,mail.none,authpriv.none,cron.none ?server-dc
$IncludeConfig /etc/rsyslog.d/*.conf
#*.info;mail.none;authpriv.none;cron.none /var/log/messages
#*.* @elk-rsyslog:514
Point for me to understand:
1)
$template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log"
enter code here
So, in the above line /scratch/rsyslog
is a Directory path on the rsyslog server where we are forwarding all the logs from the unix remote hosts which crearts a directory structure following a message file like:
/scratch/rsyslog/remot1-Ser1/messages.log
/scratch/rsyslog/remot1-Ser2/messages.log
So, this works okay, However at the same time we have few network devices as well which are forwarding the network logs into the same location in a below format:
/scratch/rsyslog/Sep/messages.log
/scratch/rsyslog/Oct/messages.log
In the above case of network logs its creating a Directory by month name following a message file So, I'm looking for a way in rsyslog to define a different path for network logs as such /scratch/rsyslog/network
so the network logs can be collected into a Separate Folder, reason behind this is, i'm processing these logs to Elasticsearch hence i'm using wildcard for unix logs as /scratch/rsyslog/*/messages.log
but this also includes the network logs being wildcard(*
) called.
So, Is there a way i can say if the logs are coming from particular remote host or IP should go to a particular Folder in rsyslog server?
2) Here in $template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log"
what is login for putting server-dc as this is a another Hostname, Is this gets any purpose or we can change this to something relevant considering above requirement.
3) Same server-dc also been included into another config parameters as well.
Desired
Would simply like to know if there is way i can Forward the logs for like systems , network, firewall into the separate distinct Directories like..
1 - /scratch/rsyslog/system/%HOSTNAME%/messages.log
2 - /scratch/rsyslog/network/%HOSTNAME%/messages.log
3 - /scratch/rsyslog/firewall/%HOSTNAME%/messages.log
I'm sorry for asking too much but hope you will consider this as my noviceness towards rsyslog learning , i would appreciate any help and suggestion on this ...
linux rsyslog
New contributor
i'm not an expert on the rsyslog configuration since i dear to ask few doubts i have about the rsyslog server i have as this is been configured by some other guys who is unfortunately not there now hence i need certain guideline and help to understand on few setting in rsyslog server:
Linux Destro is : Centos 6.8
Below is what the rsyslog.conf looks like:
# cat /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log"
authpriv.* ?server-dc
*.info,mail.none,authpriv.none,cron.none ?server-dc
$IncludeConfig /etc/rsyslog.d/*.conf
#*.info;mail.none;authpriv.none;cron.none /var/log/messages
#*.* @elk-rsyslog:514
Point for me to understand:
1)
$template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log"
enter code here
So, in the above line /scratch/rsyslog
is a Directory path on the rsyslog server where we are forwarding all the logs from the unix remote hosts which crearts a directory structure following a message file like:
/scratch/rsyslog/remot1-Ser1/messages.log
/scratch/rsyslog/remot1-Ser2/messages.log
So, this works okay, However at the same time we have few network devices as well which are forwarding the network logs into the same location in a below format:
/scratch/rsyslog/Sep/messages.log
/scratch/rsyslog/Oct/messages.log
In the above case of network logs its creating a Directory by month name following a message file So, I'm looking for a way in rsyslog to define a different path for network logs as such /scratch/rsyslog/network
so the network logs can be collected into a Separate Folder, reason behind this is, i'm processing these logs to Elasticsearch hence i'm using wildcard for unix logs as /scratch/rsyslog/*/messages.log
but this also includes the network logs being wildcard(*
) called.
So, Is there a way i can say if the logs are coming from particular remote host or IP should go to a particular Folder in rsyslog server?
2) Here in $template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log"
what is login for putting server-dc as this is a another Hostname, Is this gets any purpose or we can change this to something relevant considering above requirement.
3) Same server-dc also been included into another config parameters as well.
Desired
Would simply like to know if there is way i can Forward the logs for like systems , network, firewall into the separate distinct Directories like..
1 - /scratch/rsyslog/system/%HOSTNAME%/messages.log
2 - /scratch/rsyslog/network/%HOSTNAME%/messages.log
3 - /scratch/rsyslog/firewall/%HOSTNAME%/messages.log
I'm sorry for asking too much but hope you will consider this as my noviceness towards rsyslog learning , i would appreciate any help and suggestion on this ...
linux rsyslog
linux rsyslog
New contributor
New contributor
New contributor
asked 1 min ago
pygo
101
101
New contributor
New contributor
add a comment |Â
add a comment |Â
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
pygo is a new contributor. Be nice, and check out our Code of Conduct.
pygo is a new contributor. Be nice, and check out our Code of Conduct.
pygo is a new contributor. Be nice, and check out our Code of Conduct.
pygo is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f477403%2frsyslog-server-template-consideration-for-multiple-remote-hosts%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password