rsyslog server template consideration for multiple remote hosts

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












i'm not an expert on the rsyslog configuration since i dear to ask few doubts i have about the rsyslog server i have as this is been configured by some other guys who is unfortunately not there now hence i need certain guideline and help to understand on few setting in rsyslog server:



Linux Destro is : Centos 6.8



Below is what the rsyslog.conf looks like:



# cat /etc/rsyslog.conf

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log"
authpriv.* ?server-dc
*.info,mail.none,authpriv.none,cron.none ?server-dc
$IncludeConfig /etc/rsyslog.d/*.conf

#*.info;mail.none;authpriv.none;cron.none /var/log/messages
#*.* @elk-rsyslog:514


Point for me to understand:



1)



$template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log"
enter code here


So, in the above line /scratch/rsyslog is a Directory path on the rsyslog server where we are forwarding all the logs from the unix remote hosts which crearts a directory structure following a message file like:




/scratch/rsyslog/remot1-Ser1/messages.log
/scratch/rsyslog/remot1-Ser2/messages.log



So, this works okay, However at the same time we have few network devices as well which are forwarding the network logs into the same location in a below format:




/scratch/rsyslog/Sep/messages.log
/scratch/rsyslog/Oct/messages.log



In the above case of network logs its creating a Directory by month name following a message file So, I'm looking for a way in rsyslog to define a different path for network logs as such /scratch/rsyslog/network so the network logs can be collected into a Separate Folder, reason behind this is, i'm processing these logs to Elasticsearch hence i'm using wildcard for unix logs as /scratch/rsyslog/*/messages.log but this also includes the network logs being wildcard(*) called.



So, Is there a way i can say if the logs are coming from particular remote host or IP should go to a particular Folder in rsyslog server?



2) Here in $template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log" what is login for putting server-dc as this is a another Hostname, Is this gets any purpose or we can change this to something relevant considering above requirement.



3) Same server-dc also been included into another config parameters as well.



Desired



Would simply like to know if there is way i can Forward the logs for like systems , network, firewall into the separate distinct Directories like..



1 - /scratch/rsyslog/system/%HOSTNAME%/messages.log



2 - /scratch/rsyslog/network/%HOSTNAME%/messages.log



3 - /scratch/rsyslog/firewall/%HOSTNAME%/messages.log



I'm sorry for asking too much but hope you will consider this as my noviceness towards rsyslog learning , i would appreciate any help and suggestion on this ...









share







New contributor




pygo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.























    up vote
    0
    down vote

    favorite












    i'm not an expert on the rsyslog configuration since i dear to ask few doubts i have about the rsyslog server i have as this is been configured by some other guys who is unfortunately not there now hence i need certain guideline and help to understand on few setting in rsyslog server:



    Linux Destro is : Centos 6.8



    Below is what the rsyslog.conf looks like:



    # cat /etc/rsyslog.conf

    $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
    $ModLoad imklog # provides kernel logging support (previously done by rklogd)
    #$ModLoad immark # provides --MARK-- message capability
    # Provides UDP syslog reception
    $ModLoad imudp
    $UDPServerRun 514
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    $template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log"
    authpriv.* ?server-dc
    *.info,mail.none,authpriv.none,cron.none ?server-dc
    $IncludeConfig /etc/rsyslog.d/*.conf

    #*.info;mail.none;authpriv.none;cron.none /var/log/messages
    #*.* @elk-rsyslog:514


    Point for me to understand:



    1)



    $template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log"
    enter code here


    So, in the above line /scratch/rsyslog is a Directory path on the rsyslog server where we are forwarding all the logs from the unix remote hosts which crearts a directory structure following a message file like:




    /scratch/rsyslog/remot1-Ser1/messages.log
    /scratch/rsyslog/remot1-Ser2/messages.log



    So, this works okay, However at the same time we have few network devices as well which are forwarding the network logs into the same location in a below format:




    /scratch/rsyslog/Sep/messages.log
    /scratch/rsyslog/Oct/messages.log



    In the above case of network logs its creating a Directory by month name following a message file So, I'm looking for a way in rsyslog to define a different path for network logs as such /scratch/rsyslog/network so the network logs can be collected into a Separate Folder, reason behind this is, i'm processing these logs to Elasticsearch hence i'm using wildcard for unix logs as /scratch/rsyslog/*/messages.log but this also includes the network logs being wildcard(*) called.



    So, Is there a way i can say if the logs are coming from particular remote host or IP should go to a particular Folder in rsyslog server?



    2) Here in $template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log" what is login for putting server-dc as this is a another Hostname, Is this gets any purpose or we can change this to something relevant considering above requirement.



    3) Same server-dc also been included into another config parameters as well.



    Desired



    Would simply like to know if there is way i can Forward the logs for like systems , network, firewall into the separate distinct Directories like..



    1 - /scratch/rsyslog/system/%HOSTNAME%/messages.log



    2 - /scratch/rsyslog/network/%HOSTNAME%/messages.log



    3 - /scratch/rsyslog/firewall/%HOSTNAME%/messages.log



    I'm sorry for asking too much but hope you will consider this as my noviceness towards rsyslog learning , i would appreciate any help and suggestion on this ...









    share







    New contributor




    pygo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.





















      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      i'm not an expert on the rsyslog configuration since i dear to ask few doubts i have about the rsyslog server i have as this is been configured by some other guys who is unfortunately not there now hence i need certain guideline and help to understand on few setting in rsyslog server:



      Linux Destro is : Centos 6.8



      Below is what the rsyslog.conf looks like:



      # cat /etc/rsyslog.conf

      $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
      $ModLoad imklog # provides kernel logging support (previously done by rklogd)
      #$ModLoad immark # provides --MARK-- message capability
      # Provides UDP syslog reception
      $ModLoad imudp
      $UDPServerRun 514
      $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
      $template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log"
      authpriv.* ?server-dc
      *.info,mail.none,authpriv.none,cron.none ?server-dc
      $IncludeConfig /etc/rsyslog.d/*.conf

      #*.info;mail.none;authpriv.none;cron.none /var/log/messages
      #*.* @elk-rsyslog:514


      Point for me to understand:



      1)



      $template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log"
      enter code here


      So, in the above line /scratch/rsyslog is a Directory path on the rsyslog server where we are forwarding all the logs from the unix remote hosts which crearts a directory structure following a message file like:




      /scratch/rsyslog/remot1-Ser1/messages.log
      /scratch/rsyslog/remot1-Ser2/messages.log



      So, this works okay, However at the same time we have few network devices as well which are forwarding the network logs into the same location in a below format:




      /scratch/rsyslog/Sep/messages.log
      /scratch/rsyslog/Oct/messages.log



      In the above case of network logs its creating a Directory by month name following a message file So, I'm looking for a way in rsyslog to define a different path for network logs as such /scratch/rsyslog/network so the network logs can be collected into a Separate Folder, reason behind this is, i'm processing these logs to Elasticsearch hence i'm using wildcard for unix logs as /scratch/rsyslog/*/messages.log but this also includes the network logs being wildcard(*) called.



      So, Is there a way i can say if the logs are coming from particular remote host or IP should go to a particular Folder in rsyslog server?



      2) Here in $template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log" what is login for putting server-dc as this is a another Hostname, Is this gets any purpose or we can change this to something relevant considering above requirement.



      3) Same server-dc also been included into another config parameters as well.



      Desired



      Would simply like to know if there is way i can Forward the logs for like systems , network, firewall into the separate distinct Directories like..



      1 - /scratch/rsyslog/system/%HOSTNAME%/messages.log



      2 - /scratch/rsyslog/network/%HOSTNAME%/messages.log



      3 - /scratch/rsyslog/firewall/%HOSTNAME%/messages.log



      I'm sorry for asking too much but hope you will consider this as my noviceness towards rsyslog learning , i would appreciate any help and suggestion on this ...









      share







      New contributor




      pygo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      i'm not an expert on the rsyslog configuration since i dear to ask few doubts i have about the rsyslog server i have as this is been configured by some other guys who is unfortunately not there now hence i need certain guideline and help to understand on few setting in rsyslog server:



      Linux Destro is : Centos 6.8



      Below is what the rsyslog.conf looks like:



      # cat /etc/rsyslog.conf

      $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
      $ModLoad imklog # provides kernel logging support (previously done by rklogd)
      #$ModLoad immark # provides --MARK-- message capability
      # Provides UDP syslog reception
      $ModLoad imudp
      $UDPServerRun 514
      $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
      $template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log"
      authpriv.* ?server-dc
      *.info,mail.none,authpriv.none,cron.none ?server-dc
      $IncludeConfig /etc/rsyslog.d/*.conf

      #*.info;mail.none;authpriv.none;cron.none /var/log/messages
      #*.* @elk-rsyslog:514


      Point for me to understand:



      1)



      $template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log"
      enter code here


      So, in the above line /scratch/rsyslog is a Directory path on the rsyslog server where we are forwarding all the logs from the unix remote hosts which crearts a directory structure following a message file like:




      /scratch/rsyslog/remot1-Ser1/messages.log
      /scratch/rsyslog/remot1-Ser2/messages.log



      So, this works okay, However at the same time we have few network devices as well which are forwarding the network logs into the same location in a below format:




      /scratch/rsyslog/Sep/messages.log
      /scratch/rsyslog/Oct/messages.log



      In the above case of network logs its creating a Directory by month name following a message file So, I'm looking for a way in rsyslog to define a different path for network logs as such /scratch/rsyslog/network so the network logs can be collected into a Separate Folder, reason behind this is, i'm processing these logs to Elasticsearch hence i'm using wildcard for unix logs as /scratch/rsyslog/*/messages.log but this also includes the network logs being wildcard(*) called.



      So, Is there a way i can say if the logs are coming from particular remote host or IP should go to a particular Folder in rsyslog server?



      2) Here in $template server-dc, "/scratch/rsyslog/%HOSTNAME%/messages.log" what is login for putting server-dc as this is a another Hostname, Is this gets any purpose or we can change this to something relevant considering above requirement.



      3) Same server-dc also been included into another config parameters as well.



      Desired



      Would simply like to know if there is way i can Forward the logs for like systems , network, firewall into the separate distinct Directories like..



      1 - /scratch/rsyslog/system/%HOSTNAME%/messages.log



      2 - /scratch/rsyslog/network/%HOSTNAME%/messages.log



      3 - /scratch/rsyslog/firewall/%HOSTNAME%/messages.log



      I'm sorry for asking too much but hope you will consider this as my noviceness towards rsyslog learning , i would appreciate any help and suggestion on this ...







      linux rsyslog





      share







      New contributor




      pygo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.










      share







      New contributor




      pygo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.








      share



      share






      New contributor




      pygo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 1 min ago









      pygo

      101




      101




      New contributor




      pygo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      pygo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      pygo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.

























          active

          oldest

          votes











          Your Answer







          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );






          pygo is a new contributor. Be nice, and check out our Code of Conduct.









           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f477403%2frsyslog-server-template-consideration-for-multiple-remote-hosts%23new-answer', 'question_page');

          );

          Post as a guest



































          active

          oldest

          votes













          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          pygo is a new contributor. Be nice, and check out our Code of Conduct.









           

          draft saved


          draft discarded


















          pygo is a new contributor. Be nice, and check out our Code of Conduct.












          pygo is a new contributor. Be nice, and check out our Code of Conduct.











          pygo is a new contributor. Be nice, and check out our Code of Conduct.













           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f477403%2frsyslog-server-template-consideration-for-multiple-remote-hosts%23new-answer', 'question_page');

          );

          Post as a guest













































































          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Displaying single band from multi-band raster using QGIS

          How many registers does an x86_64 CPU actually have?