Old 07-23-2012, 03:13 AM
Rogelio
 
Default n00b rsyslog.conf question - how to separate local syslog from network appliance syslog?

I have several network appliances, and I want to aggregate their syslog
output for later analysis. Eventually I might think about a Splunk
box, but for the interim I'm hoping to just build a CentOS 6 syslog
server and have it aggregate everything on it for quick review.

I installed rsyslog and am looking through the /etc/rsyslog.conf file
for what I configure to (a) listen for syslog input from other devices
(UDP port 514 is fine), (b) make a log, and (c) log rotate files.

(a) I see in there (if I comment it out)

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

(Obviously add an iptables rule to let this traffic in)

(b) I see options in there, but am not sure how to separate the local
logs from the remote logs. Is it something like the following?

*.*;local6.none;auth,authpriv.none -/var/log/syslog

(c) I understand I can do if I edit
/etc/logrotate.d/MyNetworkAppliance.log. This isn't as big of a
concern right now. Just trying to figure out how to log things
separately. :/

Any suggestions on what I should do to make this work?
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 07-23-2012, 07:26 AM
"ignasr@vault13.lt"
 
Default n00b rsyslog.conf question - how to separate local syslog from network appliance syslog?

Hello,

This is how I do it.

(c)

$template Tdefault,"/logs/%fromhost-ip%/%syslogfacility-text%.%$YEAR%-%$MONTH%-%$DAY%.log"
$template FileFormat,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

*.* -?Tdefault;FileFormat

(b)
Dropping not localhost. All events not from localhost are _dropped_
because of the following rule. This is the end of the config file,
dealing only with local logs:

:fromhost-ip, !isequal, "127.0.0.1" ~

#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

...and so on (standard rsyslog.conf). Mind the line breaks, if lines are
wrapped in email.

Ignas


On 2012.07.23 06:13, Rogelio wrote:
> I have several network appliances, and I want aggregate their syslog
> output for later analysis. Eventually I might think about a Splunk
> box, but for the interim I'm hoping to just build a CentOS 6 syslog
> server and have it aggregate everything on it for quick review.
>
> I installed rsyslog and am looking through the /etc/rsyslog.conf
> file for what I configure to (a) listen for syslog input from other
> devices (UDP port 514 is fine), (b) make a log, and (c) log rotate
> files.
>
> (a) I see in there (if I comment it out)
>
> # Provides UDP syslog reception
> $ModLoad imudp
> $UDPServerRun 514
>
> (Obviously add an iptables rule to let this traffic in)
>
> (b) I see options in there, but am not sure how to separate the
> local logs from the remote logs. Is it something like the
> following?
>
> *.*;local6.none;auth,authpriv.none -/var/log/syslog
>
> (c) I understand I can do if I edit
> /etc/logrotate.d/MyNetworkAppliance.log. This isn't as big of a
> concern right now. Just trying to figure out how to log things
> separately. :/
>
> Any suggestions on what I should do to make this work?
>

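The pieces from this thread assembled into one /etc/rsyslog.conf fragment, as an added example that is not part of either post. It is a variant of the reply's rules: the sender filter sits on the per-host file action itself and is followed by a discard, so local messages are not also written under /logs/127.0.0.1/ (which the unfiltered `*.*` rule would do). The /logs path and the local rules are the ones quoted above; the iptables remark in the comments is an assumption about the surrounding setup.

```conf
# Legacy-format rsyslog directives, as used in the posts above.
# Every directive and rule must stay on ONE line; mail wrapping breaks them.

# (a) Accept syslog over UDP 514, as in the question.
# UDP has no sender authentication, so scope the matching iptables rule
# to the appliances' source addresses rather than opening 514 to everyone.
$ModLoad imudp
$UDPServerRun 514

# Per-sender, per-facility, per-day file name.
# %fromhost-ip% is the address rsyslog received the packet from; it is used
# for the directory instead of %HOSTNAME%, which comes from the message text
# and is therefore chosen by the sender.
$template Tdefault,"/logs/%fromhost-ip%/%syslogfacility-text%.%$YEAR%-%$MONTH%-%$DAY%.log"

# Line format: RFC 3339 timestamp, host, tag, message, newline.
$template FileFormat,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

# (b) Remote messages only: write to the dynamic file, then discard so
# they never reach the local rules below. "&" repeats the previous filter.
:fromhost-ip, !isequal, "127.0.0.1" -?Tdefault;FileFormat
& ~

# Local rules: only messages from this host get this far.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
```

The configuration can be checked for syntax errors with `rsyslogd -N1` before the service is restarted.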
 

All times are GMT.