Universal Forwarder installed, with the intention of monitoring logs processed by rsyslog. I have little to no knowledge of rsyslog. I have searched splunk-base extensively for example configurations.

We have 5-6 data sources coming in on two different UDP ports. 514 contains 4-5 of these data sources (Cisco FWSM, DNS, routers, switches, etc). The log sources go to a log repeater, which we can forward on any port to the rsyslog/UF. Need a rsyslog.conf example with filters to break out the 514 data sources into directories by hostname. Will use log rotate to clean up after ingest by UF. Have 500GB coming in daily, so we can only keep 12 hours or so on the rsyslog server for "buffer".

We are running into issues with the older style selector/rule contexts. Everyone seems to have switched to the new context in the rsyslog.conf file, which I am not entirely sure is supported in rsyslog v3.22. I also notice every time I start rsyslog it runs the -c 5 option in for backwards compatibility. It yells at me to use -c3 to eliminate backwards compatibility due to that causing other issues. I have manually run it with -c3 and it cleans up the errors in the logs, but no joy on filtering and breaking out the configs to the degree I am looking for.

The config below does work, but I don't have "matching" sample data to test with logger or nc. However, what I do test with (from Mac or RHEL /var/log files) using nc and logger does break it out by host, but it also copies it to /var/log/messages even when connecting with "nc -u 192.168.56.50 10514". Appreciate any help or pointers to other answers.

Looking for an actual real world "working" rsyslog.conf and matching UF .conf. Syslog-ng is not an option, as it is not approved software.

```conf
$ModLoad imuxsock   # Provides support for local system logging (e.g.
$ModLoad imklog     # Provides kernel logging support (previously done by rklogd)

# Provides UDP syslog reception
$ModLoad imudp      # module load restored here: $UDPServerRun needs imudp loaded first
$UDPServerRun 10514
$UDPServerRun 10515
$UDPServerRun 10516
$UDPServerRun 10517
$UDPServerRun 10518

# GLOBAL DIRECTIVES
# Use traditional timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$DirGroup root
$template DailyPerHostLogs,"/opt/netlogs/%HOSTNAME%/%HOSTNAME%-%$YEAR%%$MONTH%%$DAY%%$HOUR%.log"

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
kern.*                                          /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none        /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                      /var/log/secure

# Log all the mail messages in one place.

cron.*                                          /var/log/cron

# Everybody gets emergency messages
*.emerg                                         *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                  /var/log/spooler

# Save boot messages also to boot.log
```

Answer:

Rsyslog 3.22 is not going to support -c 5. It only supports compatibility up to -c 3. RHEL 5.9 did ship with a rsyslog 5 version in package rsyslog5. If you can upgrade to that I would, as it is much more logical to run in the configuration file.

In rsyslog5, then you can split the config out using rulesets, and even split out based on that incoming port:

```conf
# rsyslog v5 configuration file

$ModLoad imuxsock   # provides support for local system logging (e.g.
$ModLoad imklog     # provides kernel logging support (previously done by rklogd)

$ActionFileDefaultTemplate RSYSLOG_FileFormat

# Log all kernel messages to the console.
# Logging much else clutters up the screen.

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
```
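The per-port ruleset approach the answer describes, as an added example that is not the asker's or the answerer's config: each UDP listener is bound to its own ruleset, so remote messages are written only to the per-host dynamic file and no longer duplicated into /var/log/messages (the asker's remaining problem). The ports, the /opt/netlogs base directory and the ruleset names are assumed from the question; it needs rsyslog 5, since 3.22 has no rulesets.

```conf
# Added example, not from the original post. Assumes rsyslog 5.x,
# the asker's ports 10514/10515 and /opt/netlogs as the base directory.

$ModLoad imuxsock   # local system logging
$ModLoad imklog     # kernel logging
$ModLoad imudp      # UDP syslog reception; must be loaded before $UDPServerRun

$ActionFileDefaultTemplate RSYSLOG_FileFormat
$CreateDirs on          # create /opt/netlogs/<host>/ on first write
$DirCreateMode 0750     # keep the collected logs readable by the UF group only
$FileCreateMode 0640
$DirGroup root

# The file name is built from HOSTNAME, a field taken from the sender's message
# header. securepath-replace turns any "/" in that field into "_", so a forged
# header cannot add path components under /opt/netlogs. Use %FROMHOST% instead
# if the log repeater does not preserve the original host name.
$template DailyPerHostLogs,"/opt/netlogs/%HOSTNAME:::securepath-replace%/%HOSTNAME:::securepath-replace%-%$YEAR%%$MONTH%%$DAY%%$HOUR%.log"

# A message received by a bound listener is processed only by its ruleset,
# so the local rules in the default ruleset below never see it.
$RuleSet remote10514
*.* ?DailyPerHostLogs

$RuleSet remote10515
*.* ?DailyPerHostLogs

# Bind each listener to its ruleset, then start it.
$InputUDPServerBindRuleset remote10514
$UDPServerRun 10514
$InputUDPServerBindRuleset remote10515
$UDPServerRun 10515

# Back to the default ruleset: local (imuxsock/imklog) messages only.
$RuleSet RSYSLOG_DefaultRuleset
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
authpriv.*                                      /var/log/secure
cron.*                                          /var/log/cron
*.emerg                                         *
```

Sending a test line with "logger -n 192.168.56.50 -P 10514" style tools or the asker's "nc -u 192.168.56.50 10514" should then create a file under /opt/netlogs/<host>/ and leave /var/log/messages untouched.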