Hi all,
I'm working on a centralized logging system and I'm using rsyslog as
our syslog daemon. I'm looking to accept logs from servers, routers,
switches, and other appliances. Our syslog server is a RHEL 6 system
running rsyslog 4.6.2.
For router/switch devices, syslog comes in on a single facility and
filtering is relatively easy. But when I start combining this with
other sources such as servers, I run into problems.
To start, I configured a firewall device to send syslog via udp:10003.
I can filter these by IP:
# UDP input module and the listener the firewalls send to
$ModLoad imudp.so
$UDPServerRun 10003
# $source is an alias for $hostname, i.e. the HOSTNAME field the sender
# writes into the message (for these devices, their IP address).
# The address a packet actually arrived from is $fromhost-ip.
if $source == '192.168.1.1' then /logs/syslog/FWSM_ASA/192.168.1.1.log
if $source == '192.168.2.1' then /logs/syslog/FWSM_ASA/192.168.2.1.log
...
# Discard (~) what was already written above so it does not also
# fall through into the stock rules that follow.
if $source == '192.168.1.1' or $source == '192.168.2.1' ... then ~
# And then the rest of the stock rsyslog.conf is below
It would be nice if I could use a template to deal with the above, but
the only way I can think to do that would be if I could filter by the
destination port, i.e. 10003. So I could send firewall data to 10003,
routers to 10004, etc.
For servers, I was planning on using a TCP connection, eventually a TLS
TCP connection. Again, templating seems the right way to go, but my
testing thus far ended up with all of the data mixed up one way or another.
Has anyone done this? Can you share your rsyslog.conf file so I can see
how this is accomplished?
Thanks,
--
---------------------------
Jason Frisvold
Network Engineer
[email protected]
---------------------------
"What I cannot create, I do not understand"
- Richard Feynman
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
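The following is an added example, not part of the original post and not a config shipped by the rsyslog project. It shows the "filter by destination port" idea from the question done the way rsyslog supports it: each listener is bound to its own ruleset ($RuleSet plus $InputUDPServerBindRuleset / $InputTCPServerBindRuleset, both present in the 4.x series the post uses), and each ruleset writes to a dynamic file named from a template. The directory names, port numbers and certificate paths are assumptions chosen for illustration. The template keys on %fromhost-ip% (the address the datagram or connection came from) rather than %hostname% or %source%, because the HOSTNAME field is supplied by the sender and a hostile or misconfigured device can put path characters in it; the sender address cannot contain "/" or "..".

```conf
# Added example (not from the original post). Legacy-format rsyslog.conf
# fragment for rsyslog 4.6.x: one listener per device class, each bound to
# its own ruleset, each ruleset writing one file per sending IP address.
# Paths, ports and cert locations below are assumed for illustration.

$ModLoad imudp
$ModLoad imtcp

# Restrictive modes for anything rsyslog creates on its own (assumed values).
$CreateDirs on
$DirCreateMode 0750
$FileCreateMode 0640

# Dynamic file name templates. %fromhost-ip% is the real sender address and
# cannot contain path separators; %hostname% / %source% come from the
# message and are under the sender's control, so they are not used here.
$template FirewallFile,"/logs/syslog/FWSM_ASA/%fromhost-ip%.log"
$template RouterFile,"/logs/syslog/routers/%fromhost-ip%.log"
$template ServerFile,"/logs/syslog/servers/%fromhost-ip%.log"

# --- Firewalls: everything arriving on udp/10003 ---------------------------
# $RuleSet makes the named ruleset current; the rules that follow belong to it
# and nothing from the default ruleset is applied to these messages.
$RuleSet firewalls
*.* ?FirewallFile
# Bind the next UDP listener to that ruleset, then create the listener.
$InputUDPServerBindRuleset firewalls
$UDPServerRun 10003

# --- Routers and switches: everything arriving on udp/10004 ----------------
$RuleSet routers
*.* ?RouterFile
$InputUDPServerBindRuleset routers
$UDPServerRun 10004

# --- Servers: TCP on port 10514 (assumed port) -------------------------------
$RuleSet servers
*.* ?ServerFile
# Optional TLS for this listener (gtls netstream driver, x509 peer names;
# cert paths are assumptions). Uncomment once the CA and server cert exist.
# $DefaultNetstreamDriver gtls
# $DefaultNetstreamDriverCAFile /etc/pki/rsyslog/ca.pem
# $DefaultNetstreamDriverCertFile /etc/pki/rsyslog/server-cert.pem
# $DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/server-key.pem
# $InputTCPServerStreamDriverMode 1
# $InputTCPServerStreamDriverAuthMode x509/name
# $InputTCPServerStreamDriverPermittedPeer *.example.com
$InputTCPServerBindRuleset servers
$InputTCPServerRun 10514

# --- Back to the default ruleset for the box's own logs ----------------------
# Everything below this line (the stock rsyslog.conf rules) applies only to
# local messages; the network listeners above never reach it, so no "then ~"
# discard rules are needed.
$RuleSet RSYSLOG_DefaultRuleset
```

Two things to check after loading this: run `rsyslogd -c4 -N1` to have the daemon parse the file without starting, and send a test message to each port (e.g. `logger -n` or a device's own test facility) and confirm it lands only in that class's directory. Because rulesets are selected by the listener, a device that is accidentally pointed at the wrong port will be filed under the wrong class, so a per-port firewall rule restricting which source ranges may reach 10003 versus 10004 is a useful belt-and-braces control alongside this config.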