I've been doing a few basic remote rsyslog services for a few months with mostly good results.
Now we want to have dozens of servers all log many different services to a central log server. Each service has its own set of challenges due to varying levels of syslog compatibility/compliance, but my main, simple (stupid?) question is... what do you do about the fact that there aren't really enough different, unique facilities to go around for all the different logs you want to keep?

I thought I had found a way around this while trying to get Apache to log remotely (mixed success):

http://wiki.rsyslog.com/index.php/Working_Apache_and_Rsyslog_configuration

In this example, it shows:

---
Now for rsyslog.conf. It's possible that other applications are logging under the local6 and local7 facilities, so we want to log based on both facility and program name. Moreover, having these logs included in multiple places would not be good, so we'll just dump them after we've pulled them out.

if $syslogfacility-text == 'local6' and $programname == 'httpd' then /var/log/httpd-access_log
if $syslogfacility-text == 'local6' and $programname == 'httpd' then ~
if $syslogfacility-text == 'local7' and $programname == 'httpd' then /var/log/httpd-error_log
if $syslogfacility-text == 'local7' and $programname == 'httpd' then ~
----

I literally copied and pasted (changed the log name only) the above into both the client host's rsyslog.conf and the logging server's rsyslog.conf, but what did log at all (errors only - separate issue) logged into /var/log/messages of the local server, which looks like a facility conflict to me.

I just have one forwarding rule at the end of the client's rsyslog.conf as follows (works for most services):

*.* @@192.0.0.22:514

Lastly, I have a rule to keep listed facilities from posting to /var/log/messages on the rsyslog server:

*.info;mail.none;authpriv.none;cron.none;local7.none;local6.none;local5.none;local1.none /var/log/messages

What am I missing?
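Added example, not part of the original post or of rsyslog itself: a small Python model of the routing the quoted wiki excerpt describes, where the routing key is the pair (facility, programname), rules are checked in order, and `~` stops processing before the catch-all selector. The sample lines, the host `web01` and the program `backupd` are constructed, and the program-name extraction is a simplification of what rsyslog does.

```python
import re

# Facility names by numeric code: only 24 exist, 8 of them "local".
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp audit alert clock local0 local1 local2 local3 local4 "
              "local5 local6 local7").split()

# Simplified RFC 3164 layout: <PRI>timestamp host tag[pid]: message
LINE = re.compile(r"<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) "
                  r"([^:\[\s]+)(?:\[\d+\])?: ?(.*)")

def parse(line):
    m = LINE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not an RFC 3164 style line: %r" % line)
    pri = int(m.group(1))          # PRI = facility * 8 + severity
    return {"facility": FACILITIES[pri >> 3], "severity": pri & 7,
            "host": m.group(3), "programname": m.group(4), "msg": m.group(5)}

DISCARD = "~"
# Ordered rules modelled on the wiki excerpt: (facility, programname, action)
RULES = [("local6", "httpd", "/var/log/httpd-access_log"),
         ("local6", "httpd", DISCARD),
         ("local7", "httpd", "/var/log/httpd-error_log"),
         ("local7", "httpd", DISCARD)]
# Models the post's selector: *.info;mail.none;...;local1.none /var/log/messages
CATCH_ALL = "/var/log/messages"
EXCLUDED = {"mail", "authpriv", "cron", "local7", "local6", "local5", "local1"}

def route(line):
    """Return the files one message is written to, in rule order."""
    ev, dests = parse(line), []
    for fac, prog, action in RULES:
        if ev["facility"] == fac and ev["programname"] == prog:
            if action == DISCARD:
                return dests       # message dropped, later rules never see it
            dests.append(action)
    if ev["severity"] <= 6 and ev["facility"] not in EXCLUDED:
        dests.append(CATCH_ALL)    # info (6) or more urgent
    return dests

SAMPLES = [  # constructed lines: local6.info, local7.err, local6.info, daemon.info
    "<182>Oct 11 22:14:15 web01 httpd: GET /index.html 200",
    "<187>Oct 11 22:14:16 web01 httpd[2301]: File does not exist",
    "<182>Oct 11 22:14:17 web01 backupd[88]: job finished",
    "<30>Oct 11 22:14:18 web01 ntpd[412]: synchronized",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse(s)["facility"], parse(s)["programname"], "->", route(s))
```

The third sample shows the limit of sharing a facility: a second program on local6 is untouched by the httpd rules, but because local6 is excluded from the catch-all it is written nowhere until it gets its own (facility, programname) rule.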

