On Sat, 30 Jul 2011, [email protected] wrote:
> I've been doing a few basic remote rsyslog services for a few months
> with mostly good results.
>
> Now we want to have dozens of servers all log many different services
> to a central log server. Each service has its own set of challenges due
> to varying levels of syslog compatibility/compliance, but my main,
> simple (stupid?) question is...what do you do about the fact that there
> aren't really enough different, unique facilities to go around for all
> the different logs you want to keep?

facility based logging is insufficient for just about any serious logging
project. personally I act as if facility doesn't exist at all (and
frequently act as if severity doesn't exist)

> I thought I had found a way around this, while trying to get apache to
> log remotely (mixed success):
>
> http://wiki.rsyslog.com/index.php/Working_Apache_and_Rsyslog_configuration
>
> In this example, it shows:
>
> ---
> Now for rsyslog.conf. It's possible that other applications are logging
> under the local6 and local7 facilities, so we want to log based on both
> facility and program name. Moreover, having these logs included in
> multiple places would not be good, so we'll just dump them after we've
> pulled them out.
>
> if $syslogfacility-text == 'local6' and $programname == 'httpd' then /var/log/httpd-access_log
> if $syslogfacility-text == 'local6' and $programname == 'httpd' then ~
> if $syslogfacility-text == 'local7' and $programname == 'httpd' then /var/log/httpd-error_log
> if $syslogfacility-text == 'local7' and $programname == 'httpd' then ~

a simpler way to do this is:

if $syslogfacility-text == "local6" and $programname == "httpd" then /var/log/httpd-access_log
& ~
if $syslogfacility-text == "local7" and $programname == "httpd" then /var/log/httpd-error_log
& ~

one important thing to note is that current versions of rsyslog don't
allow strings to be delimited by ', only by ". this is being fixed in the
6.3 branch, but will not be backported.

> ----
>
> I literally copied and pasted (changed the log name only) the above
> into both the client host's rsyslog.conf and the logging server's
> rsyslog.conf, but what did log at all (errors only - separate issue),
> logged into /var/log/messages of the local server, which looks like a
> facility conflict to me.
>
> I just have one forwarding rule at the end of the client's rsyslog.conf
> as follows (works for most services):
>
> *.* @@192.0.0.22:514
>
> Lastly, I have a rule to keep listed facilities from posting to
> /var/log/messages on the rsyslog server:
>
> *.info;mail.none;authpriv.none;cron.none;local7.none;local6.none;local5.none;local1.none /var/log/messages
>
> What am I missing?

I think your problem is probably ' vs "
David Lang
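
An added example, not part of the original thread: a legacy-format rsyslog.conf fragment for the central server that follows the advice above, routing on program name rather than facility alone and using double-quoted strings. It goes beyond the Apache case in the thread by adding a per-host, per-program dynamic file; the template name and the /var/log/remote path are assumptions.

```conf
# Added example (not from the thread). Legacy-format rsyslog.conf for the
# central server; the template name and /var/log/remote are assumptions.

# Accept TCP syslog on 514, matching the client's "*.* @@192.0.0.22:514".
$ModLoad imtcp
$InputTCPServerRun 514

# One file per sending host and program. secpath-replace turns any "/" in
# the property into "_", so a sender-supplied hostname or tag cannot steer
# the output path outside /var/log/remote.
$template PerHostProgram,"/var/log/remote/%hostname:::secpath-replace%/%programname:::secpath-replace%.log"

# Apache access and error logs: match on program name and facility, write
# the file, then discard so no later rule sees the message again.
# String constants are delimited by double quotes, not single quotes.
if $programname == "httpd" and $syslogfacility-text == "local6" then /var/log/httpd-access_log
& ~
if $programname == "httpd" and $syslogfacility-text == "local7" then /var/log/httpd-error_log
& ~

# Everything else received from another host goes to its own dynamic file
# and is discarded before the /var/log/messages rule below.
if $fromhost-ip != "127.0.0.1" then ?PerHostProgram
& ~

# Only locally generated messages reach this point.
*.info;mail.none;authpriv.none;cron.none /var/log/messages
```

Rule order matters here: each `& ~` must directly follow the action it belongs to, and the /var/log/messages selector must come last.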