It was thus said that the Great [email protected] once stated:
> On Thu, 22 Dec 2011, Sean Conner wrote:
>
> > A workaround (in case an adaptation of the input module can't be made) is
> >to have rsyslog log the various facilities/levels to multicast addresses.
> >At home, my main logging system [1] forwards all the logs to 239.255.0.1 (a
> >multicast address)---that way, I can have multiple programs monitoring this
> >address [2]. For me, it wouldn't be hard to set up multiple multicast
> >addresses for various combinations of facility/level and have listeners
> >register for what they are interested in.
> >
> > Yes, it's UDP, and yes, it spams the local network with traffic, but it is
> >a work-around.
>
> this doesn't solve what I'm looking for.
>
> what I'm looking for is to have /dev/emer, /dev/info, etc and a line
> written to /dev/info would be classified one way and /dev/emer a
> different way (this example uses severity instead of facility, but I
> figure the mechanism that does one should be able to do both)

Ah, now I get it. [3]

> by the way, with your system, you may want to look at using multicast MAC
> instead of a multicast address. the multicast address can be run through
> routers, but it requires special software to deal with it, multicast MAC
> has an IP address just like everything else on your network, and with both
> you can have multiple machines listening to the traffic (with CLUSTERIP in
> iptables on linux and the similar function on BSD you can have a farm of
> machines split the traffic between them as well)

I already have multiple machines listening in on the traffic, granted,
they're all on the same segment, but that's okay for my current setup.

-spc (I should have noted my setup is at home, and not a work environment)

> >[1] A custom syslog daemon written in C/Lua, only UDP, but supports
> > /dev/log, IPv4 and IPv6.
> >
> >[2] I have a custom "front-end" on each computer that listens on
> > 239.255.0.1 [3] and displays the entries in real time (my log volume
> > isn't so great that I can't read the display), color coded by level
> > (debug in blue, info in dark green, notice at light green, warning
> > in yellow, err in red, etc.). Makes for a neat screen saver.

[3] It's interesting that the very functionality you mentioned is actually
doable with my custom syslog daemon [1]---you can specify multiple
local Unix domain sockets, and do whatever classification you
want since the input location is part of the message as it's being
processed via Lua. [4]

[4] Not that I'm trying to sell my syslog daemon on the rsyslogd mailing
list ...
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
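
The per-input classification discussed in this thread (one local socket per severity, with the severity taken from the socket a line arrived on), as an added example that is not part of the original message and is not code from rsyslog or from the custom daemon mentioned above. The socket names, the fixed "user" facility and the sample lines are assumptions constructed for illustration.

```python
import os
import selectors
import socket
import tempfile

# Assumed mapping: socket file name -> numeric syslog severity.
SEVERITY_BY_INPUT = {"emerg": 0, "err": 3, "info": 6, "debug": 7}
FACILITY_USER = 1  # assumption: every input logs under facility "user"


def open_inputs(directory):
    """Bind one Unix datagram socket per severity, registered under its name."""
    sel = selectors.DefaultSelector()
    for name in SEVERITY_BY_INPUT:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        sock.bind(os.path.join(directory, name))
        sock.setblocking(False)
        sel.register(sock, selectors.EVENT_READ, data=name)
    return sel


def tag(name, payload, facility=FACILITY_USER):
    """Prefix a raw line with <PRI>, where PRI = facility * 8 + severity."""
    pri = facility * 8 + SEVERITY_BY_INPUT[name]
    return f"<{pri}>" + payload.decode("utf-8", "replace").rstrip("\n")


def drain(sel):
    """Read pending datagrams; the receiving socket decides the severity."""
    out = []
    while True:
        events = sel.select(timeout=0.2)
        if not events:
            return out
        for key, _ in events:
            out.append(tag(key.data, key.fileobj.recv(8192)))


def demo():
    """Constructed sample: write a plain line to two inputs, collect records."""
    with tempfile.TemporaryDirectory() as d:
        sel = open_inputs(d)
        client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        for name, line in (("info", b"backup finished\n"),
                           ("emerg", b"disk array offline\n")):
            client.sendto(line, os.path.join(d, name))
        client.close()
        records = sorted(drain(sel))
        for key in list(sel.get_map().values()):
            key.fileobj.close()
        sel.close()
        return records
```

On Linux, write permission on each socket file determines which local processes can emit at that severity, so the input paths double as an access-control point.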