On Thu, 22 Dec 2011, Sean Conner wrote:

> It was thus said that the Great [email protected] once stated:
>> On Thu, 22 Dec 2011, Sean Conner wrote:
>>> A workaround (in case an adaptation of the input module can't be made) is
>>> to have rsyslog log the various facilities/levels to multicast addresses.
>>> At home, my main logging system [1] forwards all the logs to 239.255.0.1 (a
>>> multicast address)---that way, I can have multiple programs monitoring this
>>> address [2]. For me, it wouldn't be hard to set up multiple multicast
>>> addresses for various combinations of facility/level and have listeners
>>> register for what they are interested in.
>>>
>>> Yes, it's UDP, and yes, it spams the local network with traffic, but it is
>>> a work-around.
>>
>> this doesn't solve what I'm looking for.
>>
>> what I'm looking for is to have /dev/emer, /dev/info, etc and a line
>> written to /dev/info would be classified one way and /dev/emer a
>> different way (this example uses severity instead of facility, but I
>> figure the mechanism that does one should be able to do both)
>
> Ah, now I get it. [3]
>
>> by the way, with your system, you may want to look at using multicast MAC
>> instead of a multicast address. the multicast address can be run through
>> routers, but it requires special software to deal with it; multicast MAC
>> has an IP address just like everything else on your network, and with both
>> you can have multiple machines listening to the traffic (with CLUSTERIP in
>> iptables on linux and the similar function on BSD you can have a farm of
>> machines split the traffic between them as well)
>
> I already have multiple machines listening in on the traffic, granted,
> they're all on the same segment, but that's okay for my current setup.

I was meaning that you could have two machines listening, each processing
half the messages.

> -spc (I should have noted my setup is at home, and not a work environment)
>
> [1] A custom syslog daemon written in C/Lua, only UDP, but supports
>     /dev/log, IPv4 and IPv6.
>
> [2] I have a custom "front-end" on each computer that listens on
>     239.255.0.1 [3] and displays the entries in real time (my log volume
>     isn't so great that I can't read the display), color coded by level
>     (debug in blue, info in dark green, notice in light green, warning
>     in yellow, err in red, etc.). Makes for a neat screen saver.
>
> [3] It's interesting that the very functionality you mentioned is actually
>     doable with my custom syslog daemon [1]---you can specify multiple
>     local Unix domain sockets, and do whatever classification you
>     want since the input location is part of the message as it's being
>     processed via Lua. [4]
>
> [4] Not that I'm trying to sell my syslog daemon on the rsyslogd mailing
>     list ...

thanks for the info, I'll be looking into it.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
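
Added example, not part of the thread and not code from either poster: a listener-side take on the multicast workaround discussed above, joining 239.255.0.1 and keeping only the facility/severity combinations it is interested in by decoding the syslog PRI value. UDP port 514 and all function names are assumptions, since the thread gives neither.

```python
import re
import socket
import struct

GROUP = "239.255.0.1"  # multicast group named in the thread
PORT = 514             # assumption: the thread does not state the port

# Numeric facility and severity codes in syslog PRI order.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock"] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def classify(datagram):
    """Return (facility, severity, rest), or None for a missing/invalid PRI."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        return None
    rest = datagram[m.end():].decode("utf-8", "replace")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], rest

def wanted(datagram, facilities=None, max_severity="debug"):
    """Listener-side subscription: a facility set plus a severity threshold."""
    parsed = classify(datagram)
    if parsed is None:
        return False
    facility, severity, _ = parsed
    if facilities is not None and facility not in facilities:
        return False
    return SEVERITIES.index(severity) <= SEVERITIES.index(max_severity)

def open_listener(group=GROUP, port=PORT):
    """Bind a UDP socket and join the multicast group on the default interface."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # several listeners per host
    s.bind(("", port))
    mreq = struct.pack("4s4s", socket.inet_aton(group), socket.inet_aton("0.0.0.0"))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    return s

if __name__ == "__main__":
    sock = open_listener()
    while True:
        data, peer = sock.recvfrom(65535)
        if wanted(data, facilities={"auth", "authpriv"}, max_severity="warning"):
            print(peer[0], classify(data))
```

Anything on the segment can send to the group, so a listener like this should treat both the sender address and the message content as unauthenticated.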