----- Original Message -----
> From: [email protected]
> To: "rsyslog-users" <[email protected]>
> Sent: Wednesday, August 29, 2012 4:37:07 PM
> Subject: Re: [rsyslog] write local logs locally, only spoof/forward incoming logs
>
> On Wed, 29 Aug 2012, Rick Brown wrote:
>
> > I've recently set up two new redundant rsyslog servers to replace the
> > single server I previously had. Unfortunately, not all clients out
> > there can log to two locations. In order to get said clients' syslog
> > messages to both servers, I've left the original single server in place,
> > and using the omudpspoof module, I am relaying all incoming messages to
> > both of the new servers.
> >
> > What I haven't yet been able to figure out is how to write log files for
> > all messages from localhost into the appropriate kern.log, auth.log,
> > mail.log, etc. and only forward messages from other hosts - ie: not
> > write them to log files locally.
> >
> > I've found :fromhost-ip, isequal directive, but that only writes to
> > one file.
> >
> > Essentially the local I'm looking for is something like:
> >
> > if fromhost-ip isequal "127.0.0.1"
> > then
> > auth,authpriv.* /var/log/auth.log
> > kern.* /var/log/kern.log
> > mail.* /var/log/mail.log
> > cron.* /var/log/cron.log
> > *.debug;auth,authpriv,kern,mail,cron.none /var/log/messages
> > daemon.* /var/log/daemon.log
> > local7.* /var/log/boot.log
> >
> > mark.* /dev/console
> > *.emerg *
> > else
> > #### Mirror to scribe1
> > $ModLoad omudpspoof
> > $ActionOMUDPSpoofTargetHost x.y.z.123
> > *.* :omudpspoof:
> > #### mirror to scribe2
> > $ActionOMUDPSpoofTargetHost x.y.z.219
> > *.* :omudpspoof:
> > fi
> >
> > Has anyone else done similar and/or can provide some guidance on
> > how to accomplish this?
>
> take a look at the discard option ("~"), put in all your forwarding rules
> and then discard the message if it's not from 127.0.0.1
>
> your other option is to use rulesets to allow you to have one conditional
> that then forwards you to a chain of rules.

Thanks!

#### Mirror to scribe1
$ModLoad omudpspoof
$ActionOMUDPSpoofTargetHost x.y.z.123
*.* :omudpspoof:
#### mirror to scribe2
$ActionOMUDPSpoofTargetHost x.y.z.219
*.* :omudpspoof:

:fromhost-ip, !isequal, "127.0.0.1" ~

auth,authpriv.* -/var/log/auth.log
kern.* -/var/log/kern.log
mail.* -/var/log/mail.log
cron.* -/var/log/cron.log
*.debug;auth,authpriv,kern,mail,cron.none -/var/log/messages
daemon.* -/var/log/daemon.log
local7.* -/var/log/boot.log

mark.* /dev/console
*.emerg *

works like a champ.

--
Rick Brown
Office of Information Technology
Georgia Institute of Technology
258 4th Street N.W.
Atlanta, GA 30332-0715
email: [email protected]
ph: (404) 894-6175
Calendar: https://mail.gatech.edu/home/[email protected]?fmt=freebusy

