Hello Rsyslog list recipients, I'm sending out a call for help since I'm a bit desperate with a rather complex Rsyslog configuration (I think). Therefore I thank you for your time and help in advance! :)
Directory contents of /etc/rsyslog.d/

+++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++
4 drwxr-xr-x 100 root root 4096 2012-12-18 16:55 ../
4 -rw-r--r-- 1 root root 2113 2012-12-21 10:30 05-dailyperhostlogs.conf.TESTING
4 drwxr-xr-x 2 root root 4096 2012-08-28 13:08 ./
4 -rw-r--r-- 1 root root 1801 2012-06-15 17:24 50-default.conf
4 -rw-r--r-- 1 root root 870 2012-06-15 17:21 10-octopussy.conf
4 -rw-r--r-- 1 root root 379 2011-09-08 16:11 05-dailyperhostlogs.conf
+++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++

The main questions are already within the following file, preceded by '###'. What I want to achieve is basically to write log data from hosts to '/srv/log/%HOSTNAME%/', which the first template is meant to achieve. I also want to write logs from some hosts named 'spamvir[0-100].*', 'relay[0-100].*', 'XXX.XXX.XXX.*' (some IP not disclosed) and 'frontvir[12].*' to the locations defined within the templates.

The problem is that I'm not sure about 1) the filters, 2) the catch-all directive, 3) the discard action and 4) the thing with DailyPerRelays. Can you provide me with some hints on this, please?

File contents of 05-dailyperhostlogs.conf.TESTING:

+++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++
# Syslog-System specific configuration file for Logs stored in "/srv/log" by
# rsyslog.

# Set ownerships, etc.
#
$FileOwner syslog
$FileGroup syslog
$FileCreateMode 0640
$DirCreateMode 0750
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

# Define templates for output.
#
$template DailyPerHostLogs, "/srv/log/%HOSTNAME%/%$YEAR%/%$MONTH%/%HOSTNAME%_%$YEAR%-%$MONTH%-%$DAY%_%syslogfacility-text%.log"
$template DailyPerSpamvirIn, "/srv/log/SPAMVIR/day-%$DAY%/main_panic-in.log"
$template DailyPerSpamvirOut, "/srv/log/SPAMVIR/day-%$DAY%/main_panic-out.log"
$template DailyPerSpamvirCont, "/srv/log/SPAMVIR/day-%$DAY%/main_panic-cont.log"
$template DailyPerSpamvirSa, "/srv/log/SPAMVIR/day-%$DAY%/spamassassin.log"
$template DailyPerSpamvirSaErr, "/srv/log/SPAMVIR/day-%$DAY%/spamassassin-error.log"
$template DailyPerRelays, "/srv/log/RELAYS/day-%$DAY%/main_panic.log"
$template DailyPerFrontvir, "/srv/log/SPAMVIR/day-%$DAY%/frontvir.log"

### Can I filter for exim4 or postfix MTA that way? Maybe that should
### be put somewhere else then?
#if $template contains 'exim' then "/var/log/SPAMVIR/day-%$DAY%/main_panic-FOO.log"

# Write logs to template.
#
*.info -?DailyPerHostLogs

### Is the *.* catch-all (line below) directive required prior to the
### :fromhost-blubb? Dunno! Does it override the *.info (line above)?
#*.* -?DailyPerSpamvirIn
*.info :fromhost-ip, regex, "^spamvir[0-100].*$", contains, "exim" -?DailyPerSpamvirIn
### Are these "discard actions" (& ~ ) actually required in here?
### I'm not sure about them at all. What do they mean at all?
& ~
*. info :fromhost-ip, regex, "^spamvir[0-100].*$" -?DailyPerSpamvirOut
& ~
*.info :fromhost-ip, regex, "^spamvir[0-100].*$" -?DailyPerSpamvirCont
& ~
:fromhost-ip, regex, "^spamvir[0-100].*$" -?DailyPerSpamvirSa
& ~
:fromhost-ip, regex, "^spamvir[0-100].*$" -?DailyPerSpamvirSaErr
& ~

### The relay configuration may cause problems since all facilities
### are then aggregated to one single "DailyPerRelays"-destination
### file. Right?
:fromhost-ip, regex, "^relay[0-100].*$" -?DailyPerRelays
& ~
:fromhost-ip, regex, "^XXX.XXX.XXX.*$" -?DailyPerRelays
& ~
:fromhost-ip, regex, "^frontvir[12].*$" -?DailyPerFrontvir
& ~
+++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++ +++

Best regards,
Mathias Hollstein
Claranet GmbH
--
[email protected]
Tel: +49 (69) 408018-369
Fax: +49 (69) 408018-339
Claranet GmbH
Hanauer Landstraße 196
60314 Frankfurt am Main
Geschäftsführung Olaf Fischer
Hrb 50381 AG Frankfurt am Main
Vat-ID de 812918694
http://www.claranet.de
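
Added example, not part of the original post and not rsyslog code: a Python check of what the posted filter patterns actually match, next to a range check for what the host list in the post seems to describe. It assumes "[0-100]" is meant as the numbers 0 to 100; the host names, the IP address and the helper host_in_range are constructed for illustration. In a regular expression "[0-100]" is a bracket expression that matches a single character, '0' or '1', and the fromhost-ip property holds the sender's IP address rather than its name.

```python
import re

# Patterns copied from the property-based filters in the posted config.
POSTED = {
    "spamvir": r"^spamvir[0-100].*$",
    "relay": r"^relay[0-100].*$",
    "frontvir": r"^frontvir[12].*$",
}

def host_in_range(prefix, lo, hi):
    """Hypothetical helper: accept <prefix><n>[.domain] with lo <= n <= hi."""
    pat = re.compile(r"^%s(\d+)(\..*)?$" % re.escape(prefix))
    def check(value):
        m = pat.match(value)
        return bool(m) and lo <= int(m.group(1)) <= hi
    return check

# Assumed intent of the post: numbered hosts 0..100, frontvir 1 and 2.
INTENDED = {
    "spamvir": host_in_range("spamvir", 0, 100),
    "relay": host_in_range("relay", 0, 100),
    "frontvir": host_in_range("frontvir", 1, 2),
}

def route_posted(value):
    """Name of the first posted pattern that matches, or None."""
    for name, pat in POSTED.items():
        if re.search(pat, value):
            return name
    return None

def route_intended(value):
    """Name of the first range check that accepts the value, or None."""
    for name, check in INTENDED.items():
        if check(value):
            return name
    return None

# Constructed sample values: host names plus one IP address, which is
# what a filter on fromhost-ip is compared against.
SAMPLES = [
    "spamvir1.example.net", "spamvir7.example.net",
    "spamvir1000.example.net", "relay10.example.net",
    "frontvir12.example.net", "192.0.2.25",
]

def compare(values=SAMPLES):
    """Return (value, posted result, intended result) for each value."""
    return [(v, route_posted(v), route_intended(v)) for v in values]

if __name__ == "__main__":
    for value, posted, intended in compare():
        print("%-26s posted=%-9s intended=%s" % (value, posted, intended))
```

Hosts such as spamvir7 are missed by the posted pattern and would end up only in the per-host files, while spamvir1000 and frontvir12 are matched although they lie outside the ranges.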

