Could you provide configuration examples?
I don't get how to set the hostname in the outbound template.

Do I have to use http://www.rsyslog.com/doc/property_replacer.html ?

-----Original message-----
> From: David Lang <[email protected]>
> Sent: Tuesday 30 April 2013 12:39
> To: rsyslog-users <[email protected]>
> Subject: Re: [rsyslog] Centralized Logging and SubFolder / Directories
> 
> On Tue, 30 Apr 2013, Thomas Macaigne wrote:
> 
> > Hello everyone.
> >
> > I set up rsyslog and loganalyzer and it works wonders.
> > Here are my config files:
> > http://paste.ubuntu.com/5618590/ clientconf
> > http://pastebin.com/M5ebsjhU serverconf
> >
> > So the log files of clients are logged in folders named by IP.
> >
> > The problem is that we have multiple warehouses. So there can be multiple 
> > 192.168.1.1, ..
> >
> > What I would like is to be able to create a folder for each warehouse:
> > warehouse1/192.168.1.1/*.log
> > warehouse2/192.168.1.1/*.log
> >
> > How would one do that ?
> > I googled and all I could find was
> > http://wiki.rsyslog.com/index.php/Sysklogd_drop-in_with_remote_logs_separated_by_dynamic_directory
> > which is irrelevant for me.
> 
> This gets tricky because of the problem of how do you figure out at the
> central host what warehouse the log came from.
>
> Now, I will point out that since you log based on the fromhost-ip, you are
> never going to have two systems that look like they have the same IP address
> as far as your central server is concerned. If you have multiple machines
> with 192.168.1.1 locally, they will be going through NAT of some form before
> they get to your central server, and the fromhost-ip that the central server
> sees will be the NAT IP, not the real server IP (which means that all systems
> behind that NAT will look the same).
> 
> My suggestion is to move to a three-tier arrangement:
>
> local systems all log to a relay box in the same warehouse
>
> relay boxes format the message with fromhost-ip and add a warehouse tag, then
> relay to your central server
>
> the central server then writes the files out as needed.
> 
> As for the question of how to add the warehouse tag, there are currently two
> approaches available:
>
> 1. On the relay boxes, set the hostname field in the outbound template to
> "warehouse1.%fromhost-ip%", then have the central server write the logs based
> on %hostname% instead of %fromhost-ip%; they will have filenames like
> warehouse1.192.168.1.1.log (with a little work with regexes in your dynafile
> template you can make it warehouse1/192.168.1.1.log)
> 
> 2. With 7.x versions of rsyslog, you can relay to your central server using
> JSON formatting, and with that you can set a variable $!warehouse-id=1 and
> then have the dynafile template on the central host use that.
> 
> The first approach is a hack, but it will work and all log analysis tools
> that can keep the FQDN will handle it correctly.
>
> The second approach is more powerful, and opens the door for future tags (for
> example, is this box QA, prod, DR, test, preprod, etc) but requires a much
> more recent version of rsyslog.
> 
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
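
A configuration sketch for approach 1 in the quoted reply, added here as an example; it is not from David Lang or the rsyslog project. The name central.example.com, the 203.0.113.x relay addresses, the /var/log/remote path and the template names are assumptions, and the legacy directive syntax is used.

```conf
# ===== Relay box in warehouse1: /etc/rsyslog.conf (constructed example) =====
$ModLoad imudp
$UDPServerRun 514            # local systems in this warehouse log here

# Standard forward layout, but the HOSTNAME field is replaced by
# "<warehouse tag>.<sender IP as seen by this relay>".
# The tag "warehouse1" is hard-coded per relay box.
$template WarehouseFwd,"<%PRI%>%TIMESTAMP:::date-rfc3339% warehouse1.%fromhost-ip% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"

# Relay everything over TCP; central.example.com is a placeholder.
*.* @@central.example.com:514;WarehouseFwd


# ===== Central server: /etc/rsyslog.conf (constructed example) =====
$ModLoad imtcp
# The hostname field now selects the directory, so accept messages
# only from the relay boxes (placeholder addresses).
$AllowedSender TCP, 203.0.113.10, 203.0.113.20
$InputTCPServerRun 514

# %hostname% arrives as e.g. "warehouse1.192.168.1.1".
# Submatch 1 = text before the first dot (warehouse tag),
# submatch 2 = everything after it (the client IP).
# FIELD returns the whole hostname when the regex does not match.
# secpath-replace turns "/" in the program name into "_".
$template PerWarehouse,"/var/log/remote/%hostname:R,ERE,1,FIELD:^([^.]+)[.](.+)--end%/%hostname:R,ERE,2,FIELD:^([^.]+)[.](.+)--end%/%programname:::secpath-replace%.log"

# Write remote messages to the dynamic file, then stop processing them.
:fromhost-ip, !isequal, "127.0.0.1" ?PerWarehouse
& ~
```

With this in place a message from 192.168.1.1 behind the warehouse1 relay lands in /var/log/remote/warehouse1/192.168.1.1/<program>.log.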
