On Tue, 30 Apr 2013, Thomas Macaigne wrote:
Thanks for that answer.
Now, I have a question about my configuration:
Why is only syslog.log being sent to my syslog server?
In my config it's *.* @<server_ip>
I'm not sure what you mean. This will send everything to the remote server. What
do you think you aren't getting?
David Lang
Thanks
-----Original message-----
From: David Lang <[email protected]>
Sent: Tuesday, 30 April 2013 12:39
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Centralized Logging and SubFolder / Directories
On Tue, 30 Apr 2013, Thomas Macaigne wrote:
Hello everyone.
I set up rsyslog and loganalyzer and it works wonders.
Here are my config files:
http://paste.ubuntu.com/5618590 clientconf
http://pastebin.com/M5ebsjhU serverconf
So the log files of clients are logged in folders named by IP.
The problem is that we have multiple warehouses. So there can be multiple
192.168.1.1, ..
What I would like is to be able to create a folder for each warehouse:
warehouse1/192.168.1.1/*.log
warehouse2/192.168.1.1/*.log
How would one do that?
I googled and all I could find was
http://wiki.rsyslog.com/index.php/Sysklogd_drop-in_with_remote_logs_separated_by_dynamic_directory
which is irrelevant for me.
This gets tricky because of the problem of how do you figure out at the central
host what warehouse the log came from.
Now, I will point out that since you log based on the fromhost-ip, you are never
going to have two systems that look like they have the same IP address as far as
your central server is concerned. If you have multiple machines with 192.168.1.1
locally, they will be going through NAT of some form before they get to your
central server, and the fromhost-ip that the central server sees will be the NAT
IP, not the real server IP (which means that all systems behind that NAT will
look the same).
My suggestion is to move to a three-tier arrangement:
local systems all log to a relay box in the same warehouse
relay boxes format the message with fromhost-ip and add a warehouse tag, then relay to your central server
the central server then writes the files out as needed.
As for the question of how to add the warehouse tag, there are currently two
approaches available:
1. On the relay boxes, set the hostname field in the outbound template to
"warehouse1.%fromhost-ip%", then have the central server write the logs based on
%hostname% instead of %fromhost-ip%; they will have filenames like
warehouse1.192.168.1.1.log (with a little work with regexes in your dynafile
template you can make it warehouse1/192.168.1.1.log)
2. With 7.x versions of rsyslog, you can relay to your central server using JSON
formatting, and with that you can set a variable $!warehouse-id=1 and then have
the dynafile template on the central host use that.
The first approach is a hack, but it will work and all log analysis tools that
can keep the FQDN will handle it correctly.
The second approach is more powerful, and opens the door for future tags (for
example, is this box QA, prod, DR, test, preprod, etc) but requires a much more
recent version of rsyslog.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
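A sketch of the first approach from the reply above (hostname field rewritten on the relay, dynafile keyed on %hostname% on the central server), added here as an illustration and not taken from either poster's configuration. The host name central.example.net, the /var/log/remote path and the template names are assumptions, and the directory split uses property-replacer field extraction in place of the regexes the reply mentions.

```conf
# ---- Relay box in warehouse1 (one relay per warehouse; change the tag on each) ----
$ModLoad imudp
$UDPServerRun 514

# Same layout as the built-in RSYSLOG_ForwardFormat, but the hostname field is
# replaced by "<warehouse tag>.<sender IP as seen by the relay>".
# The relay's own local messages go out as warehouse1.127.0.0.1.
$template WarehouseFwd,"<%PRI%>%TIMESTAMP:::date-rfc3339% warehouse1.%fromhost-ip% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
*.* @central.example.net;WarehouseFwd   # central.example.net is a placeholder

# ---- Central server ----
$ModLoad imudp
$UDPServerRun 514

# %hostname% now arrives as e.g. warehouse1.192.168.1.1
# F,46:N = N-th field when splitting on "." (ASCII 46):
#   field 1 -> warehouse tag, fields 2-5 -> the four octets of the IP.
# %hostname% is taken from message content, so secpath-replace turns any "/"
# into "_" before the value is used in a path. Accept input only from the
# relay addresses (firewall) so arbitrary senders cannot choose file names.
$template WarehouseFile,"/var/log/remote/%hostname:F,46:1:secpath-replace%/%hostname:F,46:2:secpath-replace%.%hostname:F,46:3:secpath-replace%.%hostname:F,46:4:secpath-replace%.%hostname:F,46:5:secpath-replace%.log"
*.* ?WarehouseFile
# Result: /var/log/remote/warehouse1/192.168.1.1.log
```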