I really can't make it work.

I added:

template (name="Format2" type="string" string="<%PRI%>%TIMESTAMP:::date-rfc3339% warehouse1.%FROMHOST-IP% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%")

and

$ActionFileDefaultTemplate Format2

to my rsyslog.conf

And changed %fromhost-ip% to fromhost but nothing changes in the file format.
I did this all on the same box for testing.

-----Original message-----
> From: David Lang <[email protected]>
> Sent: Tuesday 30 April 2013 16:29
> To: rsyslog-users <[email protected]>
> Subject: Re: [rsyslog] Centralized Logging and SubFolder / Directories
>
> the key thing is that you don't set the hostname, you create a new template to
> use while forwarding, and you put text in it so that the receiving rsyslog will
> parse it into the fields that you want.
>
> The default forward format template (built-in) is
>
> "<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
>
> if you define a new format as:
>
> "<%PRI%>%TIMESTAMP:::date-rfc3339% warehouse1.%FROMHOST-IP% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
>
> then if the relay box receives a message from 192.168.1.1, what it will put in
> the hostname field is warehouse1.192.168.1.1
>
> David Lang
>
> On Tue, 30 Apr 2013, Thomas Macaigne wrote:
>
> > Could you provide configuration examples ?
> > I don't get how to set the hostname in the outbound template.
> >
> > Do I have to use http://www.rsyslog.com/doc/property_replacer.html ?
> >
> > -----Original message-----
> >> From: David Lang <[email protected]>
> >> Sent: Tuesday 30 April 2013 12:39
> >> To: rsyslog-users <[email protected]>
> >> Subject: Re: [rsyslog] Centralized Logging and SubFolder / Directories
> >>
> >> On Tue, 30 Apr 2013, Thomas Macaigne wrote:
> >>
> >>> Hello everyone.
> >>>
> >>> I set up rsyslog and loganalyzer and it works wonders.
> >>> Here are my config files:
> >>> http://paste.ubuntu.com/5618590 / clientconf
> >>> http://pastebin.com/M5ebsjhU serverconf
> >>>
> >>> So the log files of clients are logged in folders named by IP.
> >>>
> >>> The problem is that we have multiple warehouses. So there can be multiple
> >>> 192.168.1.1, ..
> >>>
> >>> What I would like is to be able to create a folder for each warehouse:
> >>> warehouse1/192.168.1.1/*.log
> >>> warehouse2/192.168.1.1/*.log
> >>>
> >>> How would one do that ?
> >>> I googled and all I could find was
> >>> http://wiki.rsyslog.com/index.php/Sysklogd_drop-in_with_remote_logs_separated_by_dynamic_directory
> >>> which is irrelevant for me.
> >>
> >> This gets tricky because of the problem of how do you figure out at the central
> >> host what warehouse the log came from.
> >>
> >> Now, I will point out that since you log based on the fromhost-ip, you are never
> >> going to have two systems that look like they have the same IP address as far as
> >> your central server is concerned.
> >> If you have multiple machines with 192.168.1.1
> >> locally, they will be going through NAT of some form before they get to your
> >> central server, and the fromhost-ip that the central server sees will be the NAT
> >> IP, not the real server IP (which means that all systems behind that NAT will
> >> look the same)
> >>
> >> My suggestion is to move to a three tier arrangement
> >>
> >> local systems all log to a relay box in the same warehouse
> >>
> >> relay boxes format the message with fromhost-ip and add a warehouse tag then
> >> relay to your central server
> >>
> >> the central server then writes the files out as needed.
> >>
> >> As for the question of how to add the warehouse tag, there are currently two
> >> approaches available
> >>
> >> 1. On the relay boxes, set the hostname field in the outbound template to
> >> "warehouse1.%fromhost-ip", then have the central server write the logs based on
> >> %hostname% instead of %fromhost-ip%, they will have filenames like
> >> warehouse1.192.168.1.1.log (with a little work with regexes in your dynafile
> >> template you can make it warehouse1/192.168.1.1.log)
> >>
> >> 2. With 7.x versions of rsyslog, you can relay to your central server using JSON
> >> formatting, and with that you can set a variable $!warehouse-id=1 and then have
> >> the dynafile template on the central host use that.
> >>
> >> The first approach is a hack, but it will work and all log analysis tools that
> >> can keep the FQDN will handle it correctly.
> >>
> >> The second approach is more powerful, and opens the door for future tags (for
> >> example, is this box QA, prod, DR, test, preprod, etc) but requires a much more
> >> recent version of rsyslog.
> >>
> >> David Lang

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
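
Added example, not part of the original thread and not the rsyslog project's own configuration: the first approach discussed above, written in legacy rsyslog.conf syntax, with the relay forwarding under a warehouse-prefixed hostname and the central server turning that hostname into warehouse1/192.168.1.1.log. The name central.example.net, the port 514, the /var/log/remote path and the template names Warehouse1Fwd and PerWarehouseFile are assumptions.

```conf
# ---------------------------------------------------------------
# Relay box in warehouse 1 (constructed example)
# ---------------------------------------------------------------
$ModLoad imudp
$UDPServerRun 514

# Same layout as the built-in forward format, but the hostname field
# is replaced by "warehouse1." followed by the sender's IP address.
$template Warehouse1Fwd,"<%PRI%>%TIMESTAMP:::date-rfc3339% warehouse1.%FROMHOST-IP% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"

# The template is bound to the forwarding action with ";Name".
# $ActionFileDefaultTemplate only sets the default for file actions,
# so it has no effect on what is sent over the wire.
*.* @@central.example.net:514;Warehouse1Fwd

# ---------------------------------------------------------------
# Central server (constructed example)
# ---------------------------------------------------------------
$ModLoad imtcp
$InputTCPServerRun 514

# The hostname field is supplied by the sender, so only a strict
# "<label>.<dotted IPv4>" value is allowed to shape the path.
#   submatch 1 = warehouse label, submatch 2 = IP address
# Nomatch mode ZERO writes "0" for anything that does not fit, so a
# malformed or hostile hostname ends up in 0/0.log and cannot place
# "/" or ".." into the file name.
$template PerWarehouseFile,"/var/log/remote/%HOSTNAME:R,ERE,1,ZERO:^([A-Za-z0-9-]+)[.]([0-9]+[.][0-9]+[.][0-9]+[.][0-9]+)$--end%/%HOSTNAME:R,ERE,2,ZERO:^([A-Za-z0-9-]+)[.]([0-9]+[.][0-9]+[.][0-9]+[.][0-9]+)$--end%.log"

# "?" marks a dynamic file name (dynafile) built from the template.
*.* ?PerWarehouseFile
```

With this in place a message relayed from 192.168.1.1 in warehouse 1 is written to /var/log/remote/warehouse1/192.168.1.1.log; anything arriving in /var/log/remote/0/0.log came from a sender whose hostname field did not match the expected form.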

