Ping...
were you able to get this to work?
David Lang
On Fri, 3 May 2013, David Lang wrote:
Date: Fri, 3 May 2013 11:55:46 -0700 (PDT)
From: David Lang <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Centralized Logging and SubFolder / Directories
On Thu, 2 May 2013, Thomas Macaigne wrote:
Date: Thu, 2 May 2013 09:24:06 +0200
From: Thomas Macaigne <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Centralized Logging and SubFolder / Directories
I really can't make it work.
I added:
template (name="Format2" type="string"
string="<%PRI%>%TIMESTAMP:::date-rfc3339% warehouse1.%FROMHOST-IP%
%syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%")
and
$ActionFileDefaultTemplate Format2
This is on the sending system, correct?
to my rsyslog.conf
And changed %fromhost-ip% to fromhost but nothing changes in the file format.
I did this all on the same box for testing.
it should be %hostname% not %fromhost%
Also, if you create a log with the format RSYSLOG_DebugFormat you will see
all the values that are set.
David Lang
-----Original message-----
From: David Lang <[email protected]>
Sent: Tuesday 30 April 2013 16:29
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Centralized Logging and SubFolder / Directories
the key thing is that you don't set the hostname, you create a new template
to use while forwarding, and you put text in it so that the receiving
rsyslog will parse it into the fields that you want.
The default forward format template (built-in) is
"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME%
%syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
if you define a new format as:
"<%PRI%>%TIMESTAMP:::date-rfc3339% warehouse1.%FROMHOST-IP%
%syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
then if the relay box receives a message from 192.168.1.1, what it will put
in the hostname field is warehouse1.192.168.1.1
David Lang
On Tue, 30 Apr 2013, Thomas Macaigne wrote:
Could you provide configuration examples ?
I don't get how to set the hostname in the outbound template.
Do I have to use http://www.rsyslog.com/doc/property_replacer.html ?
-----Original message-----
From: David Lang <[email protected]>
Sent: Tuesday 30 April 2013 12:39
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Centralized Logging and SubFolder / Directories
On Tue, 30 Apr 2013, Thomas Macaigne wrote:
Hello everyone.
I set up rsyslog and loganalyzer and it works wonders.
Here are my config files:
http://paste.ubuntu.com/5618590 / clientconf
http://pastebin.com/M5ebsjhU serverconf
So the log files of clients are logged in folders named by IP.
The problem is that we have multiple warehouses. So there can be
multiple 192.168.1.1, ..
What I would like is to be able to create a folder for each warehouse:
warehouse1/192.168.1.1/*.log
warehouse2/192.168.1.1/*.log
How would one do that ?
I googled and all I could find was
http://wiki.rsyslog.com/index.php/Sysklogd_drop-in_with_remote_logs_separated_by_dynamic_directory
which is irrelevant for me.
This gets tricky because of the problem of how do you figure out at the
central host what warehouse the log came from.
Now, I will point out that since you log based on the fromhost-ip, you are
never going to have two systems that look like they have the same IP address
as far as your central server is concerned. If you have multiple machines
with 192.168.1.1 locally, they will be going through NAT of some form before
they get to your central server, and the fromhost-ip that the central server
sees will be the NAT IP, not the real server IP (which means that all systems
behind that NAT will look the same)
My suggestion is to move to a three tier arrangement
local systems all log to a relay box in the same warehouse
relay boxes format the message with fromhost-ip and add a warehouse tag then
relay to your central server
the central server then writes the files out as needed.
As for the question of how to add the warehouse tag, there are currently two
approaches available
1. On the relay boxes, set the hostname field in the outbound template to
"warehouse1.%fromhost-ip%", then have the central server write the logs based
on %hostname% instead of %fromhost-ip%, they will have filenames like
warehouse1.192.168.1.1.log (with a little work with regexes in your dynafile
template you can make it warehouse1/192.168.1.1.log)
2. With 7.x versions of rsyslog, you can relay to your central server using
JSON formatting, and with that you can set a variable $!warehouse-id=1 and
then have the dynafile template on the central host use that.
The first approach is a hack, but it will work and all log analysis tools
that can keep the FQDN will handle it correctly.
The second approach is more powerful, and opens the door for future tags (for
example, is this box QA, prod, DR, test, preprod, etc) but requires a much
more recent version of rsyslog.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
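The first approach from the thread (warehouse prefix in the hostname field on the relay, dynafile keyed on %hostname% on the central server), written out as an added example that is not part of the original posts. The names WarehouseForward and PerWarehouseFile, the target central.example.com, the ports and the /var/log/remote path are assumptions, and the file template assumes IPv4 senders. Field extraction is used here in place of the regexes mentioned in the thread.

```conf
# ---- relay box in warehouse1 (assumed file: /etc/rsyslog.d/relay.conf) ----
# Receive from the local systems in this warehouse.
module(load="imudp")
input(type="imudp" port="514")

# Same layout as the built-in forward format, but the hostname field is
# replaced by the literal warehouse name plus the sender's IP address.
template(name="WarehouseForward" type="string"
         string="<%PRI%>%TIMESTAMP:::date-rfc3339% warehouse1.%FROMHOST-IP% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%")

# The template has to be attached to the forwarding action; a default
# *file* template does not change what is sent over the wire.
action(type="omfwd" target="central.example.com" port="514"
       protocol="tcp" template="WarehouseForward")

# ---- central server (assumed file: /etc/rsyslog.d/central.conf) ----
module(load="imtcp")
input(type="imtcp" port="514")

# %hostname% now arrives as e.g. warehouse1.192.168.1.1
# F,46 splits on "." (ASCII 46): field 1 is the warehouse, fields 2-5
# are the IPv4 octets. secpath-replace turns any "/" into "_" so a
# sender-supplied hostname cannot step outside /var/log/remote.
template(name="PerWarehouseFile" type="string"
         string="/var/log/remote/%hostname:F,46:1:secpath-replace%/%hostname:F,46:2:secpath-replace%.%hostname:F,46:3:secpath-replace%.%hostname:F,46:4:secpath-replace%.%hostname:F,46:5:secpath-replace%.log")

# Result: /var/log/remote/warehouse1/192.168.1.1.log
action(type="omfile" dynaFile="PerWarehouseFile")
```

Writing one file with the RSYSLOG_DebugFormat template on the central server, as suggested earlier in the thread, shows whether %hostname% actually carries the warehouse prefix before the dynafile template is relied on.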