On Wed, 7 May 2014, Josh Bitto wrote:

After looking at it yeah I have to agree.

Do have another problem though that I'm trying to figure out.

When configuring templates to write incoming logs to a file, I'm accustomed to 
the legacy version where you do something like...

$template name,"/var/log/pathtofile.log"
if {conditions} then {
        ?name
        stop
}

I've looked at the template documentation and the default template example 
given, but I'm a little confused as to how to actually write to a file. Or am I 
misinterpreting the function that it does.

well, everything there except the write to the file is the new syntax :-)

? is only needed if you are doing a dynamic filename, and you can continue to use it as you always have

www.rsyslog.com/doc/omfile.html

in the new action() format, you set DynaFile='template' instead of file='filename'

David Lang
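A side-by-side of the legacy form quoted above and its action() equivalent, added here as an illustration rather than taken from the thread or the rsyslog docs; the condition on $programname, the file path and the OSSEC program name are assumed placeholders, and secpath-replace is used so a hostname supplied by a remote sender cannot smuggle "/" into the generated path:

```rsyslog
# --- legacy syntax (the style the question used) ---
# ?name in the action position means "use template 'name' as the filename"
$template OssecLegacy,"/var/log/remote/%HOSTNAME:::secpath-replace%/ossec.log"
if $programname == 'ossec' then ?OssecLegacy
& stop

# --- new action() syntax ---
# 1. A template is still what produces the filename...
template(name="OssecFile" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/ossec.log")

# 2. ...but the write is an explicit omfile action. dynaFile= names the
#    template above; file= would take a literal path instead.
if $programname == 'ossec' then {
    action(type="omfile"
           dynaFile="OssecFile"        # filename comes from the template
           createDirs="on"             # make /var/log/remote/<host>/ as needed
           dirCreateMode="0750"        # keep remote log dirs out of world-read
           fileCreateMode="0640")      # same for the files themselves
    stop                               # do not let these lines fall through
}

# Same thing with a fixed filename: no template needed at all.
if $programname == 'ossec' then {
    action(type="omfile" file="/var/log/ossec-remote.log"
           fileCreateMode="0640")
    stop
}
```

The property-replacer option secpath-replace rewrites any "/" in the hostname to "_" (secpath-drop removes it); without one of them a forged HOSTNAME could steer the dynamic file outside the intended directory.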




-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of David Lang
Sent: Wednesday, May 07, 2014 12:44 PM
To: rsyslog-users
Subject: Re: [rsyslog] Rsyslog w/ logstash-elasticsearch-kibana server

at my old job we had ossec configured to send to rsyslog

personally I really dislike the 'write to a file and then scrape it with 
another program' approach to logs

Yes, it handles cases where your logserver is down, but you should have HA so 
that's a very rare case.

But it causes a bunch of headaches

1. a lot more disk I/O

2. polling to check if the file has changed

3. headaches if the files roll too fast

4. problems deciding when you can delete the files

It's just so much easier to pass the data directly to rsyslog and let it deal 
with everything :-)

David Lang



On Wed, 7 May 2014, Josh Bitto wrote:

Date: Wed, 7 May 2014 09:44:43 -0700
From: Josh Bitto <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Rsyslog w/ logstash-elasticsearch-kibana server

Hello Everyone and Good Morning!

I have a new question for you all. Does anyone have this current setup with an 
OSSEC server as well? I'm wondering which would be the better option to do. 
Just create an imfile for Rsyslog to monitor the logs from OSSEC or forward 
them to rsyslog. I'm curious to find out if anyone else has this implemented 
too!


Josh
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites 
beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
