What we do is have separate templates for different types of logs (auth, "normal", cron, etc) and check the $syslogfacility-text and use a different template accordingly.
On 8/12/14, 11:26 AM, Kevin McGillicuddy wrote: > So for my network I have 3 servers and want to forward all logs to one sevrer > > On the client servers I have everything setup good > *.* > :omrelp:ipaddress:20514 > > I can see logs from that server coming into my central server, the issue is > that I want to break certain logs into certain files on the central server - > so on client 1 I would want my rootsh logs and my secure logs into 2 separate > files > > Here is my central server configuration > > # provides UDP syslog reception > $ModLoad imudp > $UDPServerRun 514 > > # provides TCP syslog reception > $ModLoad imtcp > $InputTCPServerRun 10514 > > # provides RELP syslog reception > $ModLoad imrelp > $InputRELPServerRun 20514 > > $template root_perhoste,"/var/log/hosts/%HOSTNAME%/rootsh.log" > $template syslog_perhost,"/var/log/hosts/%HOSTNAME%/syslog.log" > > rootsh.log ?root_perhost > secure ?syslog_perhost > > > I also have the last part > (rootsh.log ?root_perhost > secure ?syslog_perhost) > > Repeated in this file /etc/rsyslog.d/50-default-.conf --because I am running > central server on Ubuntu 14.04 > > So all the logs come over fine and I can see them all - but they all get > dumped into syslog.log - so when I ssh into the client server I see in the > syslog.log on the central server that an ssh connection was open but when I > switch user to root and run commands as root or have any other logs they also > show up in syslog.log and nothing ever logs to the rootsh.log - however I > know the logs are coming to the central server that are meant for that file > because they show up in syslog.log > > Also rootsh.log is not a standard log file > > Any thoughts? > > > Thanks, > Kevin McGillicuddy > Server Administrator > Sight & Sound Theatres > 717-687-4220 x2317 > [email protected]<mailto:[email protected]> > > [http://www.sight-sound.com/StaticContent/images/signature.gif]<http://www.sight-sound.com/> > [http://www.sight-sound.com/StaticContent/images/youtube.gif]<http://www.youtube.com/user/sightsoundtheatres>[http://www.sight-sound.com/StaticContent/images/facebook.gif]<http://www.facebook.com/sightsoundtheatres> > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
