On Tue, 2014-08-12 at 21:27 +0300, Ivan Lezhnjov IV wrote:
> This is similar to what I want to figure out how to do.
>
> As somebody explained it here for me -- it was also mentioned somewhere in
> documentation -- the trick is apparently to process messages destined for
> remote server only first, then discard them.
>
> Ivan
>
> On Aug 12, 2014, at 7:26 PM, James Lay <[email protected]> wrote:
>
> > On 2014-08-12 06:43, James Lay wrote:
> >> Hi Everyone.
> >>
> >> I've been having one heck of a time trying to get a file to go to a
> >> remote syslog server ONLY. Here's my setup...a standard rsyslog.conf
> >> with one addition:
> >>
> >>
> >> auth,authpriv.*                 /var/log/auth.log
> >> *.*;auth,authpriv.none          -/var/log/syslog
> >> kern.*                          -/var/log/kern.log
> >> mail.*                          -/var/log/mail.log
> >> *.*                             @10.1.1.1
> >> mail.err                        /var/log/mail.err
> >>
> >> news.crit                       /var/log/news/news.crit
> >> news.err                        /var/log/news/news.err
> >> news.notice                     -/var/log/news/news.notice
> >>
> >> *.emerg                         :omusrmsg:*
> >>
> >> daemon.*;mail.*;\
> >>         news.err;\
> >>         *.=debug;*.=info;\
> >>         *.=notice;*.=warn       |/dev/xconsole
> >>
> >> This logs all messages to a remote server. So far so good. Now...I'd
> >> like to send a completely different log file to a different remote
> >> server. I tried creating /etc/rsyslog.d/60-bro.conf and it contains:
> >>
> >>
> >> $ModLoad imfile #
> >> $InputFileName /media/backup/bro/current/conn.log
> >> $InputFileTag bro_conn:
> >> $InputFileStateFile stat-bro_conn
> >> $InputFileSeverity info
> >> $InputFileFacility local7
> >> $InputRunFileMonitor
> >> #check for new lines every second
> >> $InputFilePollingInterval 1
> >> local7.* @10.0.0.2:6514
> >>
> >> But as soon as I restart rsyslog I see my conn.log file going to
> >> 10.1.1.1 as well. Is there something I'm missing to get this to NOT go
> >> to 10.1.1.1? Thank you.

Thanks Ivan...I'll search the list archives and see what I can find.

James
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
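
The "process first, then discard" approach Ivan mentions, written out for the setup in this thread as an added example that is not from either poster or from the rsyslog project. It assumes the `$IncludeConfig /etc/rsyslog.d/*.conf` line in rsyslog.conf sits above the `*.* @10.1.1.1` rule, so that this file's rules are evaluated first; the tag-based filter is also an assumption chosen here so that other local7 traffic is left alone.

```conf
# /etc/rsyslog.d/60-bro.conf  (added example; legacy-format directives as in the post)
#
# Assumption: rsyslog.conf includes /etc/rsyslog.d/*.conf BEFORE its own
# "*.* @10.1.1.1" rule. Rules are evaluated in the order they are read, so
# the discard below only helps if it runs ahead of the catch-all forward.

$ModLoad imfile
$InputFileName /media/backup/bro/current/conn.log
$InputFileTag bro_conn:
$InputFileStateFile stat-bro_conn
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
# check for new lines every second
$InputFilePollingInterval 1

# Before (from the post): the message is forwarded, but it keeps travelling
# down the rule chain and is matched again by "*.* @10.1.1.1".
#local7.* @10.0.0.2:6514

# After: select only the lines read by imfile (by their tag, not the whole
# local7 facility), forward them to the second server, then discard them so
# that no later rule, local file or remote, ever sees them.
:syslogtag, startswith, "bro_conn" @10.0.0.2:6514
# "& ~" is the legacy discard action; rsyslog v7 and later spell it "& stop".
& ~
```

Running `rsyslogd -N1` checks the configuration for syntax errors before the service is restarted.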

