I've been poring over the documentation I can find for rsyslog5 and came
up with the following configuration. We monitor potentially dozens of logs
per host, and previously it seemed that Severity level was the primary
filtering method. I tried to do something like this:

Client side:

$InputFileName /var/log/tomcat/localhost_access_log
$InputFileStateFile tomcat_localhost_access_state
$InputFileSeverity info
$InputFileFacility local6
$InputFileTag localhost_access_log:
$InputRunFileMonitor

On the aggregation server side I tried to do something like this:

$template tomcat-access, "/central/$HOSTNAME%/tomcat/tomcat_access_log"
if ($source != 'localhost' and $source != 'rsyslog01')\
and $syslogfacility-text == 'local6'\
and $syslogseverity-text == 'info'\
and $inputfiletag == 'localhost_access_log'\
then ?tomcat-access

Communication is working and local4 stuff is being received no problem, but
this seems to be getting stopped. I can't find any documentation saying
that I can use $inputfiletag like this, but that is the goal. I could
totally drop severity as it's not really needed. I'm not trying to do any
filtering of the logs, just want what exists on one side to be on the other
as some logs do not follow an expected pattern or may change. I'm also open
to other suggestions of how to manage potentially dozens of files and any
other recommended reading.

Thanks,

Irene
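
The server-side routing described above, as an added example that is not part of the original post or of rsyslog's own documentation: it matches on the standard programname property rather than $inputfiletag, assuming the tag set with $InputFileTag arrives as the message's syslog tag. The template names TomcatAccess and PerTagFile and the ".log" suffix are hypothetical, and the second rule generalizes the idea to many monitored files.

```conf
# Added example, rsyslog v5 legacy syntax, aggregation server side.
# Assumption: the client's "$InputFileTag localhost_access_log:" is received
# as the syslogtag property, so programname is the tag up to the colon.

# Template properties are written %name%. HOSTNAME is supplied by the sender,
# so secpath-replace turns any "/" in it into "_" before it becomes a path
# component under /central.
$template TomcatAccess,"/central/%HOSTNAME:::secpath-replace%/tomcat/tomcat_access_log"

# One file, matched by facility and tag (severity dropped, as the post allows).
if $syslogfacility-text == 'local6' and $programname == 'localhost_access_log' then ?TomcatAccess

# Many files: one dynafile template keyed on the tag, so each client-side
# $InputFileTag gets its own file without a server-side rule per log.
# The tag is also sender-controlled, hence secpath-replace here too.
$template PerTagFile,"/central/%HOSTNAME:::secpath-replace%/%programname:::secpath-replace%.log"
if $syslogfacility-text == 'local6' then ?PerTagFile
```

Use one of the two rules, not both, or each access-log line is written twice.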
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog