I've been poring over the documentation I can find for rsyslog5 and came up with the following configuration. We monitor potentially dozens of logs per host, and previously it seemed that severity level was the primary filtering method. I tried to do something like this:

Client side:

$InputFileName /var/log/tomcat/localhost_access_log
$InputFileStateFile tomcat_localhost_access_state
$InputFileSeverity info
$InputFileFacility local6
$InputFileTag localhost_access_log:
$InputRunFileMonitor

On the aggregation server side I tried to do something like this:

$template tomcat-access, "/central/$HOSTNAME%/tomcat/tomcat_access_log"
if ($source != 'localhost' and $source != 'rsyslog01')\
and $syslogfacility-text == 'local6'\
and $syslogseverity-text == 'info'\
and $inputfiletag == 'localhost_access_log'\
then ?tomcat-access

Communication is working and local4 stuff is being received no problem, but this seems to be getting stopped. I can't find any documentation saying that I can use $inputfiletag like this, but that is the goal. I could totally drop severity as it's not really needed. I'm not trying to do any filtering of the logs; I just want what exists on one side to be on the other, as some logs do not follow an expected pattern or may change.

I'm also open to other suggestions of how to manage potentially dozens of files and any other recommended reading.

Thanks,
Irene
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
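An added example, not part of the original post: a server-side rule set in rsyslog v5 legacy syntax that routes on the tag the client sets with $InputFileTag. It assumes the tag arrives as the ordinary syslog tag, so it is matched through the standard programname property; the per-tag template name is hypothetical.

```conf
# Added example for the central server; not the poster's configuration.
# Assumption: the imfile tag "localhost_access_log:" is carried as the syslog
# tag, so programname (the tag up to the ':') is "localhost_access_log".

# HOSTNAME and programname are supplied by the sender. secpath-replace turns
# any '/' in them into '_' so a crafted value cannot write outside /central.
$template tomcat-access,"/central/%HOSTNAME:::secpath-replace%/tomcat/tomcat_access_log"

# Specific rule: the Tomcat access log, matched by facility and tag.
if $syslogfacility-text == 'local6' and $programname == 'localhost_access_log' then ?tomcat-access
# Stop processing these messages so the general rule below does not
# write them a second time.
& ~

# General rule for many monitored files: one file per host and tag, so new
# client-side $InputFileTag values need no new server-side rule.
$template per-tag,"/central/%HOSTNAME:::secpath-replace%/%programname:::secpath-replace%.log"
if $syslogfacility-text == 'local6' and $source != 'localhost' and $source != 'rsyslog01' then ?per-tag
& ~
```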

