Quick setup: Have five log sources that send syslog to a syslog server (running rsyslog), which then sends syslog to Splunk server (also running rsyslog)
Trying to split syslog coming from the syslog server to Splunk into separate files. Here's the rsyslog on the Splunk server:

    # send all messages from XXX Manager and YYY to specific files
    if $hostname contains 'xxx' then /syslog/xxx/%$YEAR%/%$MONTH%/xxx-%$YEAR%%$MONTH%%$DAY%.log
    else /syslog/yyy/%$YEAR%/%$MONTH%/yyy-%$YEAR%%$MONTH%%$DAY%.log
    & ~

Here are snippets of rsyslog on the syslog server:

    # Provides TCP syslog reception
    $ModLoad imtcp.so
    $InputTCPServerBindRuleset remote
    #$InputTCPServerRun 514

    $RuleSet remote
    $template DynaFile,"/syslog/%HOSTNAME%/%HOSTNAME%"
    *.* -?DynaFile

    # Forwarding rule for remote to Splunk server
    *.* @@x.x.x.x:514

    $InputUDPServerBindRuleset remote
    $UDPServerRun 514

My question lies in the syntax in Splunk's rsyslog. Is the if|then|else statement correct? Basically I want any message related to xxx going to the file for xxx, and any messages from yyy going to the file for yyy.

Running rsyslogd 5.8.10 on both servers.

Thx,
Jeff
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
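For reference, here is how a per-host split of this kind is normally written in rsyslog 5.x legacy syntax. This is an added example, not the poster's config and not a reply from the list: each target path is defined as a $template and referenced as a dynafile (the same pattern the poster's syslog server already uses), and because the legacy if/then form takes a single action and has no else branch, the second host gets its own if line. The paths and the 'xxx'/'yyy' matches are taken from the post; the catch-all file name is an assumption, and $CreateDirs is shown only to make directory creation explicit since it is already the default.

```rsyslog
# Added example (not the poster's config): per-host split in rsyslog 5.x legacy syntax.
# Dynamic file names must be defined as templates; a bare path after "then" is
# taken literally and the %$YEAR% style properties in it would not be expanded.
$template XxxFile,"/syslog/xxx/%$YEAR%/%$MONTH%/xxx-%$YEAR%%$MONTH%%$DAY%.log"
$template YyyFile,"/syslog/yyy/%$YEAR%/%$MONTH%/yyy-%$YEAR%%$MONTH%%$DAY%.log"

# Create missing year/month directories (rsyslog's default; shown for clarity).
$CreateDirs on

# $hostname is the hostname field parsed from the message header, i.e. whatever the
# relay forwarded, not the relay's own address ($fromhost is the sending peer).
# Legacy if/then takes one action and has no else, so each host is its own rule.
# "& ~" discards the message once written so it does not also hit the rules below.
if $hostname contains 'xxx' then -?XxxFile
& ~
if $hostname contains 'yyy' then -?YyyFile
& ~

# Messages matching neither host fall through to a catch-all (assumed file name),
# so unexpected senders are kept visible rather than silently dropped.
*.* -/syslog/unmatched.log
```

The `contains` test is a plain case-sensitive substring match on the sender-supplied hostname, so a hostname that merely happens to contain 'xxx' lands in that file too; tighten the match (e.g. `isequal` against the exact hostname) if the files feed per-source alerting.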

