2014-12-10 19:00 GMT+01:00 Walzer, Jeff R <[email protected]>:
> Quick setup: Have five log sources that send syslog to a syslog server
> (running rsyslog), which then sends syslog to Splunk server (also running
> rsyslog).
>
> Trying to split syslog coming from syslog server to Splunk into separate
> files. Here's the rsyslog on Splunk server:
>
> # send all messages from XXX Manager and YYY to specific files
> if $hostname contains 'xxx'
> then /syslog/xxx/%$YEAR%/%$MONTH%/xxx-%$YEAR%%$MONTH%%$DAY%.log
> else /syslog/yyy/%$YEAR%/%$MONTH%/yyy-%$YEAR%%$MONTH%%$DAY%.log
> & ~
>
> Here are snippets of rsyslog on syslog server:
>
> # Provides TCP syslog reception
> $ModLoad imtcp.so
> $InputTCPServerBindRuleset remote
> #$InputTCPServerRun 514
>
> $RuleSet remote
> $template DynaFile,"/syslog/%HOSTNAME%/%HOSTNAME%"
> *.* -?DynaFile
>
> # Forwarding rule for remote to Splunk server
> *.* @@x.x.x.x:514
>
> $InputUDPServerBindRuleset remote
> $UDPServerRun 514
>
> My question lies in the syntax in Splunk's rsyslog. Is the if|then|else
> statement correct? Basically want any message related to xxx going to file
> for xxx, and any messages from yyy going to file for yyy.
>
> Running rsyslogd 5.8.10 on both servers
>
I think you need at least v7, probably 8 for "else". Make sure you record
"syslog.*" messages so that you can see startup error messages (I am sure
rsyslog spits out quite a lot of them ;)).

HTH
Rainer

> Thx,
> Jeff
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
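The hostname split Jeff describes, rewritten so it runs on the rsyslogd 5.8.10 he has (no "else" available), with the v7+ RainerScript form Rainer points to shown in a trailing comment. This is an added example, not config posted in the thread; the 'xxx'/'yyy' names and /syslog paths are taken from Jeff's message, and the /var/log/rsyslog-internal.log path is an assumption. In legacy syntax, %property% expansion in a filename only happens through a template, so the paths go into $template lines.

```rsyslog
# Added example (not from the thread). Dynamic filenames must be templates
# in legacy syntax; a bare path with %...% in an action is taken literally.
$template XxxFile,"/syslog/xxx/%$YEAR%/%$MONTH%/xxx-%$YEAR%%$MONTH%%$DAY%.log"
$template YyyFile,"/syslog/yyy/%$YEAR%/%$MONTH%/yyy-%$YEAR%%$MONTH%%$DAY%.log"

# Record rsyslog's own messages (Rainer's advice) so a config that fails to
# parse at startup is visible instead of silently dropping the route.
# Assumed path.
syslog.* /var/log/rsyslog-internal.log

# v5 has "if ... then" but no "else": write the xxx messages, then discard
# them with "& ~" so they never reach the catch-all rule below.
if $hostname contains 'xxx' then ?XxxFile
& ~

# Whatever survives the discard above is from the yyy source.
*.* ?YyyFile
& ~

# Same routing for rsyslog v7 and later, where if/then/else and "stop" exist
# (the two $template lines above are reused by name):
# if $hostname contains 'xxx' then {
#     action(type="omfile" dynaFile="XxxFile")
# } else {
#     action(type="omfile" dynaFile="YyyFile")
# }
# stop
```

Rule order matters in the v5 form: if the "& ~" after the xxx rule is dropped, xxx messages are also written to the yyy file.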

