On Wed, 4 Feb 2015, Asif Iqbal wrote:
On Feb 3, 2015 9:10 PM, "David Lang" <[email protected]> wrote:
On Tue, 3 Feb 2015, Asif Iqbal wrote:
Hi All,
I am using local0,local1,.. facilities as my filter, so I have only 8
filters. I have more than 8 types
of devices I receive log from.
Is it possible to start a second rsyslogd instances listening on another
IPv4 IP, so I can get 8 more
locals?
I went through the man page and I do not know if I can have multiple rsyslogd
running on different IPs.
Is it possible? I rather stick with traditional filtering and go with
multiple rsyslogd instances on
separate IPs. I am not planning to run multiple containers to fix this. I
rather not start with syslog-ng
to achieve this and keep it as standard centos install as possible.
I am using centos 6. Currently I am on rsyslog 5.8.10 which comes with
centos 6.
as long as you never mix logs from your different instances of rsyslog
then what's local0 doesn't need to have anything to do with what's local0
in another.
but if you ever have the logs touch, there is no way to tell the
difference between the different local0s that you've created.
But why are you wanting to limit yourself to using facility/severity
filtering?
you can filter on anything else (a very common thing is to filter on the
programname), which is far more powerful.
When you deliver logs between machines you can even filter on multiple
conditions, so you can filter on the combination of hostname and
programname.
David Lang
I am receiving logs from around 200 network elements.
How do I start a second rsyslogd? Is it some parameter in config file where
I can define a second IP to bind to like in syslog-ng?
in the input() statement you can specify the IP address, on the command line you
will need to specify a unique config file and pid file for each copy. There are
other things that can trip you up as well (depending on what other features you
use)
but with 200 things sending you logs, you will end up having to run 25 copies of
rsyslog (assuming that you give each of them a unique local# id). why not just
filter on the hostname or IP address instead?
you can even use that hostname/ip address in a filename template and with two
lines in one copy of rsyslog have each network device be output into its own
file.
Why not explain a bit more about what you are trying to do and let's see if we
can easily do it with one copy of rsyslog instead of 25 (or more)
David Lang
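
The single-instance approach suggested in the reply above, sketched as an added example that is not part of the original thread: legacy-format directives as accepted by rsyslog 5.x. The listen address, sender address prefixes and file paths are constructed placeholders.

```conf
# Added example; all addresses and paths below are placeholders.

# Receive UDP syslog on one specific local address.
# $UDPServerAddress must appear before $UDPServerRun.
$ModLoad imudp
$UDPServerAddress 192.0.2.5
$UDPServerRun 514

# Group devices by type without spending a local# facility on each type:
# match on the address the packet actually came from.
:fromhost-ip, startswith, "198.51.100." /var/log/network/firewalls.log
:fromhost-ip, startswith, "203.0.113." /var/log/network/switches.log

# The "two lines" variant: a file name template plus one action that uses it.
# fromhost-ip is taken from the socket, so a sender cannot choose its own
# file name. %HOSTNAME% also works here, but it is read from the message
# header and is therefore whatever the sending device claims to be.
$template PerDevice,"/var/log/network/%fromhost-ip%.log"
*.* ?PerDevice
```

Messages keep whatever facility the device sent, so the per-type and per-device files can be combined with ordinary facility/severity selectors where those are still wanted.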
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog