On Wed, Feb 4, 2015 at 12:57 AM, David Lang <[email protected]> wrote: > On Wed, 4 Feb 2015, Asif Iqbal wrote: > > On Feb 3, 2015 9:10 PM, "David Lang" <[email protected]> wrote: >> >>> >>> On Tue, 3 Feb 2015, Asif Iqbal wrote: >>> >>> Hi All, >>>> >>>> I am using local0,local1,.. facilities as my filter, so I have only 8 >>>> filters. I have more than 8 types >>>> of devices I receive log from. >>>> >>>> Is it possible to start a second rsyslogd instances listening on another >>>> IPv4 IP, so I can get 8 more >>>> locals? >>>> >>>> I went through the man page and I do not if I can have multiple rsyslogd >>>> running on different IPs. >>>> >>>> Is it possible? I rather stick with traditional filtering and go with >>>> mutiple rsyslogd instances on >>>> seprate IPs. I am not planning to run multiple containers to fix this. I >>>> rather not start with syslog-ng >>>> to achieve this and keep it as standard centos install as possible. >>>> >>>> I am using centos 6. Currently I am on rsyslog 5.8.10 which comes with >>>> centos 6. >>>> >>> >>> >>> as long as you never mix logs from your different instances of rsyslog >>> >> then what's local0 doesn't need to have anything to do with what's local0 >> in another. >> >>> >>> but if you ever have the logs touch, there is no way to tell the >>> >> difference between the different local0s that you've created. >> >>> >>> But why are you wanting to limit yourself to using facility/severity >>> >> filtering? >> >>> >>> you can filter on anything else (a very common thing is to filter on the >>> >> programname), which is far more powerful. >> >>> >>> When you deliver logs between machines you can even filter on multiple >>> >> conditions, so you can filter on the combination of hostname and >> programname. >> >>> >>> David Lang >>> >>> >> I am receiving logs from around 200 network elements. >> >> How do I start a second rsyslogd? Is it some parameter in config file >> where >> I can define a second IP to bind to like in syslog-ng? >> > > in the input() statement you can specify the IP address, on the command > line you will need to specify a unique config file and pid file for each > copy. There are other things that can trip you up as well (depending on > what other features you use) >
I am not seeing any input() statement in rsyslog.conf. Are you referring to imudp may be? Not sure where in imudp do I put the IP. Yes I know I will need to make sure there will be separate config file and pid file. I am doing that for other processes like sshd, tac_plus and others. > > but with 200 things sending you logs, you will end up having to run 25 > copies of rsyslog (assuming that you give each of them a unique local# id). > why not just filter on the hostname or IP address instead? > > No I will need 16 different local filters. So I will be running only two instances of rsyslogd > you can even use that hostname/ip address in a filename template and with > two lines in one copy of rsyslog have each network device be output into > it's own file. > > I am aware of that and using template as well to avoid log rotate and just place the file in right folder based on year and day Why not explain a bit more about what you are trying to do and let's see if > we can easily do it with one copy of rsyslog instead of 25 (or more) > > David Lang > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
