On Wed, Feb 4, 2015 at 11:06 AM, David Lang <[email protected]> wrote:

> On Wed, 4 Feb 2015, Asif Iqbal wrote:
>
>
>>>>>  I am receiving logs from around 200 network elements.
>>>>
>>>> How do I start a second rsyslogd? Is it some parameter in config file
>>>> where I can define a second IP to bind to like in syslog-ng?
>>>>
>>>>
>>> In the input() statement you can specify the IP address; on the command
>>> line you will need to specify a unique config file and pid file for each
>>> copy. There are other things that can trip you up as well (depending on
>>> what other features you use).
>>>
>>>
>> I am not seeing any input() statement in rsyslog.conf. Are you referring
>> to imudp maybe? Not sure where in imudp do I put the IP. Yes I know I will
>> need to make sure there will be separate config file and pid file.
>>
>> I am doing that for other processes like sshd, tac_plus and others.
>>
>
> rsyslog v5.8 is ancient and has not been supported by the community for
> several years. You should upgrade to a currently supported version if you
> are going to be asking for help doing complex and unusual things.
>

I agree. I am surprised that the latest CentOS 6 still comes with such an old
rsyslog.



>
> Read through the documentation on your system for the imudp and imtcp
> modules. The documentation that you find online is going to mostly cover
> the more current versions, which include a better config format for
> expressing complex things.
>
>
Sure. Thanks for your help



>>> but with 200 things sending you logs, you will end up having to run 25
>>> copies of rsyslog (assuming that you give each of them a unique local#
>>> id).
>>> why not just filter on the hostname or IP address instead?
>>>
>>>
>> No I will need 16 different local filters. So I will be running only two
>> instances of rsyslogd
>>
>>
>
> By the way, you need to recognize that there's nothing magic about the
> local* facilities. You can have your applications use any facility that you
> want. As long as you don't have something else using it and are willing to
> put up with the confusion in names (which should be less than having local0
> mean two things)
>
>
I am absolutely aware of that. We have been using syslog for 13 yrs and we
have a fixed local facility for specific network elements. Like we always use
local7 for cisco. But now we have more than 8 types of vendors and to
accommodate we need multiples of 8 by adding a second instance of the syslog
daemon.


> For example, I really doubt that you have lpr, news, uucp, or clock
> facilities in use on your systems.
>
>
You are absolutely right. However, we have those reserved for system logs
and using locals for network element syslogs. Just how we have it now, does
not mean we are not recognizing your hints.

I will be going through the imudp to find out how to bind to a fixed
IP/port for a syslog daemon.

Thanks a lot!



> David Lang
>
>
>
>>> you can even use that hostname/ip address in a filename template and with
>>> two lines in one copy of rsyslog have each network device be output into
>>> its own file.
>>>
>>>
>> I am aware of that and using template as well to avoid log rotate and
>> just place the file in right folder based on year and day
>>
>>> Why not explain a bit more about what you are trying to do and let's see
>>> if we can easily do it with one copy of rsyslog instead of 25 (or more)
>>>
>>> David Lang
>>>
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> DON'T LIKE THAT.
>>>
>>>
>>
>>
>>



-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
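
[Added example, not part of the original thread and not configuration posted by either participant.] One way to get 16 distinct local* meanings from a single rsyslogd, using the input() address binding and the filename templates discussed above: two UDP listeners on different IPs, each with its own ruleset. It assumes rsyslog v7 or later (not the v5.8 in the thread); the addresses, ruleset names, template names and paths are constructed placeholders.

```rsyslog
# Assumed: rsyslog v7+ (RainerScript). All names, IPs and paths below are
# constructed for illustration.
module(load="imudp")

# One file per facility, per sending device, per day. Keying the path on
# %fromhost-ip% keeps a device's messages together even if it reports a
# different hostname in the message itself.
template(name="SetAFile" type="string"
         string="/var/log/net/setA/%syslogfacility-text%/%fromhost-ip%/%$year%-%$month%-%$day%.log")
template(name="SetBFile" type="string"
         string="/var/log/net/setB/%syslogfacility-text%/%fromhost-ip%/%$year%-%$month%-%$day%.log")

# Vendors 1-8 are pointed at the first address; local0..local7 keep their
# existing meaning here (for example local7 for Cisco).
ruleset(name="vendorSetA") {
    action(type="omfile" dynaFile="SetAFile")
}

# Vendors 9-16 are pointed at the second address; the same local0..local7
# values land in a separate tree, so local7 never means two things in one
# place.
ruleset(name="vendorSetB") {
    action(type="omfile" dynaFile="SetBFile")
}

# Each listener binds to one specific IP and feeds only its own ruleset.
input(type="imudp" address="192.0.2.10" port="514" ruleset="vendorSetA")
input(type="imudp" address="192.0.2.11" port="514" ruleset="vendorSetB")
```

Both addresses must already be configured on the host before rsyslogd starts, and `rsyslogd -N1` checks the file for syntax errors without starting the daemon.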
