On Wed, Feb 4, 2015 at 11:12 AM, Asif Iqbal <[email protected]> wrote:
>
> On Wed, Feb 4, 2015 at 11:06 AM, David Lang <[email protected]> wrote:
>
>> On Wed, 4 Feb 2015, Asif Iqbal wrote:
>>
>>>>>> I am receiving logs from around 200 network elements.
>>>>>
>>>>> How do I start a second rsyslogd? Is it some parameter in config file where
>>>>> I can define a second IP to bind to like in syslog-ng?
>>>>>
>>>> in the input() statement you can specify the IP address, on the command
>>>> line you will need to specify a unique config file and pid file for each
>>>> copy. There are other things that can trip you up as well (depending on
>>>> what other features you use)
>>>>
>>> I am not seeing any input() statement in rsyslog.conf. Are you referring to
>>> imudp maybe? Not sure where
>>> in imudp do I put the IP. Yes I know I will need to make sure there will be
>>> separate config file and pid file.
>>>
>>> I am doing that for other processes like sshd, tac_plus and others.
>>>
>>
>> rsyslog v5.8 is ancient and has not been supported by the community for
>> several years. You should upgrade to a currently supported version if you
>> are going to be asking for help doing complex and unusual things.
>>
>
> I agree. I am surprised why CentOS 6 latest still comes with such an old
> rsyslog.
>
>>
>> Read through the documentation on your system for the imudp and imtcp
>> modules. The documentation that you find online is going to mostly cover
>> the more current versions, which include a better config format for
>> expressing complex things.
>>
>
> Sure. Thanks for your help
>

Got it!

http://www.rsyslog.com/doc/v5-stable/configuration/modules/imudp.html

So I just have to use something like below, since I am using older rsyslog

$ModLoad imudp
$UDPServerAddress 192.168.1.100

Thanks a lot!

>
>> but with 200 things sending you logs, you will end up having to run 25
>>>> copies of rsyslog (assuming that you give each of them a unique local#
>>>> id).
>>>> why not just filter on the hostname or IP address instead?
>>>>
>>>> No I will need 16 different local filters. So I will be running only
>>> two
>>> instances of rsyslogd
>>>
>>
>> by the way, you need to recognize that there's nothing magic about the
>> local* facilities. You can have your applications use any facility that you
>> want. As long as you don't have something else using it and are willing to
>> put up with the confusion in names (which should be less than having local0
>> mean two things)
>>
>
> I am absolutely aware of that. We have been using syslog for 13 yrs and we
> have a fixed local
> facility for specific network elements. Like we always use local7 for
> cisco. But now we have more
> than 8 types of vendors and to accommodate we need multiples of 8 by adding
> second instance of
> syslog daemon
>
>> For example, I really doubt that you have lpr, news, uucp, or clock
>> facilities in use on your systems.
>>
>
> You are absolutely right. However, we have those reserved for system logs
> and using locals for
> network element syslogs. Just how we have it now, does not mean we are not
> recognizing your
> hints.
>
> I will be going through the imudp to find out how to bind to a fixed
> IP/port for a syslog daemon.
>
> Thanks a lot!
>
>> David Lang
>>
>>> you can even use that hostname/ip address in a filename template and
>>>> with
>>>> two lines in one copy of rsyslog have each network device be output into
>>>> its own file.
>>>>
>>>> I am aware of that and using template as well to avoid log rotate and
>>> just
>>> place the file in right folder
>>> based on year and day
>>>
>>> Why not explain a bit more about what you are trying to do and let's
>>>> see if
>>>> we can easily do it with one copy of rsyslog instead of 25 (or more)
>>>>
>>>> David Lang
>>>>
>>>> _______________________________________________
>>>> rsyslog mailing list
>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>> http://www.rsyslog.com/professional-services/
>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>>> DON'T LIKE THAT.
>>>>
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
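
Added example, not part of the original thread and not taken from the rsyslog project: a legacy-format (v5) configuration for a second rsyslogd bound to one address, combining the $UDPServerAddress directive from the message with the per-device file template David Lang describes. The file paths, port 514, the allowed-sender subnet and the template name are assumptions.

```conf
# Config for the second instance, legacy v5 syntax.
# Hypothetical file name: /etc/rsyslog-net2.conf
# Each copy needs its own config file and pid file on the command line:
#   rsyslogd -f /etc/rsyslog-net2.conf -i /var/run/rsyslogd-net2.pid

# Do not load imuxsock or imklog in this copy: both instances would
# compete for /dev/log and the kernel log.

# Separate state directory so the two instances do not share
# queue or state files (hypothetical path).
$WorkDirectory /var/lib/rsyslog-net2

$ModLoad imudp

# Legacy directives configure the NEXT listener that is started, so the
# bind address has to appear before $UDPServerRun. Without $UDPServerRun
# no listener is created at all.
$UDPServerAddress 192.168.1.100
$UDPServerRun 514

# UDP source addresses can be spoofed, so restrict who may send
# (assumed management subnet) and filter at the network edge as well.
$AllowedSender UDP, 192.168.1.0/24

# One file per sending device, sorted by year and day, so a single
# instance can separate 200 devices without relying on local0..local7.
$template PerDevice,"/var/log/network/%fromhost-ip%/%$YEAR%/%$MONTH%-%$DAY%.log"

*.* ?PerDevice
```

Running `rsyslogd -N1 -f` against the file checks the syntax without starting the daemon.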

