We need the spoofing because rsyslog adds a timestamp and an IP (127.0.0.1) to 
the beginning of each message forwarded and it messes up the legacy parsing.  

Does @@remotesystem perform compression and will it spool messages by default 
in case the link goes down?

RB

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of David Lang
Sent: Wednesday, September 30, 2015 6:14 PM
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Complex forwarding and spoofing question

On Thu, 1 Oct 2015, Randy Baca wrote:

> I have a complex issue to resolve and I would like to use rsyslog for it.  
> Hopefully someone has done this.
>
>
>
> Currently we have a number of remote sites and each site has a single syslog 
> server collecting events from multiple hosts.  We need to keep the flow going 
> to the legacy syslog servers and also forward all events to a central server 
> at one of the sites.  The legacy syslog servers need to stay running until 
> several other projects get completed; maybe a year.
>
>
>
> This is what we want to do.  We have pieces of it working but can't get 
> everything at once.
>
>  *   Set up rsyslog on the same server that is running the legacy service.
>  *   Change the legacy service to run on udp/515.
>  *   Configure rsyslog to receive on existing ports udp/tcp 514.  We are 
> essentially injecting it between the sending hosts and the legacy service.
>  *   Configure rsyslog to forward and spoof (omudpspoof) to 127.0.0.1 on 
> udp/515.   We need the exact original message because of all the custom 
> parsers written over the years.
>  *   Add another action to forward all messages to the central location.  
> Some sites are not high bandwidth, so we will need compression, TCP for 
> reliability, and spooling in case the link goes down or one of the endpoints 
> reboots.
>  *   The server at the central location will itself then forward to multiple 
> services locally.
>
> Is this do-able?  Can someone get me started with an example config?

It's doable, but you shouldn't need to do the spoofing. Spoofing is only needed 
if the receiving system ignores the text of the log message and instead uses 
the IP address in the packet.

It's as simple as two outputs

@localhost:515
@remotesystem

or @@remotesystem if you want to use TCP forwarding

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is 
a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our 
control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.


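An added example, not part of the original thread and not written by its participants: one way the relay discussed above could be laid out in rsyslog's RainerScript syntax, with the local copy sent as the unmodified received message and the central copy sent over TCP with compression and a disk-assisted queue set explicitly. The host name `central.example.net`, the spool directory, the queue name and its size limit are assumptions, as is a central receiver that is itself rsyslog and can decompress the messages.

```rsyslog
# Added example. Names marked "assumed" are placeholders, not from the thread.
global(workDirectory="/var/spool/rsyslog")   # assumed spool location for queue files

module(load="imudp")
module(load="imtcp")

# Emit the message exactly as it arrived on the wire, with no header
# (timestamp, host) prepended by rsyslog, so legacy parsers see the original text.
template(name="RawMsg" type="string" string="%rawmsg%")

ruleset(name="relay") {
    # 1) Copy for the legacy service now listening on udp/515 on the same host.
    #    The packet's source address will be 127.0.0.1; that only matters if the
    #    legacy service keys on the packet address instead of the message text.
    action(type="omfwd" target="127.0.0.1" port="515" protocol="udp"
           template="RawMsg")

    #    Alternative if the legacy service does rely on the packet source address:
    #    module(load="omudpspoof") at the top of the file, then
    #    action(type="omudpspoof" target="127.0.0.1" port="515" template="RawMsg")

    # 2) Copy for the central site: TCP, per-message zlib compression, and a
    #    disk-assisted in-memory queue that buffers while the link is down and
    #    is written to disk on shutdown.
    action(type="omfwd" target="central.example.net" port="514" protocol="tcp"  # assumed host
           compression.mode="single" ziplevel="6"
           queue.type="LinkedList"
           queue.filename="fwd_central"      # assumed name; enables disk assistance
           queue.maxDiskSpace="1g"           # assumed cap on spooled data
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")     # retry indefinitely, do not drop
}

# Take over the ports the sending hosts already use.
input(type="imudp" port="514" ruleset="relay")
input(type="imtcp" port="514" ruleset="relay")
```

Running `rsyslogd -N1 -f <file>` checks the syntax before the legacy service is moved to udp/515.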
