I have a single rsyslog server for 3 divisions at my office.
The server opens UDP port 514 for division A (network block 10.10.1.1/16),
UDP/TCP port 601 for B (network block 10.20.1.1/16), and TCP port 12514 for
division C (network block 10.30.1.1/16).
I want to give each division a separate folder so each division will only see
the syslog correlated to their own boxes. So I created 3 ruleset files in
rsyslog.d/
A Division: /etc/rsyslog.d/01-ARuleSet.conf
# Template names are global in rsyslog (they are not scoped to the ruleset
# they appear in), so each division's templates carry a unique prefix; the
# original files reused PerHostSyslog etc. in all three, so every ruleset
# resolved to whichever definition was loaded first (the A paths).
# A $template directive must sit on one line.
ruleset(name="ARuleSet") {
$template A_PerHostAuth,"/logs/ARuleSet/%fromhost-ip%-%hostname%/auth.log"
$template A_PerHostMail,"/logs/ARuleSet/%fromhost-ip%-%hostname%/mail.log"
$template A_PerHostMailErr,"/logs/ARuleSet/%fromhost-ip%-%hostname%/mailerr.log"
$template A_PerHostSyslog,"/logs/ARuleSet/%fromhost-ip%-%hostname%/syslog"
$template A_PerHostRsyslog,"/logs/ARuleSet/%fromhost-ip%-%hostname%/rsyslog.log"
$template A_PerHostKern,"/logs/ARuleSet/%fromhost-ip%-%hostname%/kern.log"
*.info;auth,authpriv,kern,syslog,mail,local0,news.none -?A_PerHostSyslog
auth,authpriv.* ?A_PerHostAuth
mail.!err -?A_PerHostMail
mail.err -?A_PerHostMailErr
kern.* ?A_PerHostKern
syslog.* ?A_PerHostRsyslog
# "&" continues the previous selector, so this stop only applies to syslog.*
# messages; messages bound to this ruleset never fall through to another one
& stop
}
input(type="imudp" port="514" ruleset="ARuleSet")
B Division: /etc/rsyslog.d/02-BRuleSet.conf
ruleset(name="BRuleSet") {
# was "PerHostButh", which the auth selector below never referenced
$template B_PerHostAuth,"/logs/BRuleSet/%fromhost-ip%-%hostname%/auth.log"
$template B_PerHostMail,"/logs/BRuleSet/%fromhost-ip%-%hostname%/mail.log"
$template B_PerHostMailErr,"/logs/BRuleSet/%fromhost-ip%-%hostname%/mailerr.log"
$template B_PerHostSyslog,"/logs/BRuleSet/%fromhost-ip%-%hostname%/syslog"
$template B_PerHostRsyslog,"/logs/BRuleSet/%fromhost-ip%-%hostname%/rsyslog.log"
$template B_PerHostKern,"/logs/BRuleSet/%fromhost-ip%-%hostname%/kern.log"
*.info;auth,authpriv,kern,syslog,mail,local0,news.none -?B_PerHostSyslog
auth,authpriv.* ?B_PerHostAuth
mail.!err -?B_PerHostMail
mail.err -?B_PerHostMailErr
kern.* ?B_PerHostKern
syslog.* ?B_PerHostRsyslog
& stop
}
input(type="imudp" port="601" ruleset="BRuleSet")
input(type="imtcp" port="601" ruleset="BRuleSet")
C Division: /etc/rsyslog.d/03-CRuleSet.conf
ruleset(name="CRuleSet") {
$template C_PerHostAuth,"/logs/CRuleSet/%fromhost-ip%-%hostname%/auth.log"
$template C_PerHostSyslog,"/logs/CRuleSet/%fromhost-ip%-%hostname%/syslog"
auth,authpriv.* ?C_PerHostAuth
*.*;auth,authpriv.none -?C_PerHostSyslog
& stop
}
input(type="imrelp" port="12514" ruleset="CRuleSet")
Someone on the IRC channel tried to give a clue with a filter condition using
the property $fromhost-ip startswith '10.10.1.' and then logging to 01-ARuleSet,
but the final result of that filter is that all logging goes to the folder
/logs/ARuleSet, not the B or even the C ruleset folder.
Someone also suggested that I save the syslog of each box/server to a single
file rather than separate files in each folder. If that is possible, I still
want to aggregate in a single folder with all the detailed logs, but each
division will only open the folders correlated to them.
Any clue or direction or even best practice for this configuration would be
appreciated, thanks.
*Best regards,*
*chika.tambun*
*"Winning loves preparation"*
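One way to build the setup the post asks for, as an added example rather than the poster's files or anything shipped by the rsyslog project: uniquely named top-level templates, one ruleset per listening port, a per-division source-address sanity check, a root-only aggregate tree, and per-division directory trees whose group ownership is what actually limits which folder each division can open. The paths under /logs, the group names div-a, div-b and div-c, and the single-file layout are assumptions for illustration; the ports, network blocks and input types are the ones from the post.

```rsyslog
# /etc/rsyslog.d/10-divisions.conf  (added example; paths, group names and
# ruleset names are assumptions, adjust to the real environment)
module(load="imudp")
module(load="imtcp")
module(load="imrelp")

# Templates are global objects in rsyslog, so every division gets its own
# uniquely named template instead of reusing one name in each ruleset.
template(name="A_Syslog" type="string" string="/logs/A/%fromhost-ip%-%hostname%/syslog")
template(name="A_Auth"   type="string" string="/logs/A/%fromhost-ip%-%hostname%/auth.log")
template(name="B_Syslog" type="string" string="/logs/B/%fromhost-ip%-%hostname%/syslog")
template(name="B_Auth"   type="string" string="/logs/B/%fromhost-ip%-%hostname%/auth.log")
template(name="C_Syslog" type="string" string="/logs/C/%fromhost-ip%-%hostname%/syslog")
template(name="C_Auth"   type="string" string="/logs/C/%fromhost-ip%-%hostname%/auth.log")
# One aggregate tree holding every message, for the central log team only.
template(name="All_Syslog" type="string" string="/logs/all/%fromhost-ip%-%hostname%/syslog")

# Central copy: root-owned, mode 0700/0600, no division can open it.
# dirOwner/dirGroup/fileOwner/fileGroup only take effect while rsyslog still
# has the privilege to chown, i.e. it has not dropped to an unprivileged user.
ruleset(name="aggregate") {
    action(type="omfile" dynaFile="All_Syslog"
           dirCreateMode="0700" fileCreateMode="0600"
           dirOwner="root" dirGroup="root" fileOwner="root" fileGroup="root")
}

# Division A: UDP/514, block 10.10.0.0/16, readable by group div-a.
ruleset(name="ARuleSet") {
    # The port already implies the division; this additionally drops anything
    # not sourced from A's block so a misrouted sender cannot land in A's tree.
    # UDP source addresses are unauthenticated, so treat it as a sanity check,
    # not as a trust boundary.
    if not ($fromhost-ip startswith "10.10.") then stop
    call aggregate
    if prifilt("auth,authpriv.*") then {
        action(type="omfile" dynaFile="A_Auth"
               dirCreateMode="0750" fileCreateMode="0640"
               dirOwner="root" dirGroup="div-a" fileOwner="root" fileGroup="div-a")
        stop
    }
    action(type="omfile" dynaFile="A_Syslog"
           dirCreateMode="0750" fileCreateMode="0640"
           dirOwner="root" dirGroup="div-a" fileOwner="root" fileGroup="div-a")
}

# Division B: UDP+TCP/601, block 10.20.0.0/16, readable by group div-b.
ruleset(name="BRuleSet") {
    if not ($fromhost-ip startswith "10.20.") then stop
    call aggregate
    if prifilt("auth,authpriv.*") then {
        action(type="omfile" dynaFile="B_Auth"
               dirCreateMode="0750" fileCreateMode="0640"
               dirOwner="root" dirGroup="div-b" fileOwner="root" fileGroup="div-b")
        stop
    }
    action(type="omfile" dynaFile="B_Syslog"
           dirCreateMode="0750" fileCreateMode="0640"
           dirOwner="root" dirGroup="div-b" fileOwner="root" fileGroup="div-b")
}

# Division C: RELP/12514 (as in the post), block 10.30.0.0/16, group div-c.
ruleset(name="CRuleSet") {
    if not ($fromhost-ip startswith "10.30.") then stop
    call aggregate
    if prifilt("auth,authpriv.*") then {
        action(type="omfile" dynaFile="C_Auth"
               dirCreateMode="0750" fileCreateMode="0640"
               dirOwner="root" dirGroup="div-c" fileOwner="root" fileGroup="div-c")
        stop
    }
    action(type="omfile" dynaFile="C_Syslog"
           dirCreateMode="0750" fileCreateMode="0640"
           dirOwner="root" dirGroup="div-c" fileOwner="root" fileGroup="div-c")
}

# Each listener is bound directly to its division's ruleset, so a message
# never reaches the default ruleset or another division's rules.
input(type="imudp"  port="514"   ruleset="ARuleSet")
input(type="imudp"  port="601"   ruleset="BRuleSet")
input(type="imtcp"  port="601"   ruleset="BRuleSet")
input(type="imrelp" port="12514" ruleset="CRuleSet")
```

The separation a division actually experiences comes from the filesystem, not from rsyslog: /logs/A is group div-a with mode 0750, so members of div-b have no way to list or read it, while /logs/all stays root-only for whoever operates the server. The `call aggregate` line gives the single-folder copy the post asks about without sacrificing the per-division trees; remove it if only the split trees are wanted. Run `rsyslogd -N1` after installing the file to have rsyslog parse the configuration and report any template or ruleset error before restarting the service.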
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.