Well, you say that anything that arrives via TCP or UDP should be processed by
BRuleSet, and everything that arrives via RELP should be processed by
CRuleSet, so if all your messages are arriving via RELP, it's doing exactly what
you told it to do.
Where do you think you have some tests that check the fromhost-ip and call
different rulesets?
I also think you are confusing yourself by making different files. Rsyslog
doesn't care what's in what file, it combines them all before evaluating
anything.
So start off by combining everything into one file, move all the input()
statements above any ruleset definitions, and I think the problem with your
current logic (or lack of logic) is going to be obvious.
Somewhere you need to have some if statements to decide what to do with the log
line and then call the particular ruleset to output it.
David Lang
On Mon, 19 Oct 2015, chika tambun wrote:
Date: Mon, 19 Oct 2015 10:46:35 +0700
From: chika tambun <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: [email protected]
Subject: [rsyslog] [Conf] Rsyslog Filter on specific Directory folder
I have a single rsyslog server for 3 divisions at my office.
The server opens UDP port 514 for division A (network block 10.10.1.1/16),
UDP/TCP port 601 for B (network block 10.20.1.1/16), and TCP port 12514 for
division C (network block 10.30.1.1/16).
I want to give each division a separate folder so it will only see the
syslog correlated with its own boxes. So I created 3 ruleset files in
rsyslog.d/
A Division: /etc/rsyslog.d/01-ARuleSet.conf
ruleset(name="ARuleSet") {
    $template PerHostAuth,"/logs/ARuleSet/%fromhost-ip%-%hostname%/auth.log"
    $template PerHostMail,"/logs/ARuleSet/%fromhost-ip%-%hostname%/mail.log"
    $template PerHostMailErr,"/logs/ARuleSet/%fromhost-ip%-%hostname%/mailerr.log"
    $template PerHostSyslog,"/logs/ARuleSet/%fromhost-ip%-%hostname%/syslog"
    $template PerHostRsyslog,"/logs/ARuleSet/%fromhost-ip%-%hostname%/rsyslog.log"
    $template PerHostKern,"/logs/ARuleSet/%fromhost-ip%-%hostname%/kern.log"

    *.info;auth,authpriv,kern,syslog,mail,local0,news.none  -?PerHostSyslog
    auth,authpriv.*                                         ?PerHostAuth
    mail.!err                                               -?PerHostMail
    mail.err                                                -?PerHostMailErr
    kern.*                                                  ?PerHostKern
    syslog.*                                                ?PerHostRsyslog
    & stop
}
input(type="imudp" port="514" ruleset="ARuleSet")
B Division: /etc/rsyslog.d/02-BRuleSet.conf
ruleset(name="BRuleSet") {
    # the auth template was declared as "PerHostButh" but referenced below as
    # "PerHostAuth"; the name is corrected here so the selector resolves
    $template PerHostAuth,"/logs/BRuleSet/%fromhost-ip%-%hostname%/auth.log"
    $template PerHostMail,"/logs/BRuleSet/%fromhost-ip%-%hostname%/mail.log"
    $template PerHostMailErr,"/logs/BRuleSet/%fromhost-ip%-%hostname%/mailerr.log"
    $template PerHostSyslog,"/logs/BRuleSet/%fromhost-ip%-%hostname%/syslog"
    $template PerHostRsyslog,"/logs/BRuleSet/%fromhost-ip%-%hostname%/rsyslog.log"
    $template PerHostKern,"/logs/BRuleSet/%fromhost-ip%-%hostname%/kern.log"

    *.info;auth,authpriv,kern,syslog,mail,local0,news.none  -?PerHostSyslog
    auth,authpriv.*                                         ?PerHostAuth
    mail.!err                                               -?PerHostMail
    mail.err                                                -?PerHostMailErr
    kern.*                                                  ?PerHostKern
    syslog.*                                                ?PerHostRsyslog
    & stop
}
input(type="imudp" port="601" ruleset="BRuleSet")
input(type="imtcp" port="601" ruleset="BRuleSet")
C Division: /etc/rsyslog.d/03-CRuleSet.conf
ruleset(name="CRuleSet") {
    $template PerHostAuth,"/logs/CRuleSet/%fromhost-ip%-%hostname%/auth.log"
    $template PerHostSyslog,"/logs/CRuleSet/%fromhost-ip%-%hostname%/syslog"

    auth,authpriv.*             ?PerHostAuth
    *.*;auth,authpriv.none      -?PerHostSyslog
    & stop
}
input(type="imrelp" port="12514" ruleset="CRuleSet")
Someone on the IRC channel tried to give a clue with a filter condition using
the property $fromhost-ip startswith '10.10.1.' then log to 01-ARuleSet, but
in the final filter result all logging goes to the folder /logs/ARuleSet, not
the B or even the C ruleset.
Someone also suggested that I save the syslog of each box/server to a single
file rather than a separate file in each folder. If that is possible, I still
want to aggregate in a single folder with all the detailed logs, but each
division will only open the folders correlated to it.
Any clue or direction or even best practice for this configuration would be
appreciated, thanks
*Best regards,*
*chika.tambun*
*"Winning loves preparation"*
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
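As an added illustration of the combined single-file layout David describes (this is editor-supplied example configuration, not the poster's files or anything from the rsyslog project), the rulesets and inputs from the three files above are merged into one file, with the input() bindings placed above the rulesets. Assumptions beyond the thread: the file name 10-divisions.conf, a quarantine directory named "unexpected-source", the /16 prefixes taken from the poster's description (10.10., 10.20., 10.30.), and an rsyslog version with RainerScript `call`, `else if` and message-local `$.` variables (v8 era, which is current for a 2015 thread). The example goes slightly beyond the thread: the three copy-pasted template sets collapse into one parameterised set, the same routing is applied to division C as to A and B, and each entry ruleset checks the sender's address so a host from one division's network that reaches another division's port is written to a quarantine directory rather than into a folder that division can read. The sender check is a sanity check, not authentication: a UDP source address can be forged, whereas the RELP/TCP listeners at least require a completed connection.

```rsyslog
# /etc/rsyslog.d/10-divisions.conf  (assumed name; added example, not the poster's config)
# Order follows David's advice: modules, then input() bindings, then the rulesets they name.
module(load="imudp")
module(load="imtcp")
module(load="imrelp")

# Each listener is bound to its division's ruleset, so nothing depends on which
# file a rule lives in and no message falls through to the default ruleset.
input(type="imudp"  port="514"   ruleset="ARuleSet")
input(type="imudp"  port="601"   ruleset="BRuleSet")
input(type="imtcp"  port="601"   ruleset="BRuleSet")
input(type="imrelp" port="12514" ruleset="CRuleSet")

# One template set for every division. The directory comes from the message-local
# variable $.division that the entry rulesets set below. %hostname% is taken from
# the message itself, so secpath-replace strips path separators before it is used
# as a directory component.
template(name="PerHostAuth"    type="string" string="/logs/%$.division%/%fromhost-ip%-%hostname:::secpath-replace%/auth.log")
template(name="PerHostMail"    type="string" string="/logs/%$.division%/%fromhost-ip%-%hostname:::secpath-replace%/mail.log")
template(name="PerHostMailErr" type="string" string="/logs/%$.division%/%fromhost-ip%-%hostname:::secpath-replace%/mailerr.log")
template(name="PerHostKern"    type="string" string="/logs/%$.division%/%fromhost-ip%-%hostname:::secpath-replace%/kern.log")
template(name="PerHostRsyslog" type="string" string="/logs/%$.division%/%fromhost-ip%-%hostname:::secpath-replace%/rsyslog.log")
template(name="PerHostSyslog"  type="string" string="/logs/%$.division%/%fromhost-ip%-%hostname:::secpath-replace%/syslog")

# Entry rulesets, one per listener. The "if" on $fromhost-ip is the test David
# asks about: a sender outside the division's /16 is labelled for quarantine
# (directory name assumed) instead of being filed where that division can see it.
ruleset(name="ARuleSet") {
    if $fromhost-ip startswith "10.10." then { set $.division = "ARuleSet"; }
    else { set $.division = "unexpected-source"; }
    call PerDivision
}
ruleset(name="BRuleSet") {
    if $fromhost-ip startswith "10.20." then { set $.division = "BRuleSet"; }
    else { set $.division = "unexpected-source"; }
    call PerDivision
}
ruleset(name="CRuleSet") {
    if $fromhost-ip startswith "10.30." then { set $.division = "CRuleSet"; }
    else { set $.division = "unexpected-source"; }
    call PerDivision
}

# The routing itself, written once: the poster's legacy selectors translated to
# RainerScript. "mail.!err" means mail below err, i.e. numeric severity > 3;
# "*.info" means numeric severity <= 6.
ruleset(name="PerDivision") {
    if $syslogfacility-text == "auth" or $syslogfacility-text == "authpriv" then {
        action(type="omfile" dynaFile="PerHostAuth")
    } else if $syslogfacility-text == "mail" then {
        if $syslogseverity <= 3 then { action(type="omfile" dynaFile="PerHostMailErr") }
        else { action(type="omfile" dynaFile="PerHostMail") }
    } else if $syslogfacility-text == "kern" then {
        action(type="omfile" dynaFile="PerHostKern")
    } else if $syslogfacility-text == "syslog" then {
        action(type="omfile" dynaFile="PerHostRsyslog")
    } else if $syslogseverity <= 6
          and not ($syslogfacility-text == "local0" or $syslogfacility-text == "news") then {
        # everything else at info or above, minus the facilities the poster excluded
        action(type="omfile" dynaFile="PerHostSyslog")
    }
    stop
}
```

With this layout each division's operators get read access to /logs/<Division>/ only, and anything written under /logs/unexpected-source/ is worth an alert, since it means a host is sending to a port that was not provisioned for its network. Check the result with `rsyslogd -N1` before restarting, and confirm the bindings by sending a test message to each port from a host inside and one outside the expected /16.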