On Mar 9, 2016, at 4:21 PM, Jon Bogaty <[email protected]> wrote:
>
> So for some reason I'm completely stumped on what I feel like should be
> fairly simple. I grok rulesets for local files but am having trouble
> wrapping my head around forwarding anything more restricted than all the
> logs from a rsyslog gateway between a third party vendor and our internal
> log clients.
>
> The gateway should be forwarding the logs forwarded to it only. If there is
> a way to include in the scope using multirulesets the rsyslog process log
> in addition to the forwards that'd be awesome so that there is some kind of
> monitoring for the gateway but again, meshing rules for local files and
> remote sources is confusing.
>
> Anybody who can help?

One way to go would be to attach a ruleset to an interface. So if you receive UDP and/or TCP and want to forward those logs, only the forwarding action needs to be in that ruleset. This can be specific to IP address as well. Logs received locally via syslog() (or perhaps via localhost at 127.0.0.1; I've seen this before) could have a different ruleset that does not have a forwarding action. I'm pretty sure you also can have multiple inputs feeding the same ruleset.

Another way to do it would be to use some kind of filtering logic to identify the logs you want to forward (perhaps they all come from a single remote host), and call a separate ruleset for just that case (which would exempt them from the 'default' case.)

Sorry I don't have time to provide more details at the moment, but if this doesn't help point you in the right direction I can try to provide an example later on.

- Dave Caplinger
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
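
The two approaches described in the reply above, combined in one rsyslog configuration: network inputs bound to a forward-only ruleset, plus a filter in the default ruleset that calls the same ruleset for the gateway's own rsyslogd messages. This is an added example, not configuration from the thread or from the rsyslog project; the target host, ports, file path and ruleset name are placeholders, and it assumes rsyslog's own messages reach the default ruleset with programname `rsyslogd`.

```rsyslog
# Added example (constructed): gateway that relays only what it receives
# over the network, plus its own rsyslogd messages for monitoring.

module(load="imuxsock")   # local syslog() socket -> default ruleset
module(load="imudp")
module(load="imtcp")

# Forward-only ruleset. It must be defined before the inputs and the
# "call" statement that reference it.
ruleset(name="relay") {
    action(type="omfwd"
           target="logclient.example.internal"   # placeholder destination
           port="514"
           protocol="tcp"
           # Disk-assisted queue so a dead destination does not block
           # the listeners or silently drop vendor logs.
           queue.type="LinkedList"
           queue.filename="relay_fwd"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
}

# Both listeners feed the same ruleset. Messages arriving here never
# touch the default ruleset, so they are not written to local files.
input(type="imudp" port="514" ruleset="relay")
input(type="imtcp" port="514" ruleset="relay")

# --- Default ruleset: everything that did not come in via the inputs above ---

# Gateway self-monitoring: hand rsyslogd's own messages to the relay
# ruleset as well, then continue so they are also kept locally.
if $programname == 'rsyslogd' then {
    call relay
}

# All other local messages stay on the gateway; no forwarding action here.
*.* action(type="omfile" file="/var/log/gateway-local.log")   # placeholder path
```

Running `rsyslogd -N1` against the file checks the syntax and ruleset references without starting the daemon.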

