Agreed 100%. An upgrade is likely in the works in the future; however, for today I needed to see if there was a way to do what we needed. I was glad that we could solve the immediate need.
Thanks, R. Singh Sr. Systems Administrator Middleware/PTC Support 904-633-5745 RC Offering: SC07507098 H0\/\/ T0/\/\0RR0\/\/ /\/\0\/35 "Give instruction to a wise man, and he will be yet wiser : teach a just man, and he will increase in learning." - Proverbs 9:9 -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of David Lang Sent: Wednesday, May 04, 2016 4:04 PM To: rsyslog-users Subject: Re: [rsyslog] Remote messages getting into local logs rulesets were there in late 5.x, but their use was _very_ messy and hard to understand (there is a reason the new config syntax was introduced in 6.x) you would have to do the if..then..else syntax otherwise. You really should upgrade your central server to a current version, even if you don't upgrade anything else. I'm also pretty sure that RedHat introduced 7.x as an option late in the RHEL5 timeframe. There are just a huge number of fixes, performance improvements, and new features available in current versions. Sticking with 5.x is going to have you continually run into problems where the answers that we give are not going to work. David Lang On Wed, 4 May 2016, Singh, Radesh wrote: > Date: Wed, 4 May 2016 19:42:46 +0000 > From: "Singh, Radesh" <[email protected]> > Reply-To: rsyslog-users <[email protected]> > To: rsyslog-users <[email protected]> > Subject: Re: [rsyslog] Remote messages getting into local logs > > Bummer... so can I do what we want to do without upgrading? > > R. Singh > Sr. Systems Administrator > Middleware/PTC Support > 904-633-5745 > > RC Offering: SC07507098 > > > H0\/\/ T0/\/\0RR0\/\/ /\/\0\/35 > > "Give instruction to a wise man, and he will be yet wiser : teach a > just man, and he will increase in learning." - Proverbs 9:9 > > > -----Original Message----- > From: [email protected] > [mailto:[email protected]] On Behalf Of David Lang > Sent: Wednesday, May 04, 2016 3:37 PM > To: rsyslog-users > Subject: Re: [rsyslog] Remote messages getting into local logs > > Yes, you need to be using at least 7.x (current is 8.18) > > David Lang > > On Wed, 4 May 2016, Singh, Radesh wrote: > >> Date: Wed, 4 May 2016 19:32:18 +0000 >> From: "Singh, Radesh" <[email protected]> >> Reply-To: rsyslog-users <[email protected]> >> To: rsyslog-users <[email protected]> >> Subject: Re: [rsyslog] Remote messages getting into local logs >> >> Rsyslog doesn't like my syntax: >> >> [root at PTC_UAT_LOGHOST rsyslog.d]$ rsyslogd -N2 >> rsyslogd: version 5.8.10, config validation run (level 2), master >> config /etc/rsyslog.conf >> rsyslogd: WARNING: rsyslogd is running in compatibility mode. Automatically >> generated config directives may interfer with your rsyslog.conf settings. We >> suggest upgrading your config and adding -c5 as the first rsyslogd option. >> rsyslogd: unknown priority name "" [try >> http://secure-web.cisco.com/1-flZtEcVu13PuDqJJOFpJ5Ic783Ttc-rN9lsBmKi >> 3 >> xMXWYiv8CH3X7-ddpLEYfTw_0v4qOEZKdQCpvLErHBBxAdwZk3MKuSh1MRK3_0v8m96_k >> 5 >> vZ2IKFM23TaGrpF7Ei6rJK3EO5_YSjY8DknVbOJBGhjwKd3A00PtNo_ZgPBohbercjhRR >> - >> FBWB8oowNEG8E59t_dc0cIpaVw45MnT9is9t99C9KeGlHonfsgBHd0FMeSmxxyEL25feI >> w >> be8Q03oTPzgoR4DiUf2Pw2utBM-MLRUmQzGC90PhI6SmpayZveLWWDkYAXfn-Oo8pcI1Y >> 6 >> Yy306TJgqpX15Yvrd_-mVMoJaHfHlmAn45tAwBR3Wt0f6iL7gFvTaT0N02VMo1K/http% >> 3 >> A%2F%2Fhttp://secure-web.cisco.com/1ul8T2f-pBCZvsnzERC1rffnv8-2oe_b8Y >> xnIJpAcwr8ti_8ic74cLuPEVAHheDnv9dI0uhcER9WWhFsQPV7mGOenpAG_WmRQ9d4GKj >> BbdcucEBuhjyTt31FpzOBg1aY8KlU2wQ8B95CuTbAzuJKLTUfjF_Ig3rj7MMeQZCLnc36 >> cMYGikNExd2JU4eGGl4ZDVbQTwViIzter19jlYh4oNRMzK0G0uPJKwsXoqtP5DVkFtDEC >> LxjywzjvcUmo1LJ4InRqQ9kYOgzKlVm1ms-Ssk4F8B6YyEoYPdO5k1IyDaUmm-oFoUwuU >> 6AZdBywKDg3VOsSD29XkmJoCdBLYhLrfnSutwELNk6xf-Ygadv_l4qrqPSG_wejMUwSBq >> RksGoi/http%3A%2F%2Fwww.rsyslog.com%2Fe%2F3000 ] >> rsyslogd: the last error occured in /etc/rsyslog.d/remotes.conf, line >> 10:"input(type="imtcp" port="514" ruleset="inbound") input(type="imudp" >> port="514" ruleset="inbound")" >> rsyslogd: warning: selector line without actions will be discarded >> rsyslogd: unknown priority name "type="FixedArray"){" [try >> http://secure-web.cisco.com/1-flZtEcVu13PuDqJJOFpJ5Ic783Ttc-rN9lsBmKi >> 3 >> xMXWYiv8CH3X7-ddpLEYfTw_0v4qOEZKdQCpvLErHBBxAdwZk3MKuSh1MRK3_0v8m96_k >> 5 >> vZ2IKFM23TaGrpF7Ei6rJK3EO5_YSjY8DknVbOJBGhjwKd3A00PtNo_ZgPBohbercjhRR >> - >> FBWB8oowNEG8E59t_dc0cIpaVw45MnT9is9t99C9KeGlHonfsgBHd0FMeSmxxyEL25feI >> w >> be8Q03oTPzgoR4DiUf2Pw2utBM-MLRUmQzGC90PhI6SmpayZveLWWDkYAXfn-Oo8pcI1Y >> 6 >> Yy306TJgqpX15Yvrd_-mVMoJaHfHlmAn45tAwBR3Wt0f6iL7gFvTaT0N02VMo1K/http% >> 3 >> A%2F%2Fhttp://secure-web.cisco.com/1ul8T2f-pBCZvsnzERC1rffnv8-2oe_b8Y >> xnIJpAcwr8ti_8ic74cLuPEVAHheDnv9dI0uhcER9WWhFsQPV7mGOenpAG_WmRQ9d4GKj >> BbdcucEBuhjyTt31FpzOBg1aY8KlU2wQ8B95CuTbAzuJKLTUfjF_Ig3rj7MMeQZCLnc36 >> cMYGikNExd2JU4eGGl4ZDVbQTwViIzter19jlYh4oNRMzK0G0uPJKwsXoqtP5DVkFtDEC >> LxjywzjvcUmo1LJ4InRqQ9kYOgzKlVm1ms-Ssk4F8B6YyEoYPdO5k1IyDaUmm-oFoUwuU >> 6AZdBywKDg3VOsSD29XkmJoCdBLYhLrfnSutwELNk6xf-Ygadv_l4qrqPSG_wejMUwSBq >> RksGoi/http%3A%2F%2Fwww.rsyslog.com%2Fe%2F3000 ] >> rsyslogd: the last error occured in /etc/rsyslog.d/remotes.conf, line >> 12:"ruleset(name="inbound" queue.type="FixedArray"){" >> rsyslogd: warning: selector line without actions will be discarded >> rsyslogd: unknown priority name "" [try >> http://secure-web.cisco.com/1-flZtEcVu13PuDqJJOFpJ5Ic783Ttc-rN9lsBmKi >> 3 >> xMXWYiv8CH3X7-ddpLEYfTw_0v4qOEZKdQCpvLErHBBxAdwZk3MKuSh1MRK3_0v8m96_k >> 5 >> vZ2IKFM23TaGrpF7Ei6rJK3EO5_YSjY8DknVbOJBGhjwKd3A00PtNo_ZgPBohbercjhRR >> - >> FBWB8oowNEG8E59t_dc0cIpaVw45MnT9is9t99C9KeGlHonfsgBHd0FMeSmxxyEL25feI >> w >> be8Q03oTPzgoR4DiUf2Pw2utBM-MLRUmQzGC90PhI6SmpayZveLWWDkYAXfn-Oo8pcI1Y >> 6 >> Yy306TJgqpX15Yvrd_-mVMoJaHfHlmAn45tAwBR3Wt0f6iL7gFvTaT0N02VMo1K/http% >> 3 >> A%2F%2Fhttp://secure-web.cisco.com/1ul8T2f-pBCZvsnzERC1rffnv8-2oe_b8Y >> xnIJpAcwr8ti_8ic74cLuPEVAHheDnv9dI0uhcER9WWhFsQPV7mGOenpAG_WmRQ9d4GKj >> BbdcucEBuhjyTt31FpzOBg1aY8KlU2wQ8B95CuTbAzuJKLTUfjF_Ig3rj7MMeQZCLnc36 >> cMYGikNExd2JU4eGGl4ZDVbQTwViIzter19jlYh4oNRMzK0G0uPJKwsXoqtP5DVkFtDEC >> LxjywzjvcUmo1LJ4InRqQ9kYOgzKlVm1ms-Ssk4F8B6YyEoYPdO5k1IyDaUmm-oFoUwuU >> 6AZdBywKDg3VOsSD29XkmJoCdBLYhLrfnSutwELNk6xf-Ygadv_l4qrqPSG_wejMUwSBq >> RksGoi/http%3A%2F%2Fwww.rsyslog.com%2Fe%2F3000 ] >> rsyslogd: the last error occured in /etc/rsyslog.d/remotes.conf, line 21:"}" >> rsyslogd: warning: selector line without actions will be discarded >> rsyslogd: the last error occured in /etc/rsyslog.conf, line >> 35:"$IncludeConfig /etc/rsyslog.d/*.conf" >> rsyslogd: CONFIG ERROR: could not interpret master config file >> '/etc/rsyslog.conf'. [try >> http://secure-web.cisco.com/1ya_3awlRyHJY4pJ5xBdaeSbabU9qq7ruMBPltDdo >> b >> SsjyLK54oipjv28RxNybQ3emKl-zj2JI6XtLziIny1mNnXLMbGRJZIqAbeqLXHc2FIMrD >> T >> 10luKHUvdFvku1UgbkN0Hf2bMHGyNxTltCoV11fYMeAfZZvDseCcZHgdFeb-CxvcwRfBn >> 4 >> kzJjQbBrFiE4Yrrlksw4AYSCWsS3z8faLUJC2_BXSjvahTN6YzdVsva0RIQxEYHwyk6tV >> Y >> aq1NVifFmm0A5HxY1hwPpB7drYvjifI8vC_J8gDSzKhzfjswzov514INMzAoE9mUnUPTJ >> U >> -A_gZ61LKqLS--TSIbY4JklHqrskGNSnKLFzr01cx3JTk1GE9T0vyvMZ6Rbt0iX/http% >> 3 >> A%2F%2Fhttp://secure-web.cisco.com/1ul8T2f-pBCZvsnzERC1rffnv8-2oe_b8Y >> xnIJpAcwr8ti_8ic74cLuPEVAHheDnv9dI0uhcER9WWhFsQPV7mGOenpAG_WmRQ9d4GKj >> BbdcucEBuhjyTt31FpzOBg1aY8KlU2wQ8B95CuTbAzuJKLTUfjF_Ig3rj7MMeQZCLnc36 >> cMYGikNExd2JU4eGGl4ZDVbQTwViIzter19jlYh4oNRMzK0G0uPJKwsXoqtP5DVkFtDEC >> LxjywzjvcUmo1LJ4InRqQ9kYOgzKlVm1ms-Ssk4F8B6YyEoYPdO5k1IyDaUmm-oFoUwuU >> 6AZdBywKDg3VOsSD29XkmJoCdBLYhLrfnSutwELNk6xf-Ygadv_l4qrqPSG_wejMUwSBq >> RksGoi/http%3A%2F%2Fwww.rsyslog.com%2Fe%2F2124 ] >> rsyslogd: Warning: backward compatibility layer added to following >> directive to rsyslog.conf: ModLoad immark >> rsyslogd: Warning: backward compatibility layer added to following >> directive to rsyslog.conf: MarkMessagePeriod 1200 >> rsyslogd: Warning: backward compatibility layer added to following >> directive to rsyslog.conf: ModLoad imuxsock >> >> $template >> remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log" >> $template >> remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log" >> $template >> remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log" >> $template >> remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log" >> $template >> remote-maillog,"/var/remote/log/%HOSTNAME%/%$NOW%/maillog-%HOSTNAME%-%$NOW%.log" >> $template >> remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log" >> $template >> remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log" >> $template >> remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log" >> >> input(type="imtcp" port="514" ruleset="inbound") input(type="imudp" >> port="514" ruleset="inbound") >> >> ruleset(name="inbound" queue.type="FixedArray"){ >> user.*;daemon.*;syslog.* ?remote-messages >> kern.* ?remote-kernel >> *.emerg ?remote-emerg >> authpriv.* ?remote-secure >> mail.* -?remote-maillog >> cron.* ?remote-cron >> uucp,news.crit ?remote-spooler >> local7.* ?remote-bootlog >> } >> >> I'm betting this is b/c I'm using using 5.8.10. >> >> Going to try some syntax I see here: >> >> http://secure-web.cisco.com/100Kd-K2EYkolEJwOYRrKISwA9ClF699uhqvzh9I_ >> i >> qJsuH6lQ5ALgzXFJBBPtNS8NT8Jlr91S0ctW7vJegQjTnPY0mrJOOcT4FY7kFpM5XWd3P >> 2 >> oM1NuRoP7KRe5TvQL7K5D1bYOqd8V68Ki28e11GQGpEhtWmpcvNrgPWBCETJw1n4FK_6U >> x >> c2nDb7ZK6IR-BnI_5YsOuZ9y7WOlI2WlTSBsWd3GTri1cjX40S_3LC64eVWcCIw4uzTk9 >> q >> Yu3IvuyFH57YnSFdK20QMZTGVSWfDpm3dMYR-NAd0k1oudQUHHnw9Ruoj5B19goW9WsQq >> F >> htmCyOD3Wm3ffHOIL6RwRFpI3Oib0QRTHcC0Sap8DTT-9AKEnLLtxYqha62oYKC/http% >> 3 >> A%2F%2Fhttp://secure-web.cisco.com/1ul8T2f-pBCZvsnzERC1rffnv8-2oe_b8Y >> xnIJpAcwr8ti_8ic74cLuPEVAHheDnv9dI0uhcER9WWhFsQPV7mGOenpAG_WmRQ9d4GKj >> BbdcucEBuhjyTt31FpzOBg1aY8KlU2wQ8B95CuTbAzuJKLTUfjF_Ig3rj7MMeQZCLnc36 >> cMYGikNExd2JU4eGGl4ZDVbQTwViIzter19jlYh4oNRMzK0G0uPJKwsXoqtP5DVkFtDEC >> LxjywzjvcUmo1LJ4InRqQ9kYOgzKlVm1ms-Ssk4F8B6YyEoYPdO5k1IyDaUmm-oFoUwuU >> 6AZdBywKDg3VOsSD29XkmJoCdBLYhLrfnSutwELNk6xf-Ygadv_l4qrqPSG_wejMUwSBq >> RksGoi/http%3A%2F%2Fwww.rsyslog.com%2Fdoc%2Fv5-stable%2Fconcepts%2Fmu >> lti_ruleset.ht >> ml >> >> R. Singh >> Sr. Systems Administrator >> Middleware/PTC Support >> 904-633-5745 >> >> RC Offering: SC07507098 >> >> >> H0\/\/ T0/\/\0RR0\/\/ /\/\0\/35 >> >> "Give instruction to a wise man, and he will be yet wiser : teach a >> just man, and he will increase in learning." - Proverbs 9:9 >> >> >> -----Original Message----- >> From: Singh, Radesh >> Sent: Wednesday, May 04, 2016 3:15 PM >> To: 'rsyslog-users' >> Subject: RE: [rsyslog] Remote messages getting into local logs >> >> David, >> >> So, this is the config I've got in mind: >> >> # rsyslog.conf >> $ModLoad imuxsock # provides support for local system logging (e.g. via >> logger command) >> $ModLoad imklog # provides kernel logging support (previously done by >> rklogd) >> $ModLoad imudp >> $UDPServerRun 514 >> $ModLoad imtcp >> $InputTCPServerRun 514 >> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat >> $IncludeConfig /etc/rsyslog.d/*.conf >> user.*;daemon.*;syslog.* /var/log/messages >> kern.* /var/log/kernel >> *.emerg /var/log/emerg >> authpriv.* /var/log/secure >> mail.* /var/log/maillog >> cron.* /var/log/cron >> uucp,news.crit /var/log/spool >> local7.* /var/log/bootlog >> >> # rsyslog.d/remote.conf >> $template >> remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log" >> $template >> remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log" >> $template >> remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log" >> $template >> remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log" >> $template >> remote-maillog,"/var/remote/log/%HOSTNAME%/%$NOW%/maillog-%HOSTNAME%-%$NOW%.log" >> $template >> remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log" >> $template >> remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log" >> $template >> remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log" >> >> input(type="imtcp" port="514" ruleset="inbound") input(type="imudp" >> port="514" ruleset="inbound") >> >> ruleset(name="inbound" queue.type="FixedArray"){ >> user.*;daemon.*;syslog.* ?remote-messages >> kern.* ?remote-kernel >> *.emerg ?remote-emerg >> authpriv.* ?remote-secure >> mail.* -?remote-maillog >> cron.* ?remote-cron >> uucp,news.crit ?remote-spooler >> local7.* ?remote-bootlog >> } >> >> Am I still over thinking it? >> >> R. Singh >> Sr. Systems Administrator >> Middleware/PTC Support >> 904-633-5745 >> >> RC Offering: SC07507098 >> >> >> H0\/\/ T0/\/\0RR0\/\/ /\/\0\/35 >> >> "Give instruction to a wise man, and he will be yet wiser : teach a >> just man, and he will increase in learning." - Proverbs 9:9 >> >> >> -----Original Message----- >> From: Singh, Radesh >> Sent: Wednesday, May 04, 2016 2:40 PM >> To: [email protected] >> Subject: RE: [rsyslog] Remote messages getting into local logs >> >> David, >> >> Thank you for clarifying all of that. >> >> Based on what we are trying to do, I think we'd want to go the route of >> using a ruleset. >> >> So, using something like: >> input(type="imtcp" port="514" ruleset="inbound" ) input(type="imudp" >> port="514" ruleset="inbound") >> >> ruleset(name="inbound" queue.type="FixedArray"){ >> actions >> } >> >> I'm translating that to: >> >> $template >> remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log" >> $template >> remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log" >> $template >> remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log" >> $template >> remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log" >> $template >> remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log" >> $template >> remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log" >> $template >> remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log" >> >> input(type="imtcp" port="514" ruleset="inbound") input(type="imudp" >> port="514" ruleset="inbound") >> >> ruleset(name="inbound" queue.type="FixedArray"){ >> user.*;daemon.*;syslog.* ?remote-messages >> kern.* ?remote-kernel >> *.emerg ?remote-emerg >> authpriv.* ?remote-secure >> mail.* -?remote-maillog >> cron.* ?remote-cron >> uucp,news.crit ?remote-spooler >> local7.* ?remote-bootlog >> } >> >> That should result in me capturing all messages that come in over TCP or >> UDP, and separate them out. >> >> What tells rsyslog to log local (those not coming in via TCP or UDP) >> messages to /var/log/...? >> >> Thanks, >> >> R. Singh >> Sr. Systems Administrator >> Middleware/PTC Support >> 904-633-5745 >> >> RC Offering: SC07507098 >> >> >> H0\/\/ T0/\/\0RR0\/\/ /\/\0\/35 >> >> "Give instruction to a wise man, and he will be yet wiser : teach a >> just man, and he will increase in learning." - Proverbs 9:9 >> >> >> -----Original Message----- >> From: [email protected] >> [mailto:[email protected]] On Behalf Of David Lang >> Sent: Wednesday, May 04, 2016 1:06 PM >> To: [email protected] >> Subject: Re: [rsyslog] Remote messages getting into local logs >> >> I'll bet that if you do rsyslogd -N2 it will report a lot of errors >> in the config >> >> you are mising filter types (and in any case, working harder than you >> need to) >> >> there are three classes of filters >> >> traditional pri filters >> >> user.* action >> >> old rsyslog filters >> >> :var, test, value action >> >> rainerscript filters >> >> if test then action >> >> you are trying to use the old rsyslog filters in rainerscript syntax, >> that doesn't work >> >> if $hostname == $$myhostname then { >> actions >> } else { >> actions >> } >> >> would be what you are trying to do. >> >> But if you really want to separate the traffic that arrives from >> remote systems completely from the traffic that is produced locally, >> the best way to do that is with a ruleset >> >> input(type="imtcp" port="514" ruleset="inbound" ) input(type="imudp" >> port="514" ruleset="inbound") >> >> ruleset(name="inbound" queue.type="FixedArray"){ >> actions >> } >> >> will effectivly split rsyslog into two complete stacks, one that >> processes locally generated messages with all the rules not defined >> in the inbound ruleset (and using the main queue), and a second that >> processes all messages that arrive via tcp or udp using the rules in >> the inbound ruleset (and using a separate queue) >> >> David Lang >> >> On Wed, 4 May 2016 16:38:34 +0000, Singh, Radesh wrote: >>> Hello, >>> >>> Perhaps I'm overthinking this, but as I've confused myself pretty >>> good, I'm reaching out to you guys. >>> >>> We noticed that our remote clients messages are flooding several of >>> our local log files (messages,kernel,bootlog) on our central rsyslog >>> server. >>> >>> We've been try to craft some rules to tell the rsyslog server that >>> the hostname is not your hostname, use a specific block to separate >>> the messages into their appropriate files, else, do the same type of >>> separation, but store the messages locally... >>> >>> I tried... >>> >>> $template >>> >>> remote-messages,"/var/remote/log/%HOSTNAME%/%$NOW%/messages-%HOSTNAME%-%$NOW%.log" >>> $template >>> >>> remote-kernel,"/var/remote/log/%HOSTNAME%/%$NOW%/kernel-%HOSTNAME%-%$NOW%.log" >>> $template >>> >>> remote-emerg,"/var/remote/log/%HOSTNAME%/%$NOW%/emerg-%HOSTNAME%-%$NOW%.log" >>> $template >>> >>> remote-secure,"/var/remote/log/%HOSTNAME%/%$NOW%/secure-%HOSTNAME%-%$NOW%.log" >>> $template >>> >>> remote-cron,"/var/remote/log/%HOSTNAME%/%$NOW%/cron-%HOSTNAME%-%$NOW%.log" >>> $template >>> >>> remote-spooler,"/var/remote/log/%HOSTNAME%/%$NOW%/spooler-%HOSTNAME%-%$NOW%.log" >>> $template >>> >>> remote-bootlog,"/var/remote/log/%HOSTNAME%/%$NOW%/bootlog-%HOSTNAME%-%$NOW%.log" >>> >>> $template local-messages,"/var/log/messages" >>> $template local-kernel,"/var/log/kernel" >>> $template local-emerg,"/var/log/emerg" >>> $template local-secure,"/var/log/secure" >>> $template local-maillog,"/var/log/maillog" >>> $template local-cron,"/var/log/cron" >>> $template local-spooler,"/var/log/spooler" >>> $template local-bootlog,"/var/log/bootlog" >>> >>> if :hostname,!isequal,$myhostname then { >>> user.*;daemon.*;syslog.* ?remote-messages >>> kern.* ?remote-kernel >>> *.emerg ?remote-emerg >>> authpriv.* ?remote-secure >>> mail.* -?remote-maillog >>> cron.* ?remote-cron >>> uucp,news.crit ?remote-spooler >>> local7.* ?remote-bootlog >>> } >>> else if :hostname,isequal,$myhostname then { >>> user.*;daemon.*;syslog.* ?local-messages >>> kern.* ?local-kernel >>> *.emerg ?local-emerg >>> authpriv.* ?local-secure >>> mail.* -?local-maillog >>> cron.* ?local-cron >>> uucp,news.crit ?local-spooler >>> local7.* ?local-bootlog >>> } >>> >>> But messages from remote hosts get written to /var/log/messages, >>> even though I thought I was telling rsyslog to filter on hostname, >>> and if the hostname is not my hostname use one of my ?remote definitions. >>> I tried using & ~ after my first line, but I find that if I do that >>> ... nothing gets written to the local messages file. >>> I'm doing this on RHEL 6.2, and rsyslog version is 5.8.10. >>> >>> Thank you, >>> >>> R. Singh >>> Sr. Systems Administrator >>> Middleware/PTC Support >>> 904-633-5745 >>> >>> RC Offering: SC07507098 >>> >>> [chessie] >>> |-| () \/\/ ~|~ () |\/| () /? /? () \/\/ |\/| () \/ [- _\~ >>> >>> >>> >>> >>> This email transmission and any accompanying attachments may contain >>> CSX privileged and confidential information intended only for the >>> use of the intended addressee. Any dissemination, distribution, >>> copying or action taken in reliance on the contents of this email by >>> anyone other than the intended recipient is strictly prohibited. If >>> you have received this email in error please immediately delete it >>> and notify sender at the above CSX email address. Sender and CSX >>> accept no liability for any damage caused directly or indirectly by >>> receipt of this email. >> >> _______________________________________________ >> rsyslog mailing list >> BLOCKEDlists[.]adiscon[.]net/mailman/listinfo/rsyslogBLOCKED >> http://secure-web.cisco.com/1xGGnjSh9RR0y9rgx38zhuymGGNvuKuRCAR_z7i9J >> 4 >> Yn4zD1vrveKaihdGx3JedcKCvkNFBxiQQjmCOd0j1txaq0XXfVbdukHhfiSCcWgPOP25b >> y >> T1N_28l_4ON11xwTa2os6nW2bRAbUYXssRPv3wvQnrvm8ZzCXtOHwGONSA3SCjiMSNi08 >> M >> M6TaKzaOkD03_s7wi9z7XCSLiEBsRnnCqwRSU2U2EJwHK9Y45_VeoyaLJ8gYj2bCZYXes >> 3 >> riOxEZtfn4nwdnJ3x1ksA5LhDiPYPqvwksTkgOXeGl-RsALio_xvt06uQ1x-Qs1VKm6Hu >> R >> R-wPUlI6tPrvOprmD2kB8IcTPvtPxBkfjtVU5BpEZVIgCJmZSTxU2CCM44nyhVa/http% >> 3 >> A%2F%2Fhttp://secure-web.cisco.com/1ul8T2f-pBCZvsnzERC1rffnv8-2oe_b8Y >> xnIJpAcwr8ti_8ic74cLuPEVAHheDnv9dI0uhcER9WWhFsQPV7mGOenpAG_WmRQ9d4GKj >> BbdcucEBuhjyTt31FpzOBg1aY8KlU2wQ8B95CuTbAzuJKLTUfjF_Ig3rj7MMeQZCLnc36 >> cMYGikNExd2JU4eGGl4ZDVbQTwViIzter19jlYh4oNRMzK0G0uPJKwsXoqtP5DVkFtDEC >> LxjywzjvcUmo1LJ4InRqQ9kYOgzKlVm1ms-Ssk4F8B6YyEoYPdO5k1IyDaUmm-oFoUwuU >> 6AZdBywKDg3VOsSD29XkmJoCdBLYhLrfnSutwELNk6xf-Ygadv_l4qrqPSG_wejMUwSBq >> RksGoi/http%3A%2F%2Fwww.rsyslog.com%2Fprofessional-services%2F >> What's up with rsyslog? Follow >> https://secure-web.cisco.com/1np2M_O7l4WbuSPzutBL7wHs1T4AvXY5sEAi6R9j >> F >> Ad6xpP66MUvIDoL0kz8Ve9JiKraHbyNUChDGTNv4qEvQcUG__9hAYAhKR4E7GDpM7wUS9 >> 9 >> eOBMAmpT0YQBJJZ44RAmUnlV8l-ReDvo5lBRbln2K5LdY7r8SRhRWxukHXXBpb6QWRw33 >> l >> tg4-0dFF4WarzNF0TNyG2pbowTpBDBRxUksgFg8Lsc_RMfr5SOW4BoGup_lZ-eLAZ53p3 >> c >> H3LfhD_ziZoSyK89jd0Q7d_ny6io7hXw3xTTVKazGM8-ONaWmTt_sBkl5zVxGHpN50EVi >> W >> 9719-Se7Kxyx4OohnoDRd-aGEzfx6novzYQqXjR_L8OSY4mtnLsxciyfHoPOmjkMKz5PZ >> F 1Pv7jlvGXdl0E5Eg/https%3A%2F%2Ftwitter.com%2Frgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of >> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >> LIKE THAT. >> >> >> >> >> This email transmission and any accompanying attachments may contain CSX >> privileged and confidential information intended only for the use of the >> intended addressee. Any dissemination, distribution, copying or action taken >> in reliance on the contents of this email by anyone other than the intended >> recipient is strictly prohibited. If you have received this email in error >> please immediately delete it and notify sender at the above CSX email >> address. Sender and CSX accept no liability for any damage caused directly >> or indirectly by receipt of this email. >> >> _______________________________________________ >> rsyslog mailing list >> BLOCKEDlists[.]adiscon[.]net/mailman/listinfo/rsyslogBLOCKED >> http://secure-web.cisco.com/1VFleKFU62iSgxqNp7l4hUrALjZPNml1KX8H5whJa >> 5 >> oq_EIR7mVvq0PfpjqvVRT7kK0VmKBVB4AqyW1kdMcUq8aUtz_WqttYsnMELiLEgsZ9kuk >> E >> 2qyWFcZsSBn8CFlvUF-skZIaIwiF0ajFqoZNZMGwOKGbOrB4ir28NlMIRH8X4nUYHFPQo >> l >> bDK9JlX3sDBGgMokxaETlthu6VFA7oB3m7qdps4AinoI4vEC5GaRumv7j9XF9LfVXSbQl >> U >> lLGkoA1O0QO-iDWIG29n1Ax0-1ehb-PB5FMXGUoV0MBJ1Ihj20CoP2MqKTTvTX_1zeYMD >> c >> P3e3Qj5iQwpplCbxx1bTXJ0HYDqxmwkpSWQj5e0QWC0qSxgaZ8aBAfUCp7dqVRI/http% >> 3 >> A%2F%2Fhttp://secure-web.cisco.com/1ul8T2f-pBCZvsnzERC1rffnv8-2oe_b8Y >> xnIJpAcwr8ti_8ic74cLuPEVAHheDnv9dI0uhcER9WWhFsQPV7mGOenpAG_WmRQ9d4GKj >> BbdcucEBuhjyTt31FpzOBg1aY8KlU2wQ8B95CuTbAzuJKLTUfjF_Ig3rj7MMeQZCLnc36 >> cMYGikNExd2JU4eGGl4ZDVbQTwViIzter19jlYh4oNRMzK0G0uPJKwsXoqtP5DVkFtDEC >> LxjywzjvcUmo1LJ4InRqQ9kYOgzKlVm1ms-Ssk4F8B6YyEoYPdO5k1IyDaUmm-oFoUwuU >> 6AZdBywKDg3VOsSD29XkmJoCdBLYhLrfnSutwELNk6xf-Ygadv_l4qrqPSG_wejMUwSBq >> RksGoi/http%3A%2F%2Fwww.rsyslog.com%2Fprofessional-services%2F >> What's up with rsyslog? Follow >> https://secure-web.cisco.com/1rQW9huc5s4E2rR8Jgt3WDPXRhEnsyncI4KzmYV0 >> r >> WfuNxxWQA2tJNmd73u_cwcmtrESyPxNL7o1R6F9PurmRw2wy6Bau5loGMOQwjOmJ__VZ6 >> 7 >> 8C0xz-z4KHAWn32ESCSEFTV1ivD5xFxua7uyfDcF9LxDrrkNxZePI56Oy5thHbg27ZYzO >> X >> nkoi_jl_NDAb5mkjCrLA5Jw9Dr-5VGa1g-taZjxBLHcyINLwvFBINfDnEicRO_IpmRmzO >> o >> EjmIwU7gX7Dn4qWD_VCFA71qk1ArL3KwRTuJl9YlclJ89yALDVePU18OBMkdA7XxlrH4L >> i >> d7jDDCVtC5eeF7cLkGIU9dodJbRGvxsSHyx1Zy4i_vGNIM-o-C5XGRmhojMF1VzLTMo29 >> t FfUkGXpMR9-0wcbw/https%3A%2F%2Ftwitter.com%2Frgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of >> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >> LIKE THAT. >> > _______________________________________________ > rsyslog mailing list > BLOCKEDlists[.]adiscon[.]net/mailman/listinfo/rsyslogBLOCKED > http://secure-web.cisco.com/1VFleKFU62iSgxqNp7l4hUrALjZPNml1KX8H5whJa5 > oq_EIR7mVvq0PfpjqvVRT7kK0VmKBVB4AqyW1kdMcUq8aUtz_WqttYsnMELiLEgsZ9kukE > 2qyWFcZsSBn8CFlvUF-skZIaIwiF0ajFqoZNZMGwOKGbOrB4ir28NlMIRH8X4nUYHFPQol > bDK9JlX3sDBGgMokxaETlthu6VFA7oB3m7qdps4AinoI4vEC5GaRumv7j9XF9LfVXSbQlU > lLGkoA1O0QO-iDWIG29n1Ax0-1ehb-PB5FMXGUoV0MBJ1Ihj20CoP2MqKTTvTX_1zeYMDc > P3e3Qj5iQwpplCbxx1bTXJ0HYDqxmwkpSWQj5e0QWC0qSxgaZ8aBAfUCp7dqVRI/http%3 > A%2F%2Fwww.rsyslog.com%2Fprofessional-services%2F > What's up with rsyslog? Follow > https://secure-web.cisco.com/1rQW9huc5s4E2rR8Jgt3WDPXRhEnsyncI4KzmYV0r > WfuNxxWQA2tJNmd73u_cwcmtrESyPxNL7o1R6F9PurmRw2wy6Bau5loGMOQwjOmJ__VZ67 > 8C0xz-z4KHAWn32ESCSEFTV1ivD5xFxua7uyfDcF9LxDrrkNxZePI56Oy5thHbg27ZYzOX > nkoi_jl_NDAb5mkjCrLA5Jw9Dr-5VGa1g-taZjxBLHcyINLwvFBINfDnEicRO_IpmRmzOo > EjmIwU7gX7Dn4qWD_VCFA71qk1ArL3KwRTuJl9YlclJ89yALDVePU18OBMkdA7XxlrH4Li > d7jDDCVtC5eeF7cLkGIU9dodJbRGvxsSHyx1Zy4i_vGNIM-o-C5XGRmhojMF1VzLTMo29t > FfUkGXpMR9-0wcbw/https%3A%2F%2Ftwitter.com%2Frgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. > > _______________________________________________ > rsyslog mailing list > BLOCKEDlists[.]adiscon[.]net/mailman/listinfo/rsyslogBLOCKED > http://secure-web.cisco.com/1UN7XUO3Xbj7FEfKnOoGSTF3HTm9XHnA2bSTEZ7MlL > L0PGwaVMd9v67Rw1lcFzUy2RfTBuX1drCBOWliENzCREZZ6RM6GZir3V5MOYkjGWup1ywH > pVLVanO2r5OUUID2eOteDHDMkCmxU_jI5gdb56miZErjHmIVTt8sh_-emoaA00DF8Ht_f5 > jTrjMK8glTKtCC5HLBQWjczQ_KVNu2mvVYSefbTOKnsYgRzklGx7anLdXPrjgoF-53iuqn > kYzi0UBaw_yJAMLLxDrIRV3M8XI7enzWneXXfFYZzfLaDyajfJGi7gr1hmIN1jkqdTwfzy > EmU3M7oLGv2DA5FIxqCJSn-uWEP9iPFIBGbvTS-GSCoDHvV1ujfYnMh02-zNNmP/http%3 > A%2F%2Fwww.rsyslog.com%2Fprofessional-services%2F > What's up with rsyslog? Follow > https://secure-web.cisco.com/11HE8rxVpojlvMjvDY-KJV3JN_trdAR-yBThICqru > UdTS8nPAfb7w9M6c19xE9pI1CSq3DS-_sFZJIViejHu2HgMDUfsBiVlv2b6QiZPORLSbVX > 1agc_mBSlg9-VuJVT1DO6Dg9GC3RRPvwQNZVTZ8jw0wpguJnueY4Gmdz4Tzb05ENtxlif8 > co63Lkc6D4qaniLEe1PbPB2Jy5kytI4iLDFv5s4FMolhT17YxLKNYseaHaz2N7_WSGi5lK > ivkRa4YwGooqWRRg2rAGKScAPtCSHhJYDx0HMvwJCJlkeGOHwmK76ftgKC3BQw9_Ioiq7t > xY-RJ0kQQOK0xVQC3_IAMXVeTKhBG326jfccikM_XPuSwjpY3f4sXn1hg78siNMYKgI-k4 > bF4YWuQjjgICqvYA/https%3A%2F%2Ftwitter.com%2Frgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. > _______________________________________________ rsyslog mailing list BLOCKEDlists[.]adiscon[.]net/mailman/listinfo/rsyslogBLOCKED http://secure-web.cisco.com/1UN7XUO3Xbj7FEfKnOoGSTF3HTm9XHnA2bSTEZ7MlLL0PGwaVMd9v67Rw1lcFzUy2RfTBuX1drCBOWliENzCREZZ6RM6GZir3V5MOYkjGWup1ywHpVLVanO2r5OUUID2eOteDHDMkCmxU_jI5gdb56miZErjHmIVTt8sh_-emoaA00DF8Ht_f5jTrjMK8glTKtCC5HLBQWjczQ_KVNu2mvVYSefbTOKnsYgRzklGx7anLdXPrjgoF-53iuqnkYzi0UBaw_yJAMLLxDrIRV3M8XI7enzWneXXfFYZzfLaDyajfJGi7gr1hmIN1jkqdTwfzyEmU3M7oLGv2DA5FIxqCJSn-uWEP9iPFIBGbvTS-GSCoDHvV1ujfYnMh02-zNNmP/http%3A%2F%2Fwww.rsyslog.com%2Fprofessional-services%2F What's up with rsyslog? Follow https://secure-web.cisco.com/11HE8rxVpojlvMjvDY-KJV3JN_trdAR-yBThICqruUdTS8nPAfb7w9M6c19xE9pI1CSq3DS-_sFZJIViejHu2HgMDUfsBiVlv2b6QiZPORLSbVX1agc_mBSlg9-VuJVT1DO6Dg9GC3RRPvwQNZVTZ8jw0wpguJnueY4Gmdz4Tzb05ENtxlif8co63Lkc6D4qaniLEe1PbPB2Jy5kytI4iLDFv5s4FMolhT17YxLKNYseaHaz2N7_WSGi5lKivkRa4YwGooqWRRg2rAGKScAPtCSHhJYDx0HMvwJCJlkeGOHwmK76ftgKC3BQw9_Ioiq7txY-RJ0kQQOK0xVQC3_IAMXVeTKhBG326jfccikM_XPuSwjpY3f4sXn1hg78siNMYKgI-k4bF4YWuQjjgICqvYA/https%3A%2F%2Ftwitter.com%2Frgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
