Hello,
Confession... I'm still learning rsyslog after many years of working with
syslog-ng. I'm using rsyslog-8.4.0-8.3 on a SLES12.1 system and am trying to
capture my ESXi host logs.
Here is my current filter for those:
cat /etc/rsyslog.d/ESXi.conf
template(name="ESXi_app" type="string"
string="/var/splunk-syslog/ESXi/%FROMHOST%/%FROMHOST%-%$NOW%.log")
if $hostname startswith ["cdcubde",
"sdcubde",
"sdcubpe",
"cdcubpe",
"cdcubdmz",
"cdcurpe",
"sdcurpe"]
then {
action(type="omfile" dirCreateMode="0755" FileCreateMode="0644"
dynaFile="ESXi_app")
}
else {
if $programname contains ["Hostd",
"Vpxa",
"xmlns",
"soapenv",
"cdcubpe02"]
then {
action(type="omfile" dirCreateMode="0755" FileCreateMode="0644"
dynaFile="ESXi_app")
}
stop }
I added the extra "else/if" because even though the 'startwith' was mostly
working, it wasn't working 100%. And, now even with the extra else/if some
messages are still falling through to my "Unknownl" and I don't understand why.
Example message that is falling through -
cat Unknown/cdcubdmz01.mycompany.com/cdcubdmz01.mycompany.com-2016-12-01.log
2016-12-01T10:01:22.690936-05:00 cdcubdmz01.mycompay.com soapenv:
Body><HostImageConfigGetAcceptanceResponse
xmlns='urn:vim25'><returnval>partner</returnval></HostImageConfigGetAcceptanceResponse></soapenv:Body></soapenv:Envelope>
I'm using different configs in /etc/rsyslog.d/ for the different filters
(ESXi, FireEye, PaloAlto, etc), then my Unknown filter is in the
/etc/rsyslog.conf file. Is that approach wrong?
>From my rsyslog.conf:
template(name="Unknown" type="string"
string="/var/splunk-syslog/Unknown/%HOSTNAME%/%FROMHOST%-%$NOW%.log")
*.* action(type="omfile" dirCreateMode="0755" FileCreateMode="0644"
dynaFile="Unknown")
Any help would be greatly appreciated.
Thanks,
Patrick
----------------------------------------------------------------------
This email and any files transmitted with it are confidential and intended
solely for the use of the addressee. If you are not the intended addressee,
then you have received this email in error and any use, dissemination,
forwarding, printing, or copying of this email is strictly prohibited. Please
notify us immediately of your unintended receipt by reply and then delete this
email and your reply. Tyson Foods, Inc. and its subsidiaries and affiliates
will not be held liable to any person resulting from the unintended or
unauthorized use of any information contained in this email or as a result of
any additions or deletions of information originally contained in this email.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
