As long as you’re not doing any type of filtering / if..then on $fromhost-ip (or similar variable), you can setup a filter on something like prifilt and it’ll capture anything - local or remote. E.g.:
if prifilt("authpriv.*") then { action( name = "LOCAL_MessagesToFile" type = "omfile" dynaFile = "LOCAL_MessagesFileTemplate" sync = "on" template = "RSYSLOG_TraditionalFileFormat" ) stop } Andrew Griffin Apple ETS / Integration Services 1 Infinite Loop, 175-DR Cupertino, CA 95014, USA Office 408-783-8348 iPhone 916-897-4335 andrew_grif...@apple.com This email and any attachments may be privileged and may contain confidential information intended only for the recipient(s) named above. Any other distribution, forwarding, copying or disclosure of this message is strictly prohibited. If you have received this email in error, please notify me immediately by telephone or return email, and delete this message from your system. > On Jul 19, 2017, at 8:37 AM, deoren > <rsyslog-users-lists.adiscon....@whyaskwhy.org> wrote: > > I've setup a ruleset that is applied to messages arriving from remote systems > via imrelp. One action within that ruleset matches on auth facility messages > and places them into a "combined" auth log file. Additionally an alert is > generated via ommail for matching patterns (SSH logins). > > In addition to log entries from remote systems arriving via imrelp, I'd like > to also capture local auth messages and route them into the combined file as > well. The workaround (for now at least) appears to be duplicating the ommail > alert action for the local ruleset. > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.