As long as you’re not doing any type of filtering / if..then on $fromhost-ip (or similar variable), you can setup a filter on something like prifilt and it’ll capture anything - local or remote. E.g.:
if prifilt("authpriv.*") then {
action(
name = "LOCAL_MessagesToFile"
type = "omfile"
dynaFile = "LOCAL_MessagesFileTemplate"
sync = "on"
template = "RSYSLOG_TraditionalFileFormat"
)
stop
}
Andrew Griffin
Apple
ETS / Integration Services
1 Infinite Loop, 175-DR
Cupertino, CA 95014, USA
Office 408-783-8348
iPhone 916-897-4335
andrew_grif...@apple.com
This email and any attachments may be privileged and may contain confidential
information intended only for the recipient(s) named above. Any other
distribution, forwarding, copying or disclosure of this message is strictly
prohibited. If you have received this email in error, please notify me
immediately by telephone or return email, and delete this message from your
system.
> On Jul 19, 2017, at 8:37 AM, deoren
> <rsyslog-users-lists.adiscon....@whyaskwhy.org> wrote:
>
> I've setup a ruleset that is applied to messages arriving from remote systems
> via imrelp. One action within that ruleset matches on auth facility messages
> and places them into a "combined" auth log file. Additionally an alert is
> generated via ommail for matching patterns (SSH logins).
>
> In addition to log entries from remote systems arriving via imrelp, I'd like
> to also capture local auth messages and route them into the combined file as
> well. The workaround (for now at least) appears to be duplicating the ommail
> alert action for the local ruleset.
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
