Hi David/All, thanks for your reply.
I have below relevant logs in default file '/var/log/messages' -

<14>1 2018-10-07T01:32:20.898Z TestFW2 RT_FLOW - RT_FLOW_SESSION_CLOSE [[email protected] reason="idle Timeout" source-address="100.73.10.92" source-port="52890" destination-address="58.68.126.198" destination-port="53" service-name="junos-dns-udp" nat-source-address="58.78.140.131" nat-source-port="11152" nat-destination-address="58.68.126.198" nat-destination-port="53" src-nat-rule-type="source rule" src-nat-rule-name="NAT_S" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="NAT" source-zone-name="Gi_nat" destination-zone-name="Internet" session-id-32="220368889" packets-from-client="1" bytes-from-client="72" packets-from-server="1" bytes-from-server="136" elapsed-time="8" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.108" encrypted="UNKNOWN"]

but when I'm filtering/redirecting specific logs to a separate file/directory by using template 'TmplDcpFW' (config file below), I just have below header info in the new file -

2018-10-09T14:37:06.918Z TestFW2 RT_FLOW

Can you please help what I need to add to have the required format in the new file? Below is the file /etc/rsyslog.conf:

#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

## For redirecting the NationalIP FW logs to specific file/directory
$template TmplDcpFW, "/var/log/FW/%HOSTNAME%.log"
if ($hostname == ["TestFW1", "TestFW2"]) then {
*.* ?TmplDcpFW
}
& ~

#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state

#### RULES ####
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log

On Thu, Sep 6, 2018 at 8:03 PM David Lang <[email protected]> wrote:

> On Thu, 6 Sep 2018, sarjit yadav via rsyslog wrote:
>
> > I am working on implementation of syslog server and running rsyslog sw
> > version="8.24.0 on CentOS.
> >
> > Currently all logs from client are written in /var/log/message file and
> > looking suggestions to achieve -
> > - ONLY write logs from specific host to dedicated partition
> > (/var/log/%hosts%/<file-name>.log)
>
> look at the dynafile options for writing to different directories easily.
>
> As far as only doing this for some hosts, not all hosts. If it's a small
> number of hosts you can do something like
>
> if $hostname == ["foo", "bar", "baz"] then {
> #write to file
> }
>
> if it's a large number of hosts, you may want to look at the table lookup
> feature.
>
> you can then use the "stop" action to prevent any other processing being
> done to the logs that you handle one way
>
> > - Keep storage of these logs files on syslog server and also send to
> > another FTP server via pull/push (track sent logs files via separate
> > directories ?)
>
> rsyslog is not really setup to move files by ftp/etc. Rsyslog really
> doesn't know much about files, it does everything by individual message.
> The "syslog way" is to just forward the messages to the syslog daemon on
> the remote machine and have it write to the files you want there.
>
> David Lang

--
Regards
Sarjit Singh
+91-8806664923

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
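As an added illustration (not from Sarjit's config or David's reply), the approach David describes written out in current rsyslog RainerScript syntax: the dynafile template, the hostname array match, an omfile action that names its output template explicitly instead of relying on the positional legacy `$ActionFileDefaultTemplate` directive, and `stop`. Hostnames and the /var/log/FW path are taken from the thread; the directory and file modes are assumptions.

```rsyslog
# Added example, not part of the original thread.
# Goal: write everything from the two firewalls to /var/log/FW/<host>.log
# in the RFC 5424 layout, and keep it out of /var/log/messages.

# Dynafile name template: one file per sending host.
template(name="TmplDcpFW" type="string" string="/var/log/FW/%HOSTNAME%.log")

# Match the (small, fixed) set of firewall hostnames from the thread.
if $hostname == ["TestFW1", "TestFW2"] then {
    # Name the line template on the action itself. The legacy
    # $ActionFileDefaultTemplate directive only affects file actions defined
    # after it, so binding it here removes that ordering dependence.
    # RSYSLOG_SyslogProtocol23Format is the built-in RFC 5424 layout:
    # <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    action(type="omfile"
           dynaFile="TmplDcpFW"
           template="RSYSLOG_SyslogProtocol23Format"
           dirCreateMode="0750"    # assumed: restrict the per-host directory
           fileCreateMode="0640")  # assumed: logs readable by the log group only

    # Discard the message here so the catch-all rules below never see it.
    stop
}

# Remaining rules (e.g. *.info ... /var/log/messages) follow as before.
```

The firewall's RT_FLOW_SESSION_CLOSE record carries all of its fields in the RFC 5424 structured-data element, so a template that emits only %TIMESTAMP% %HOSTNAME% %syslogtag% %msg% shows a bare header for such a message; RSYSLOG_SyslogProtocol23Format includes %STRUCTURED-DATA%.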

