%%DAYS% ?

On Tue, 12 May 2020 at 20:40, Soham Chakraborty via rsyslog
<[email protected]> wrote:
>
> Hi,
>
> I have a query regarding rsyslog template.
>
> Before I describe the problem let me explain the background. We are
> planning to receive logs from different networking equipment and
> firewall. Those logs will be sent over to two rsyslog servers which
> will in turn send them to splunk. We want to separate the logs as per
> the originating hostname and save in separate files in individual,
> separate directories.
>
> The following is an example of such configuration:
>
> # cat cyberark.conf
> input(type="imtcp" port="9514" ruleset="cyberark_logs")
>         ruleset(name="cyberark_logs"
>         queue.type="fixedArray"
>         queue.size="250000"
>         queue.dequeueBatchSize="4096"
>         queue.workerThreads="4"
>         queue.workerThreadMinimumMessages="60000"
>
>         ) {
>         $FileOwner splunk
>         $FileGroup splunk
>         $DirOwner splunk
>         $DirGroup splunk
>         $DirCreateMode 0755
>         $FileCreateMode 0640
>         $RulesetCreateMainQueue
>         $Template Dynafile2,"/opt/data/syslog/cyberark/%HOSTNAME%/asa_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log"
>         *.*-?Dynafile2
>         }
>
> 1) Now my confusion is about the template naming scheme. Right now all
> of the configurations have these lines:
>
>  $Template Dynafile2,"FILEPATH_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log"
>         *.*-?Dynafile2
>
> How can/should I change the names of the templates? Shall I make it like:
>
>  $Template cyberark,"/opt/data/syslog/cyberark/%HOSTNAME%/asa_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log"
>         *.*-?cyberark
>
> 2) Based on the above full configuration snippet, is there any
> modification that I can make so that the configuration is easier to
> read/understand? In other words, any improvement tips?
>
> Thanks,
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
> LIKE THAT.
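
An added example, not part of the original thread and not code from either poster: the quoted configuration rewritten in rsyslog's current RainerScript syntax, with a descriptively named template and the ownership and mode settings moved onto the omfile action. It assumes imtcp is loaded elsewhere in the configuration; the template name cyberark_hostfile is an illustrative choice, and the secpath-replace option is an addition, used because %HOSTNAME% is taken from the received message and becomes a directory name.

```rsyslog
# Added example (not from the thread). Assumes module(load="imtcp") appears
# earlier in rsyslog.conf. The template name is a hypothetical choice.

# One template per log source, named after what it produces.
# secpath-replace turns any "/" in the sender-supplied hostname into "_",
# so the value cannot add path components under /opt/data/syslog/cyberark/.
template(name="cyberark_hostfile" type="string"
         string="/opt/data/syslog/cyberark/%hostname:::secpath-replace%/asa_%$year%-%$month%-%$day%-%$hour%.log")

# The queue.* parameters on the ruleset give it its own queue, which is
# what $RulesetCreateMainQueue did in the legacy form.
ruleset(name="cyberark_logs"
        queue.type="fixedArray"
        queue.size="250000"
        queue.dequeueBatchSize="4096"
        queue.workerThreads="4"
        queue.workerThreadMinimumMessages="60000") {
    # Replaces "*.* -?Dynafile2" and the $FileOwner/$DirOwner/... directives.
    # Ownership and modes now apply to this action only, not to whatever
    # configuration happens to follow in the file.
    action(type="omfile"
           dynaFile="cyberark_hostfile"
           fileOwner="splunk"
           fileGroup="splunk"
           dirOwner="splunk"
           dirGroup="splunk"
           dirCreateMode="0755"
           fileCreateMode="0640")
}

# Bind the listener to the ruleset after the ruleset has been defined.
input(type="imtcp" port="9514" ruleset="cyberark_logs")
```

Running `rsyslogd -N1` after editing checks the configuration for syntax errors without starting the daemon.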
