It's possible the trailing / in the older block was some kind of after-effect
of this nabble website's content parser after I tried posting the block in
italics earlier; I'm not actually putting that in the /etc/rsyslog.conf.

So I tried this, based on your last comment:

template(name="RemoteHost" type="string"
string="/var/log/external/%HOSTNAME%/windows_events-%$YEAR%%$MONTH%%$DAY%.log")

# Remote Logging
$RuleSet remote
?RemoteHost   ### previously I had *.* ?Remotehost

but frankly I'm not sure what you mean by "try logging with ?REMOTEHOST",
and how this is any different from what I had before. In any case, it just
doesn't work. I need a little bit more explicit information. :D

###

Apart from all of the above, I've made some progress in the meantime using a
whole different method, as follows:

if $fromhost-ip == '10.10.20.25' then {
        action(type="omfile"
file="/var/log/external/ISS-Delta-CS1/windows_events-%$YEAR%%$MONTH%%$DAY%.log")
        stop
    }

so if I make a block of code for every single remote client like that, the
objective is achieved! i.e. all remote clients log events to their own log
files.

The only trouble is, the filename is duff - the %$YEAR%%$MONTH%%$DAY% thing
is taken literally:

[root@aws-delta-mon etc]# ls -lrt
/var/log/external/ISS-Delta-TS1/windows_events-%\$YEAR%%\$MONTH%%\$DAY%.log
-rw------- 1 root root 19002 Mar  5 15:33
'/var/log/external/ISS-Delta-TS1/windows_events-%$YEAR%%$MONTH%%$DAY%.log'

This being said, I could maybe do away with the %$YEAR%%$MONTH%%$DAY% thing
altogether and maybe try logging like so:

if $fromhost-ip == '10.10.20.25' then {
        action(type="omfile"
file="/var/log/external/$fromhost-ip_windows_events.log")
        stop
    }

and then just rotate those logs, BUT ... there has to be a better way of
doing all this in just a few lines, surely, like previous to v8?

cheers



--
Sent from: http://rsyslog-users.1305293.n2.nabble.com/
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
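
An added example, not part of the original post and not the rsyslog project's own configuration: omfile's `file` parameter is a static path, so `%...%` placeholders in it are written literally, while `dynaFile` takes the name of a template that is expanded for each message. The UDP input on port 514, the template name `RemoteHostFile`, the file modes and the use of `%fromhost-ip%` in place of `%HOSTNAME%` are assumptions made for the illustration.

```rsyslog
# Added example (not from the original post). Assumed: UDP input on port 514,
# the template name "RemoteHostFile" and the file/directory modes below.
# The ruleset name "remote" and the /var/log/external layout follow the thread.

module(load="imudp")

# Per-message file name. %fromhost-ip% is the address rsyslog received the
# message from; %HOSTNAME% is read from the message itself, so a sender can
# set it to any string. secpath-replace turns "/" into "_" so a crafted value
# cannot add directory components to the path.
template(name="RemoteHostFile" type="string"
         string="/var/log/external/%fromhost-ip:::secpath-replace%/windows_events-%$YEAR%%$MONTH%%$DAY%.log")

# Static form, shown for contrast: "file" is a literal path, so property
# placeholders are NOT expanded and end up in the file name verbatim.
#   action(type="omfile"
#          file="/var/log/external/host/windows_events-%$YEAR%%$MONTH%%$DAY%.log")

ruleset(name="remote") {
    # dynaFile takes a template NAME; the template is evaluated per message,
    # so every sender gets its own directory and a new file each day.
    action(type="omfile"
           dynaFile="RemoteHostFile"
           createDirs="on"
           dirCreateMode="0750"
           fileCreateMode="0640")
    stop
}

# Bind the listener to the ruleset so remote traffic is handled only by the
# rules above and never falls through to the local logging rules.
input(type="imudp" port="514" ruleset="remote")
```

`rsyslogd -N1` checks the configuration for syntax errors before the service is restarted.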