the exact same syntax that worked prior to v8 should still work.
in the new action() format, you need to set the dynafile template to hve things like the date work (like they did with the prior one)
what files are created when you use the remotehost template? David Lang On Fri, 5 Mar 2021, linksonice via rsyslog wrote:
Date: Fri, 5 Mar 2021 08:42:35 -0700 (MST) From: linksonice via rsyslog <[email protected]> To: [email protected] Cc: linksonice <[email protected]> Subject: Re: [rsyslog] another n00b question about logging clients logs to their own directories based on hostnames It's possible the trailing / in the older block was some kind of after-effect of this nabble website's content parser after I tried posting the block in italics earlier ; I'm not actually putting that in the /etc/rsyslog.conf. So I tried this, based on your last comment: template(name="RemoteHost" type="string" string="/var/log/external/%HOSTNAME%/windows_events-%$YEAR%%$MONTH%%$DAY%.log") # Remote Logging $RuleSet remote ?RemoteHost ### previously I had *.* ?Remotehost but frankly I'm not sure what you mean by "try logging with ?REMOTEHOST", and how this is any different from what I had before. In any case, it just doesn't work. I need a little bit more explicit information. :D ### Apart from all of the above, I've made some progress in the meantime using a whole different method, as follows: if $fromhost-ip == '10.10.20.25' then { action(type="omfile" file="/var/log/external/ISS-Delta-CS1/windows_events-%$YEAR%%$MONTH%%$DAY%.log") stop } so if I make a block of code for every single remote client like that, the objective is achieved! i.e. all remote clients log events to their own log files. The only trouble is, the filename is duff - the %$YEAR%%$MONTH%%$DAY% thing is taken literally: [root@aws-delta-mon etc]# ls -lrt /var/log/external/ISS-Delta-TS1/windows_events-%\$YEAR%%\$MONTH%%\$DAY%.log -rw------- 1 root root 19002 Mar 5 15:33 '/var/log/external/ISS-Delta-TS1/windows_events-%$YEAR%%$MONTH%%$DAY%.log' This being said, I could maybe do away with the %$YEAR%%$MONTH%%$DAY% thing altogether and maybe try logging like so: if $fromhost-ip == '10.10.20.25' then { action(type="omfile" file="/var/log/external/$fromhost-ip_windows_events.log") stop } and then just rotate those logs, BUT ... there has to be a better way of doing all this in just a few lines, surely, like previous to v8? cheers -- Sent from: http://rsyslog-users.1305293.n2.nabble.com/ _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
_______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
