Thanks David, here's what I have, but it doesn't seem to be working. Part of the problem, as I mentioned, is I can't make a major change that would impact all the logs coming from the various sources. This is a central collector. So, what I'm trying to do is to selectively handle input logs from a single source. In this case it's server 10.40.83.207.
The overall objective is to change the logfile name format for a specific source using this template:

template(name="RemoteServer1" type="string" string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%$year%-%$month%-%$day%-%PROGRAMNAME%.log")

If an input comes in on IMTCP from this source, I want to apply the template above, otherwise, I want to apply this template:

template(name="RemoteServer" type="string" string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%PROGRAMNAME%.log")

The latter template is currently the template bound to my imtcp module but I can't make a modification to it because it is used for all inbound tcp logs. I have a specific log naming format I need to apply to a single source for now as a test. Subject to the test working, it will be applied to all logs but to just drop it in and impact all logs isn't acceptable. I also can't just add a secondary listener due to firewall rules that would take too long to get updated just for a test.

Here's the relevant configuration as it is. It validates fine (rsyslogd -N 1) but I am not seeing the new logfile name format from the rule. The old format is still being applied even to the target IP logs.

#### RULES ####
template(name="RemoteServer" type="string" string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%PROGRAMNAME%.log")
template(name="RemoteServer1" type="string" string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%$year%-%$month%-%$day%-%PROGRAMNAME%.log")

ruleset(name="DynRemoteServer"){
    action(type="omfile" dynaFile="RemoteServer")
}

# module imptcp
module(load="imptcp" threads="8" ProcessOnPoller="off")

# to test new log file name rules
if $fromhost-ip == '10.40.83.207' then {
    action(type="omfile" dynafile="RemoteServer1")
    stop
}

input(type="imptcp" port="10514" ruleset="DynRemoteServer")

#kern.* /dev/console
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
~

I hope this helps better understand my objective and thanks for your help.

*Scott Slattery*
*Sr. Systems & Cloud Architect*
*Cloud, Compute, Information & Architecture Team*
motorolasolutions.com
*O: 602.529.8226*
*E*: scott.slatt...@motorolasolutions.com

On Tue, Mar 16, 2021 at 2:31 PM David Lang <da...@lang.hm> wrote:

> yes, you can create a ruleset for an input and then have it contain a rule
> for a specific host, or you can call a ruleset after an if statement
>
> I don't understand fully what you are trying to do that makes this hard.
>
> do you have an example of a config that you think should work that doesn't?
>
> David Lang
>
> On Tue, 16 Mar 2021, Scott Slattery via rsyslog wrote:
>
> > Date: Tue, 16 Mar 2021 13:48:20 -0700
> > From: Scott Slattery via rsyslog <rsyslog@lists.adiscon.com>
> > To: rsyslog-users <rsyslog@lists.adiscon.com>
> > Cc: Scott Slattery <scott.slatt...@motorolasolutions.com>
> > Subject: [rsyslog] Ruleset on IMTCP (or IMPTCP)
> >
> > Is it possible to selectively apply a dynamic file template to input from
> > IMTCP based on a specific host like the following?
> >
> > ##### Rule ####
> > if $fromhost-ip == '10.40.83.207' then {
> >     action(type="omfile" dynafile="RemoteServer1")
> >     stop
> > }
> >
> > input(type="imptcp" port="10514" ruleset="RemoteServer")
> >
> > ##### End Rule ####
> >
> > My log files are on a central log collector (where this rule is applied)
> > but it doesn't seem to be working. No error when I validate syntax but
> > no logfiles as expected.
> >
> > Since my central log collector is behind a firewall, I can't easily (nor
> > quickly) add an additional bind port with another input so I'm trying to
> > prototype the above logic using a rule.
> >
> > I also don't want to apply the rule to every incoming TCP logfile until I
> > have performed this validation.
> >
> > Any guidance is much appreciated.
> >
> > *Scott Slattery*
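
An added example, not part of the original thread and not the rsyslog project's own configuration: an input bound to a ruleset hands its messages only to that ruleset, so a top-level `if` (which belongs to the default ruleset) never sees traffic from the imptcp listener. The sketch below moves the host test inside `DynRemoteServer`, as the reply's "have it contain a rule for a specific host" suggests; all names, paths, the port and the IP are the ones from the thread.

```rsyslog
# Templates exactly as posted in the thread.
template(name="RemoteServer" type="string"
         string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%PROGRAMNAME%.log")
template(name="RemoteServer1" type="string"
         string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%$year%-%$month%-%$day%-%PROGRAMNAME%.log")

module(load="imptcp" threads="8" ProcessOnPoller="off")

# Every message from the listener below enters this ruleset and nothing else,
# so the per-host decision has to be made here.
ruleset(name="DynRemoteServer") {
    # Test source only: write with the dated file name, then stop so the
    # message is not also written with the old name.
    if $fromhost-ip == '10.40.83.207' then {
        action(type="omfile" dynaFile="RemoteServer1")
        stop
    }

    # All other senders keep the existing file name format.
    action(type="omfile" dynaFile="RemoteServer")
}

# Same single listener and port; no additional firewall opening is required.
input(type="imptcp" port="10514" ruleset="DynRemoteServer")

# Legacy selector lines (e.g. "authpriv.* /var/log/secure") outside any
# ruleset stay in the default ruleset and keep handling local messages only.
```

After reloading, `rsyslogd -N 1` should still validate, and only the directory for 10.40.83.207 should start receiving files with the date prefix.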