So you have it configured so that anything that arrives over port 10514 is processed by the ruleset "DynRemoteServer",

which consists of the configuration:

   action(type="omfile" dynaFile="RemoteServer")

after which it is done processing the log. So if you want to have any if statements about the source, you need to put them inside that ruleset.

Any other rules in the config are not evaluated for the logs that arrive via this input.

David Lang

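The following is an added example, not a configuration posted by either participant in this thread. It shows the shape both of David's replies describe: the per-host `if` placed inside the ruleset the listener is bound to, and a separate ruleset invoked with `call` after that `if`. The ruleset name `NewNaming` is an assumption introduced here; the templates, the port, the imptcp module line and the test address 10.40.83.207 are taken from the configuration quoted below.

```rsyslog
# Added example (not from the thread). Assumes the templates and the imptcp
# listener from the quoted configuration; "NewNaming" is a name chosen here.

template(name="RemoteServer" type="string"
         string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%PROGRAMNAME%.log")
template(name="RemoteServer1" type="string"
         string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%$year%-%$month%-%$day%-%PROGRAMNAME%.log")

module(load="imptcp" threads="8" ProcessOnPoller="off")

# Ruleset holding the new naming scheme. It is only reached through "call",
# so nothing else in the config can route messages here by accident.
ruleset(name="NewNaming") {
    action(type="omfile" dynaFile="RemoteServer1")
}

# The ruleset the 10514 listener is bound to. A message arriving on that
# port is evaluated ONLY against this ruleset, never against rules written
# at the top level of the file (those belong to the default ruleset).
ruleset(name="DynRemoteServer") {
    # Per-source test: hand the one host to the new naming ruleset and
    # stop, so it does not also fall through to the old template.
    if $fromhost-ip == "10.40.83.207" then {
        call NewNaming
        stop
    }
    # Everyone else keeps the existing file name format.
    action(type="omfile" dynaFile="RemoteServer")
}

input(type="imptcp" port="10514" ruleset="DynRemoteServer")
```

This is why the quoted configuration passes `rsyslogd -N 1` yet changes nothing: a top-level `if` is perfectly valid syntax, it just lands in the default ruleset, which the imptcp input bound to "DynRemoteServer" never executes. Syntax validation cannot catch that. To confirm the routing, send a message from the test host itself (or from a host whose `$fromhost-ip` is the value compared) and check that the date-stamped file appears while a message from any other host still lands in the old path; a local `logger` run will show up with the collector's own address and will not exercise the branch.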

On Tue, 16 Mar 2021, Scott Slattery wrote:

Date: Tue, 16 Mar 2021 14:43:58 -0700
From: Scott Slattery <scott.slatt...@motorolasolutions.com>
To: David Lang <da...@lang.hm>
Cc: Scott Slattery via rsyslog <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] Ruleset on IMTCP (or IMPTCP)

Thanks David, here's what I have, but it doesn't seem to be working. Part of
the problem, as I mentioned, is I can't make a major change that would
impact all the logs coming from the various sources. This is a central
collector. So, what I'm trying to do is to selectively handle input logs
from a single source. In this case it's server 10.40.83.207.

The overall objective is to change the logfile name format for a specific
source using this template:

template(name="RemoteServer1" type="string"
string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%$year%-%$month%-%$day%-%PROGRAMNAME%.log")

If an input comes in on IMTCP from this source, I want to apply the
template above, otherwise, I want to apply this template:
template(name="RemoteServer" type="string"
string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%PROGRAMNAME%.log")

The latter template is currently the template bound to my imtcp module but
I can't make a modification to it because it is used for all inbound tcp
logs. I have a specific log naming format I need to apply to a single
source for now as a test. Subject to the test working, it will be applied
to all logs but to just drop it in and impact all logs isn't acceptable. I
also can't just add a secondary listener due to firewall rules that would
take too long to get updated just for a test.


Here's the relevant configuration as it is. It validates fine (rsyslogd -N
1) but I am not seeing the new logfile name format from the rule. The old
format is still being applied even to the target IP logs.

#### RULES ####

template(name="RemoteServer" type="string"
string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%PROGRAMNAME%.log")
template(name="RemoteServer1" type="string"
string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%$year%-%$month%-%$day%-%PROGRAMNAME%.log")

ruleset(name="DynRemoteServer"){
       action(type="omfile" dynaFile="RemoteServer")
}

# module imptcp
module(load="imptcp" threads="8" ProcessOnPoller="off")

# to test new log file name rules
if $fromhost-ip == '10.40.83.207' then {
       action(type="omfile" dynafile="RemoteServer1")
       stop
}

input(type="imptcp" port="10514" ruleset="DynRemoteServer")

#kern.*                                         /dev/console
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
authpriv.*                                      /var/log/secure
mail.*                                          /var/log/maillog
cron.*                                          /var/log/cron
*.emerg                                         :omusrmsg:*
uucp,news.crit                                  /var/log/spooler
local7.*                                        /var/log/boot.log

I hope this helps better understand my objective and thanks for your help.

*Scott Slattery*

*Sr. Systems & Cloud Architect*

*Cloud, Compute, Information & Architecture Team*

motorolasolutions.com

*O: 602.529.8226*

*E*: scott.slatt...@motorolasolutions.com




On Tue, Mar 16, 2021 at 2:31 PM David Lang <da...@lang.hm> wrote:

Yes, you can create a ruleset for an input and then have it contain a rule
for a specific host, or you can call a ruleset after an if statement.

I don't understand fully what you are trying to do that makes this hard.

do you have an example of a config that you think should work that doesn't?

David Lang

On Tue, 16 Mar 2021, Scott Slattery via rsyslog wrote:

Date: Tue, 16 Mar 2021 13:48:20 -0700
From: Scott Slattery via rsyslog <rsyslog@lists.adiscon.com>
To: rsyslog-users <rsyslog@lists.adiscon.com>
Cc: Scott Slattery <scott.slatt...@motorolasolutions.com>
Subject: [rsyslog] Ruleset on IMTCP (or IMPTCP)

Is it possible to selectively apply a dynamic file template to input from
IMTCP based on a specific host like the following?

##### Rule ####
if $fromhost-ip == '10.40.83.207' then {
       action(type="omfile" dynafile="RemoteServer1")
       stop
}

input(type="imptcp" port="10514" ruleset="RemoteServer")

##### End Rule ####

My log files are on a central log collector (where this rule is applied)
but it doesn't seem to be working. No error when I validate syntax, but
no logfiles as expected.

Since my central log collector is behind a firewall, I can't easily (nor
quickly) add an additional bind port with another input so I'm trying to
prototype the above logic using a rule.

I also don't want to apply the rule to every incoming TCP logfile until I
have performed this validation.

Any guidance is much appreciated.

*Scott Slattery*





_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
