I just made the update and works fine... you're a genius. Thanks again.

*Scott Slattery*
*Sr. Systems & Cloud Architect*
*Cloud, Compute, Information & Architecture Team*
motorolasolutions.com
*O: 602.529.8226*
*E*: scott.slatt...@motorolasolutions.com

On Tue, Mar 16, 2021 at 2:55 PM David Lang <da...@lang.hm> wrote:

> so you have it configured that anything that arrives over port 10514 is
> processed by the ruleset "DynRemoteServer"
>
> which consists of the configuration:
>
> action(type="omfile" dynaFile="RemoteServer")
>
> after which it is done processing logs. So if you want to have any if statements
> about the source, you need to do it inside that ruleset.
>
> any other rules in the config are not evaluated for the logs that arrive via
> this input.
>
> David Lang
>
> On Tue, 16 Mar 2021, Scott Slattery wrote:
>
> > Date: Tue, 16 Mar 2021 14:43:58 -0700
> > From: Scott Slattery <scott.slatt...@motorolasolutions.com>
> > To: David Lang <da...@lang.hm>
> > Cc: Scott Slattery via rsyslog <rsyslog@lists.adiscon.com>
> > Subject: Re: [rsyslog] Ruleset on IMTCP (or IMPTCP)
> >
> > Thanks David, here's what I have but doesn't seem to be working. Part of
> > the problem, as I mentioned, is I can't make a major change that would
> > impact all the logs coming from the various sources. This is a central
> > collector. So, what I'm trying to do is to selectively handle input logs
> > from a single source. In this case it's server 10.40.83.207.
> >
> > The overall objective is to change the logfile name format for a specific
> > source using this template:
> >
> > template(name="RemoteServer1" type="string"
> > string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%$year%-%$month%-%$day%-%PROGRAMNAME%.log")
> >
> > If an input comes in on IMTCP from this source, I want to apply the
> > template above, otherwise, I want to apply this template:
> > template(name="RemoteServer" type="string"
> > string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%PROGRAMNAME%.log")
> >
> > The latter template is currently the template bound to my imtcp module but
> > I can't make a modification to it because it is used for all inbound tcp
> > logs. I have a specific log naming format I need to apply to a single
> > source for now as a test. Subject to the test working, it will be applied
> > to all logs but to just drop it in and impact all logs isn't acceptable. I
> > also can't just add a secondary listener due to firewall rules that would
> > take too long to get updated just for a test.
> >
> > Here's the relevant configuration as it is. It validates fine (rsyslogd -N 1)
> > but I am not seeing the new logfile name format from the rule. The old
> > format is still being applied even to the target IP logs.
> >
> > #### RULES ####
> >
> > template(name="RemoteServer" type="string"
> > string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%PROGRAMNAME%.log")
> > template(name="RemoteServer1" type="string"
> > string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%$year%-%$month%-%$day%-%PROGRAMNAME%.log")
> >
> > ruleset(name="DynRemoteServer"){
> > action(type="omfile" dynaFile="RemoteServer")
> > }
> >
> > # module imptcp
> > module(load="imptcp" threads="8" ProcessOnPoller="off")
> >
> > # to test new log file name rules
> > if $fromhost-ip == '10.40.83.207' then {
> > action(type="omfile" dynafile="RemoteServer1")
> > stop
> > }
> >
> > input(type="imptcp" port="10514" ruleset="DynRemoteServer")
> >
> > #kern.* /dev/console
> > *.info;mail.none;authpriv.none;cron.none /var/log/messages
> > authpriv.* /var/log/secure
> > mail.* /var/log/maillog
> > cron.* /var/log/cron
> > *.emerg :omusrmsg:*
> > uucp,news.crit /var/log/spooler
> > local7.* /var/log/boot.log
> > ~
> >
> > I hope this helps better understand my objective and thanks for your help.
> >
> > *Scott Slattery*
> > *Sr. Systems & Cloud Architect*
> > *Cloud, Compute, Information & Architecture Team*
> > motorolasolutions.com
> > *O: 602.529.8226*
> > *E*: scott.slatt...@motorolasolutions.com
> >
> > On Tue, Mar 16, 2021 at 2:31 PM David Lang <da...@lang.hm> wrote:
> >
> >> yes, you can create a ruleset for an input and then have it contain a rule for a
> >> specific host, or you can call a ruleset after an if statement
> >>
> >> I don't understand fully what you are trying to do that makes this hard.
> >>
> >> do you have an example of a config that you think should work that doesn't?
> >>
> >> David Lang
> >>
> >> On Tue, 16 Mar 2021, Scott Slattery via rsyslog wrote:
> >>
> >>> Date: Tue, 16 Mar 2021 13:48:20 -0700
> >>> From: Scott Slattery via rsyslog <rsyslog@lists.adiscon.com>
> >>> To: rsyslog-users <rsyslog@lists.adiscon.com>
> >>> Cc: Scott Slattery <scott.slatt...@motorolasolutions.com>
> >>> Subject: [rsyslog] Ruleset on IMTCP (or IMPTCP)
> >>>
> >>> Is it possible to selectively apply a dynamic file template to input from
> >>> IMTCP based on a specific host like the following?
> >>>
> >>> ##### Rule ####
> >>> if $fromhost-ip == '10.40.83.207' then {
> >>> action(type="omfile" dynafile="RemoteServer1")
> >>> stop
> >>> }
> >>>
> >>> input(type="imptcp" port="10514" ruleset="RemoteServer")
> >>>
> >>> ##### End Rule ####
> >>>
> >>> My log files are on a central log collector (where this rule is applied)
> >>> but it doesn't seem to be working. No error in when I validate syntax but
> >>> no logfiles as expected.
> >>>
> >>> Since my central log collector is behind a firewall, I can't easily (nor
> >>> quickly) add an additional bind port with another input so I'm trying to
> >>> prototype the above logic using a rule.
> >>>
> >>> I also don't want to apply the rule to every incoming TCP logfile until I
> >>> have performed this validation.
> >>>
> >>> Any guidance is much appreciated.
> >>>
> >>> *Scott Slattery*
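
The change David Lang describes in the thread, with the source test moved inside the ruleset bound to the input, written out as an added example; it is not taken from either poster's message and the updated configuration itself was not posted. Template names, ruleset name, port and IP address are reused from the quoted configuration.

```conf
# Added example: per-source file naming inside the input's ruleset.

template(name="RemoteServer" type="string"
         string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%PROGRAMNAME%.log")
template(name="RemoteServer1" type="string"
         string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%$year%-%$month%-%$day%-%PROGRAMNAME%.log")

module(load="imptcp" threads="8" ProcessOnPoller="off")

ruleset(name="DynRemoteServer") {
    # Messages from the test source get the date-prefixed file name.
    # "stop" ends processing for that message, so the default action
    # below does not write a second copy under the old name.
    if $fromhost-ip == '10.40.83.207' then {
        action(type="omfile" dynaFile="RemoteServer1")
        stop
    }

    # Every other sender on this input keeps the existing naming scheme.
    action(type="omfile" dynaFile="RemoteServer")
}

# Everything received on this port is handled only by the ruleset above;
# rules placed outside it are never evaluated for these messages.
input(type="imptcp" port="10514" ruleset="DynRemoteServer")
```

Check the syntax with `rsyslogd -N 1`, as in the thread, before restarting the collector.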