Thanks, John, let me try to clarify what I mean. Normally when I forward from a remote server to the central log server, I can include a tag that can then be used to determine the file name I want on the central server. Since I have no real way to include this tag from the appliance, this is not an option.
I'm looking for a way of inspecting the incoming packets to determining the source logfile name (which is included in the payload) and use that filename on the target central server. Since there are multiple logs being sent (access, audit, monitor, etc.), I'd like to segregate these into their own files. I'm already using a template with the host information to dynamically create the file names. I just don't know how I can go beyond this to also include the source logname. Here's the template I'm using. It works for all other hosts where I can configure the tag but I get garbage names from the appliance. I had hoped that the appliance included some standard syslog tags but it doesn't seem so. template(name="DynRemoteLogFile" type="string" string="/remote/%FROMHOST%-%FROMHOST-IP%/%$year%-%$month%-%$day%-%app-name%.log") *Scott Slattery* *Sr. Systems & Cloud Architect* *Cloud, Compute, Information & Architecture Team* motorolasolutions.com *O: 602.529.8226* *E*: [email protected] On Tue, Mar 23, 2021 at 3:30 PM John Chivian <[email protected]> wrote: > Your use of the term “file name” is confusing. When senders deliver to > rsyslog over the network there is no exchange of files or filenames, only > packets of information. Those packets are expected to be in a format that > syslog understands such that useful information (header elements and > message body) may be parsed from them. If you as the rsyslog admin choose > to use some of that header information to compose filenames for output > files, then yes you are sort of at the mercy of the senders content > (especially if the sender doesn’t follow the syslog rules). However, there > are functions in the advanced syntax that can be used to perform the type > of character replacements you’re talking about. > > It is common practice to use the syslog header/rsyslog property element > called “hostname” for just such purposes. Is this what you’re talking > about? You’d have to provide your configuration for real analysis, at > least the part you perceive to be responsible for the problem. > > Regards, > > > > > On Mar 23, 2021, at 12:35, Scott Slattery via rsyslog < > [email protected]> wrote: > > > > I have a configured central log collector using rsyslog. A few of the > > devices forwarding their logs are appliances that have no configuration > > options other than the IP forwarding address and protocol. I cannot > control > > what file names are being sent. > > > > Unfortunately, they are sending unintelligible file names with characters > > that normally would be escaped. Is there any way I can control or alter > the > > incoming file name to normalize it to avoid these odd characters? > > > > For example, could I establish a character map that maps the unallowed > > character to something acceptable? > > > > thanks, > > > > *Scott Slattery* > > > > *Sr. Systems & Cloud Architect* > > > > *Cloud, Compute, Information & Architecture Team* > > > > motorolasolutions.com > > > > *O: 602.529.822* > > > > *E*: [email protected] > > > > -- > > > > > > *For more information on how and why we collect your personal > > information, please visit our Privacy Policy > > < > https://www.motorolasolutions.com/en_us/about/privacy-policy.html?elqTrackId=8980d888905940e39a2613a7a3dcb0a7&elqaid=2786&elqat=2#privacystatement > >.* > > _______________________________________________ > > rsyslog mailing list > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.adiscon.net_mailman_listinfo_rsyslog&d=DwIFaQ&c=q3cDpHe1hF8lXU5EFjNM_A&r=9VZN8jOeh6Wq3zsBr6Mr_GSxmEpodGbXQ2UxP3oRpciBnWp1cJKyh3iyX6xKS_Zd&m=F25vuEW_UOr4xhEXRHv4FYzBC10xi8a7L7cY9KDJz-E&s=O-radZKC6RhALSGrunmgfnDcUe0FBEzQXlwVMv4rwrk&e= > > > https://urldefense.proofpoint.com/v2/url?u=http-3A__www.rsyslog.com_professional-2Dservices_&d=DwIFaQ&c=q3cDpHe1hF8lXU5EFjNM_A&r=9VZN8jOeh6Wq3zsBr6Mr_GSxmEpodGbXQ2UxP3oRpciBnWp1cJKyh3iyX6xKS_Zd&m=F25vuEW_UOr4xhEXRHv4FYzBC10xi8a7L7cY9KDJz-E&s=Ujl6rNYsQwlkacdBkNSQI3_ugt9iTahsA2ALpSb1zWA&e= > > What's up with rsyslog? Follow > https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_rgerhards&d=DwIFaQ&c=q3cDpHe1hF8lXU5EFjNM_A&r=9VZN8jOeh6Wq3zsBr6Mr_GSxmEpodGbXQ2UxP3oRpciBnWp1cJKyh3iyX6xKS_Zd&m=F25vuEW_UOr4xhEXRHv4FYzBC10xi8a7L7cY9KDJz-E&s=5gFALcKlKXLfCND69qR14lRU4iA42kMWjsC9PDoIb3Q&e= > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > > -- *For more information on how and why we collect your personal information, please visit our Privacy Policy <https://www.motorolasolutions.com/en_us/about/privacy-policy.html?elqTrackId=8980d888905940e39a2613a7a3dcb0a7&elqaid=2786&elqat=2#privacystatement>.* _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
