Re: [rsyslog] Struggling with the basics - trying to filter on text AND have logs go to /var/log/remote/yadayada

Wed, 08 Sep 2021 22:59:34 -0700

look at the dynafile option for the action() statement (in the omfile page of the docs) 

David Lang

On Thu, 9 Sep 2021, lists--- via rsyslog wrote:


Date: Thu, 09 Sep 2021 06:53:42 +0100
From: lists--- via rsyslog <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: [rsyslog] Struggling with the basics - trying to filter on text AND
    have logs go to /var/log/remote/yadayada
I can successfully have logs going to the correct files under /var/log/remote/%HOSTNAME%/whatever, with the following template: 

$template TmplAuthpriv, "/var/log/remote/%HOSTNAME%/secure"
$template TmplMsg, "/var/log/remote/%HOSTNAME%/messages"
$template TmplCron, "/var/log/remote/%HOSTNAME%/cron"
$template TmplMail, "/var/log/remote/smtp/%HOSTNAME%/maillog"
$template TmplCmd, "/var/log/remote/%HOSTNAME%/cmd"

and following ruleset:

$RuleSet justlogs
*.info;mail.none;authpriv.none;cron.none   ?TmplMsg
$RuleSet RSYSLOG_DefaultRuleset
$InputTCPServerBindRuleset justlogs
$InputTCPServerRun 514


And direct some logs into specific folders, a la:

ruleset(name="remote1"){
        if $msg contains 'VPX' then {
action(type="omfile" file="/var/log/remote/netscaler/netscalerlog") 
        }
        if $msg contains 'br01' then {
action(type="omfile" file="/var/log/remote/cisco/router/routerlog") 
        }
        if $msg contains 'appfw' then {
action(type="omfile" file="/var/log/remote/netscaler/appfwlog") 
        }
}
$RuleSet RSYSLOG_DefaultRuleset #End the rule set by switching back to the default rule set $InputTCPServerBindRuleset remote1 #Define a new input and bind it to the "remote1" rule set 
$InputTCPServerRun 514
But not both at the same time! I've tried smashing the rulesets together, but no joy.
Reading the manual makes my brain hurt. And the online rsyslog.conf builder isn't working for me. 

Pointers appreciated!

TIA

Pete


_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to