Quoting Yuri Bushmelev <[email protected]>:
Hello!
Please consider to stop using the $ThisConfigSyntaxStyle as "it will make
your life miserable" (c) Rainer Gerhards. There is a nice new syntax, made
more than 10 years ago.
I guess this is more or less what you're looking for:
```
input(type="imptcp" name="remote_tcp" port="514" ruleset="remote1")

# One dynamic file name per log type; %HOSTNAME% is filled in per message
template(name="TmplVPXMsg" type="string"
         string="/var/log/remote/netscaler/%HOSTNAME%/netscalerlog")
template(name="TmplAppfwMsg" type="string"
         string="/var/log/remote/netscaler/%HOSTNAME%/appfwlog")
template(name="TmplCiscoRouterMsg" type="string"
         string="/var/log/remote/cisco/router/%HOSTNAME%/routerlog")

ruleset(name="remote1") {
    if $msg contains 'VPX' then {
        # dynaFile must name a template defined above
        action(type="omfile" name="netscaler_vpx_file"
               dynaFile="TmplVPXMsg")
    } else if $msg contains 'br01' then {
        action(type="omfile" name="cisco_router_file"
               dynaFile="TmplCiscoRouterMsg")
    } else if $msg contains 'appfw' then {
        action(type="omfile" name="netscaler_appfw_file"
               dynaFile="TmplAppfwMsg")
    }
}
```
There is still some space for improvements though. I'd suggest creating
different inputs for different kinds of logs. This way you can speed up
processing a bit (because `if $msg contains ...` is slow). Do not overuse
local variables though ($.something).
```
# Assuming VPX and appfw logs are coming from the same device
# Otherwise easier to create one more input and remove `if $msg contains` completely
input(type="imptcp" name="netscaler" port="2514" ruleset="netscaler")
input(type="imptcp" name="cisco_router" port="2515" ruleset="cisco_router")

# /var/log/remote/netscaler/%HOSTNAME%/<vpx|appfw>log
template(name="TmplNetscalerMsg" type="list") {
    constant(value="/var/log/remote/netscaler/")
    property(name="hostname")
    constant(value="/")
    property(name="$.ns_type")
    constant(value="log")
}
template(name="TmplCiscoRouterMsg" type="string"
         string="/var/log/remote/cisco/router/%HOSTNAME%/routerlog")

ruleset(name="netscaler") {
    # Set the local variable that the list template uses in the file name
    if $msg contains 'VPX' then {
        set $.ns_type = "vpx";
    } else if $msg contains 'appfw' then {
        set $.ns_type = "appfw";
    } else {
        set $.ns_type = "UNKNOWN";
    }
    action(type="omfile" name="netscaler_appfw_file"
           dynaFile="TmplNetscalerMsg")
}

ruleset(name="cisco_router") {
    action(type="omfile" name="cisco_router_file"
           dynaFile="TmplCiscoRouterMsg")
}
```
All this knowledge I got from reading the Rsyslog docs here:
https://www.rsyslog.com/doc/v8-stable/configuration/index.html
Yes, it's not that well structured but still worth reading if you're using
Rsyslog a lot.
On Thu, 9 Sept 2021 at 13:53, lists--- via rsyslog <
[email protected]> wrote:
I can successfully have logs going to the correct files under
/var/log/remote/%HOSTNAME%/whatever, with the following template:
```
$template TmplAuthpriv, "/var/log/remote/%HOSTNAME%/secure"
$template TmplMsg, "/var/log/remote/%HOSTNAME%/messages"
$template TmplCron, "/var/log/remote/%HOSTNAME%/cron"
$template TmplMail, "/var/log/remote/smtp/%HOSTNAME%/maillog"
$template TmplCmd, "/var/log/remote/%HOSTNAME%/cmd"
```
and following ruleset:
```
$RuleSet justlogs
*.info;mail.none;authpriv.none;cron.none ?TmplMsg
$RuleSet RSYSLOG_DefaultRuleset
$InputTCPServerBindRuleset justlogs
$InputTCPServerRun 514
```
And direct some logs into specific folders, a la:
```
ruleset(name="remote1"){
    if $msg contains 'VPX' then {
        action(type="omfile"
               file="/var/log/remote/netscaler/netscalerlog")
    }
    if $msg contains 'br01' then {
        action(type="omfile"
               file="/var/log/remote/cisco/router/routerlog")
    }
    if $msg contains 'appfw' then {
        action(type="omfile"
               file="/var/log/remote/netscaler/appfwlog")
    }
}
$RuleSet RSYSLOG_DefaultRuleset #End the rule set by switching back to the default rule set
$InputTCPServerBindRuleset remote1 #Define a new input and bind it to the "remote1" rule set
$InputTCPServerRun 514
```
But not both at the same time! I've tried smashing the rulesets
together, but no joy.
Reading the manual makes my brain hurt. And the online rsyslog.conf
builder isn't working for me.
Pointers appreciated!
TIA
Pete
--
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
--
Yury Bushmelev
Thanks Yuri
This is all good, but rsyslog doesn't like the config!
```
rsyslogd: version 8.24.0-57.el7_9.1, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: input module name 'imptcp' is unknown [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/2209 ]
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 101: parameter 'ruleset' not known -- typo in config file? [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 101: parameter 'port' not known -- typo in config file? [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 101: parameter 'name' not known -- typo in config file? [v8.24.0-57.el7_9.1 try http://www.rsyslog.com/e/2207 ]
```
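Added example, not part of any post in this thread and not the rsyslog project's own configuration: one way to get both behaviours from the original question (per-host `messages` files and the device-specific files) from a single listener on port 514. It loads `imptcp` with `module(load=...)` before the `input()` that uses it, which is what the first error in the validation output above complains about. Assumptions made here: the ruleset name `remote`, the action name `remote_messages`, the use of the `secpath-replace` property option, and that messages matched as device logs should not also be written to `messages`.

```conf
# Added example; names marked "assumed" are not from the thread.
module(load="imptcp")   # an input module must be loaded before input() can use it

# One listener bound to one ruleset ("remote" is an assumed name)
input(type="imptcp" name="remote_tcp" port="514" ruleset="remote")

# %HOSTNAME% comes from the sender. secpath-replace turns any "/" in it
# into "_", so the value cannot add path components to the file name.
template(name="TmplMsg" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/messages")
template(name="TmplVPXMsg" type="string"
         string="/var/log/remote/netscaler/%HOSTNAME:::secpath-replace%/netscalerlog")
template(name="TmplAppfwMsg" type="string"
         string="/var/log/remote/netscaler/%HOSTNAME:::secpath-replace%/appfwlog")
template(name="TmplCiscoRouterMsg" type="string"
         string="/var/log/remote/cisco/router/%HOSTNAME:::secpath-replace%/routerlog")

ruleset(name="remote") {
    # Device-specific matches first, as in the thread's ruleset
    if $msg contains 'VPX' then {
        action(type="omfile" name="netscaler_vpx_file"
               dynaFile="TmplVPXMsg")
    } else if $msg contains 'br01' then {
        action(type="omfile" name="cisco_router_file"
               dynaFile="TmplCiscoRouterMsg")
    } else if $msg contains 'appfw' then {
        action(type="omfile" name="netscaler_appfw_file"
               dynaFile="TmplAppfwMsg")
    } else if prifilt("*.info;mail.none;authpriv.none;cron.none") then {
        # Everything else: the selector from the original "justlogs" ruleset,
        # written to the per-host messages file ("remote_messages" is assumed)
        action(type="omfile" name="remote_messages"
               dynaFile="TmplMsg")
    }
}
```

The configuration can be checked with `rsyslogd -N1`, the level 1 validation run shown in the output above, before the service is restarted.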