Rsyslog filtering


How can I forward different app/service log messages from one server to a central rsyslog server? Clarification: server1: swift (all in one); server2: rsyslog. Swift log location: /var/log/swift/all/log (server1). sshd log location: /var/log/secure (server1).

I want to store the swift and sshd logs on server2 in different locations. The issue is that server2 is taking the logs into the different locations, but both locations are storing the logs from both all.log and secure!! How can I filter?

This is the server1 (swift) rsyslog.conf:

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

# swift log: forward to the remote rsyslog server
$ModLoad imfile
$InputFileName /var/log/swift/all.log
$InputFileTag swift-log
$InputFileStateFile swift-log
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
local7.*                  @rsyslog.labtest.com

# sshd log: forward to the remote rsyslog server
# (note: same facility, local7, as the swift tail above, so the receiver cannot
# tell the two streams apart by facility; the second local7.* rule below also
# forwards every local7 message a second time)
$ModLoad imfile
$InputFileName /var/log/secure
$InputFileTag sshd
$InputFileStateFile var-log-secure
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
# send on TCP
# local7.*                                @@rsyslog.labtest.com
# # send on UDP
local7.*                  @rsyslog.labtest.com

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

And the server2 (rsyslog) rsyslog.conf:

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state


#### RULES ####

#:fromhost, isequal, "swift.labtest.com" /var/log/swift.log
#:fromhost, isequal, "swift.labtest.com" ~

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
#
#
# (both dynafile rules below select local7.*, and so does the boot.log rule
# above, so every forwarded message is written to all of those files)
$template swift, "/var/log/swift/swift.log"
local7.*                                -?swift

$template sshd, "/var/log/sshd/sshd.log"
local7.*                                -?sshd

As you read the messages from files via imfile, you assign tags (swift-log and sshd respectively). You can use these tags on the receiving server for filtering, like:

if $syslogtag == "sshd" {
  action(type="omfile" file="/var/log/secure")
} else if $syslogtag == "swift-log" {
  action(type="omfile" file="/var/log/swift")
}

Alternatively, you can change the imfile configuration to assign different facilities to the tailed files (say local6 and local7) and use BSD-style config for filtering, like:

local6.* /var/log/secure # assuming local6 is assigned to the sshd logs
local7.* /var/log/swift  # and local7 to the swift logs

You can find the list of properties you can use here: http://www.rsyslog.com/doc/master/configuration/properties.html

And information on using conditionals and other tricks here: http://www.rsyslog.com/doc/master/rainerscript/index.html

Though for some of these things you may need to upgrade to a recent version of rsyslog (e.g. 8.13 is the latest, while many distros still come with 5.x). You can find packages for popular distros here: http://www.rsyslog.com/downloads/download-other/
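As an added example (not part of the question or the answer above), the following Python script models what server2 actually receives from server1's two imfile tails and runs the three rule sets discussed on this page over it: the config as posted (both tails on local7), the answer's $syslogtag conditional, and the answer's local6/local7 split. Each forwarded line is built the way rsyslog's BSD format puts it on the wire, <PRI>TIMESTAMP HOST TAG: MSG with PRI = facility*8 + severity, so you can see the concrete values (local7.info is <190>, local6.info is <182>) and why a receiver cannot separate two streams that share both. The host names swift.labtest.com and evil.labtest.com, the log lines, and the trusted_host parameter are constructed for this demo; the file paths are the ones from the page.

```python
# Added example, not from the question or answer above: a Python model of what
# server2 receives from server1's imfile tails and how each rule set routes it.
# Host names (swift.labtest.com, evil.labtest.com) and the log lines are
# constructed for this demo; the file paths are the ones used on the page.
from collections import defaultdict
import re

# Facility and severity codes from RFC 3164; PRI = facility * 8 + severity.
FACILITIES = {"auth": 4, "authpriv": 10, "local6": 22, "local7": 23}
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def encode(facility, severity, host, tag, msg, ts="May  4 09:15:02"):
    """Build the datagram the sender emits for one tailed line, with the
    facility/severity from $InputFileFacility/$InputFileSeverity and the
    tag from $InputFileTag."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    return f"<{pri}>{ts} {host} {tag}: {msg}"


# <PRI>TIMESTAMP HOST TAG: MSG  (BSD syslog line as forwarded by rsyslog)
RFC3164 = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+):\s?(.*)$")


def parse(line):
    """Receiver side: recover the properties rsyslog exposes as
    $syslogfacility-text, $syslogseverity, $fromhost and $syslogtag.
    (rsyslog keeps a trailing ':' in $syslogtag; it is stripped here so the
    value equals the tag exactly as written in $InputFileTag.)"""
    m = RFC3164.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    pri = int(m.group(1))
    return {"facility": FACILITY_NAMES.get(pri >> 3, str(pri >> 3)),
            "severity": pri & 7, "fromhost": m.group(3),
            "syslogtag": m.group(4), "msg": m.group(5)}


def route_as_posted(m):
    """server2 as posted: the stock boot.log rule and both dynafile templates
    all select local7.*, so every message lands in all three files."""
    if m["facility"] == "local7":
        return ["/var/log/boot.log", "/var/log/swift/swift.log",
                "/var/log/sshd/sshd.log"]
    return []


def route_by_tag(m, trusted_host="swift.labtest.com"):
    """The answer's $syslogtag conditional, with the page's commented-out
    fromhost check re-enabled so a stray sender cannot pick the tag and
    write into /var/log/secure (trusted_host is an assumption)."""
    if m["fromhost"] != trusted_host:
        return []
    if m["syslogtag"] == "sshd":
        return ["/var/log/secure"]
    if m["syslogtag"] == "swift-log":
        return ["/var/log/swift"]
    return []


def route_by_facility(m):
    """The answer's second option: local6 for the sshd tail, local7 for swift."""
    return {"local6": ["/var/log/secure"],
            "local7": ["/var/log/swift"]}.get(m["facility"], [])


def deliver(lines, router):
    """Run every received line through one rule set; returns path -> messages."""
    files = defaultdict(list)
    for line in lines:
        m = parse(line)
        for path in router(m):
            files[path].append(m["msg"])
    return dict(files)


# Constructed sample lines (not real logs).
SWIFT_MSG = "proxy-server: 10.0.0.5 GET /v1/AUTH_test/c HTTP/1.0 200"
SSHD_MSG = "sshd[2211]: Accepted publickey for admin from 10.0.0.9 port 51522"
FORGED_MSG = "sshd[1]: Accepted password for root from 10.0.0.66 port 4444"

# What server1's posted config sends: both tails tagged, both as local7.info.
AS_POSTED = [
    encode("local7", "info", "swift.labtest.com", "swift-log", SWIFT_MSG),
    encode("local7", "info", "swift.labtest.com", "sshd", SSHD_MSG),
]
# A third host that can reach UDP/514 and chooses the "sshd" tag itself.
FORGED = encode("local7", "info", "evil.labtest.com", "sshd", FORGED_MSG)

# After changing the sshd tail to $InputFileFacility local6 on server1.
BY_FACILITY = [
    encode("local7", "info", "swift.labtest.com", "swift-log", SWIFT_MSG),
    encode("local6", "info", "swift.labtest.com", "sshd", SSHD_MSG),
]

if __name__ == "__main__":
    for name, lines, router in [("as posted", AS_POSTED, route_as_posted),
                                ("by tag + fromhost", AS_POSTED + [FORGED], route_by_tag),
                                ("by facility", BY_FACILITY, route_by_facility)]:
        print(f"== {name}")
        for path, msgs in sorted(deliver(lines, router).items()):
            print(f"{path}: {len(msgs)} message(s)")
```

Running it shows the posted rule set writing both streams to all three files, the tag-based rules isolating them (and dropping the forged line because it did not come from the expected host), and the facility split isolating them too but still accepting the forged local7 line into the swift file. The last case is the caveat to keep in mind with either fix: plain UDP syslog carries no sender authentication, so facility and tag are chosen by whoever sends the datagram; the `:fromhost` gate that the page left commented out (or the TCP `@@` forwarder it also shows, which at least ties a stream to a connection) is what turns the tag or facility into something worth routing on.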

