Mailing List Archive

Separating Log files based on partial IP match
I'm new to rsyslog, and I'm trying to set it up to centralize logging
for a number of devices on my network. I'd like for it to log anything
from my network switch to a single log file, my printers to another log
file, etc. I'm able to separate the devices based on their IP address
(e.g. my switches are in one IP subnet and my printers in another.) I
see how to do per device logging on
http://www.rsyslog.com/Article60.phtml, but I don't see a way to adjust
that to do it based on IP subnet or anything like that. Unfortunately it
looks like both FROMHOST and HOSTNAME are names not IPs, so it's not
even clear if I could filter on that. Any help would be appreciated.
Thanks.

--
Thank You
Jefferson Cowart
Network and Systems Administrator
Claremont University Consortium
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
Re: Separating Log files based on partial IP match
On Thu, 19 Mar 2009, Jefferson Cowart wrote:

> I'm new to rsyslog, and I'm trying to set it up to centralize logging
> for a number of devices on my network. I'd like for it to log anything
> from my network switch to a single log file, my printers to another log
> file, etc. I'm able to separate the devices based on their IP address
> (e.g. my switches are in one IP subnet and my printers in another.) I
> see how to do per device logging on
> http://www.rsyslog.com/Article60.phtml, but I don't see a way to adjust
> that to do it based on IP subnet or anything like that. Unfortunately it
> looks like both FROMHOST and HOSTNAME are names not IPs, so it's not
> even clear if I could filter on that. Any help would be appreciated.
> Thanks.

there is fromhost-ip that will give you the last-hop IP address

I don't see an easy way to do it based on subnets, but take a look at the
rscript stuff that just went into the development branch in the last week
or so. that may give you the hooks needed to do the subnet calculation
that will let you do what you want.

David Lang
Re: Separating Log files based on partial IP match
> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> bounces@lists.adiscon.com] On Behalf Of david@lang.hm
> Sent: Friday, March 20, 2009 12:45 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Separating Log files based on partial IP match
>
> On Thu, 19 Mar 2009, Jefferson Cowart wrote:
>
> > I'm new to rsyslog, and I'm trying to set it up to centralize logging
> > for a number of devices on my network. I'd like for it to log anything
> > from my network switch to a single log file, my printers to another log
> > file, etc. I'm able to separate the devices based on their IP address
> > (e.g. my switches are in one IP subnet and my printers in another.) I
> > see how to do per device logging on
> > http://www.rsyslog.com/Article60.phtml, but I don't see a way to adjust
> > that to do it based on IP subnet or anything like that. Unfortunately it
> > looks like both FROMHOST and HOSTNAME are names not IPs, so it's not
> > even clear if I could filter on that. Any help would be appreciated.
> > Thanks.
>
> there is fromhost-ip that will give you the last-hop IP address
>
> I don't see an easy way to do it based on subnets, but take a look at the
> rscript stuff that just went into the development branch in the last week
> or so. that may give you the hooks needed to do the subnet calculation
> that will let you do what you want.

The only function currently supported is strlen(), but this is a very
interesting use case to extend function support. I think I will add a couple
of functions even without a full loadable interface, just to get some basic
things done. If everything turns out to go smoothly, I can hopefully do this
next week.

In the meantime, I would see if a property-based (regex) filter can do the
job. For a classical class A, B, C net that should be easy to do.

Rainer
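
The property-based filter on fromhost-ip suggested in the replies above, written out as an added example that is not part of the original thread or the rsyslog project's own configuration. The subnets and file paths are constructed assumptions; the second filter goes beyond the classful case to a subnet that does not end on an octet boundary.

```conf
# Added example: subnets and file paths below are constructed assumptions.
# fromhost-ip is the address of the last hop that delivered the message to
# this server, so anything forwarded through a relay carries the relay's IP.

# Switches in 10.20.1.0/24: a subnet on an octet boundary is a prefix match.
# Keep the trailing dot. Without it, "10.20.1" would also match
# 10.20.10.x-10.20.19.x and 10.20.100.x-10.20.199.x.
:fromhost-ip, startswith, "10.20.1." /var/log/network/switches.log
# Discard what the previous filter matched so it is not written again below.
# ("& ~" is the legacy discard action; current releases use "& stop".)
& ~

# Printers in 10.20.4.0/22 (10.20.4.0 - 10.20.7.255): not on an octet
# boundary, so the third-octet range is written as a POSIX extended regex.
# "[.]" matches a literal dot without backslash escapes in the quoted value.
:fromhost-ip, ereregex, "^10[.]20[.][4-7][.]" /var/log/network/printers.log
& ~

# Everything that matched neither subnet falls through to a catch-all file.
*.* /var/log/network/other.log
```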