Mailing List Archive

Ruleset on IMTCP (or IMPTCP)
Is it possible to selectively apply a dynamic file template to input from
IMTCP based on a specific host like the following?

##### Rule ####
if $fromhost-ip == '10.40.83.207' then {
action(type="omfile" dynafile="RemoteServer1")
stop
}

input(type="imptcp" port="10514" ruleset="RemoteServer")

##### End Rule ####

My log files are on a central log collector (where this rule is applied)
but it doesn't seem to be working. No error when I validate syntax but
no logfiles as expected.

Since my central log collector is behind a firewall, I can't easily (nor
quickly) add an additional bind port with another input so I'm trying to
prototype the above logic using a rule.

I also don't want to apply the rule to every incoming TCP logfile until I
have performed this validation.

Any guidance is much appreciated.

*Scott Slattery*

--


*For more information on how and why we collect your personal
information, please visit our Privacy Policy
<https://www.motorolasolutions.com/en_us/about/privacy-policy.html?elqTrackId=8980d888905940e39a2613a7a3dcb0a7&elqaid=2786&elqat=2#privacystatement>.*
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Ruleset on IMTCP (or IMPTCP) [ In reply to ]
yes, you can create a ruleset for an input and then have it contain a rule for a
specific host, or you can call a ruleset after an if statement

I don't understand fully what you are trying to do that makes this hard.

do you have an example of a config that you think should work that doesn't?

David Lang

On Tue, 16 Mar 2021, Scott Slattery via rsyslog wrote:

> Date: Tue, 16 Mar 2021 13:48:20 -0700
> From: Scott Slattery via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Scott Slattery <scott.slattery@motorolasolutions.com>
> Subject: [rsyslog] Ruleset on IMTCP (or IMPTCP)
Re: Ruleset on IMTCP (or IMPTCP) [ In reply to ]
Thanks David, here's what I have but doesn't seem to be working. Part of
the problem, as I mentioned, is I can't make a major change that would
impact all the logs coming from the various sources. This is a central
collector. So, what I'm trying to do is to selectively handle input logs
from a single source. In this case it's server 10.40.83.207.

The overall objective is to change the logfile name format for a specific
source using this template:

template(name="RemoteServer1" type="string"
string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%$year%-%$month%-%$day%-%PROGRAMNAME%.log")

If an input comes in on IMTCP from this source, I want to apply the
template above, otherwise, I want to apply this template:
template(name="RemoteServer" type="string"
string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%PROGRAMNAME%.log")

The latter template is currently the template bound to my imtcp module but
I can't make a modification to it because it is used for all inbound tcp
logs. I have a specific log naming format I need to apply to a single
source for now as a test. Subject to the test working, it will be applied
to all logs but to just drop it in and impact all logs isn't acceptable. I
also can't just add a secondary listener due to firewall rules that would
take too long to get updated just for a test.


Here's the relevant configuration as it is. It validates fine (rsyslogd -N
1) but I am not seeing the new logfile name format from the rule. The old
format is still being applied even to the target IP logs.

#### RULES ####

template(name="RemoteServer" type="string"
string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%PROGRAMNAME%.log")
template(name="RemoteServer1" type="string"
string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%$year%-%$month%-%$day%-%PROGRAMNAME%.log")

ruleset(name="DynRemoteServer"){
action(type="omfile" dynaFile="RemoteServer")
}

# module imptcp
module(load="imptcp" threads="8" ProcessOnPoller="off")

# to test new log file name rules
if $fromhost-ip == '10.40.83.207' then {
action(type="omfile" dynafile="RemoteServer1")
stop
}

input(type="imptcp" port="10514" ruleset="DynRemoteServer")

#kern.* /dev/console
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
~

I hope this helps better understand my objective and thanks for your help.

*Scott Slattery*

*Sr. Systems & Cloud Architect*

*Cloud, Compute, Information & Architecture Team*

motorolasolutions.com

*O: 602.529.8226*

*E*: Scott.Slattery@MotorolaSolutions.com




On Tue, Mar 16, 2021 at 2:31 PM David Lang <david@lang.hm> wrote:

> yes, you can create a ruleset for an input and then have it contain a rule for a
> specific host, or you can call a ruleset after an if statement
>
> I don't understand fully what you are trying to do that makes this hard.
>
> do you have an example of a config that you think should work that doesn't?
>
> David Lang
Re: Ruleset on IMTCP (or IMPTCP) [ In reply to ]
so you have it configured that anything that arrives over port 10514 is
processed by the ruleset "DynRemoteServer"

which consists of the configuration:

action(type="omfile" dynaFile="RemoteServer")

after which it is done processing logs. So if you want to have any if statements
about the source, you need to do it inside that ruleset.

any other rules in the config are not evaluated for the logs that arrive via
this input.

David Lang


On Tue, 16 Mar 2021, Scott Slattery wrote:

> Date: Tue, 16 Mar 2021 14:43:58 -0700
> From: Scott Slattery <scott.slattery@motorolasolutions.com>
> To: David Lang <david@lang.hm>
> Cc: Scott Slattery via rsyslog <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Ruleset on IMTCP (or IMPTCP)
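
The fix described in the reply above, written out as an added example (not part of the original thread): the host check moves inside the "DynRemoteServer" ruleset that the imptcp input is bound to. Templates, port and IP are taken from the posted configuration; the ruleset name "TestNaming" in the commented variant is hypothetical.

```rsyslog
# Templates unchanged from the posted configuration.
template(name="RemoteServer" type="string"
         string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%PROGRAMNAME%.log")
template(name="RemoteServer1" type="string"
         string="/splunklog/remote/%FROMHOST%-%FROMHOST-IP%/%$year%-%$month%-%$day%-%PROGRAMNAME%.log")

module(load="imptcp" threads="8" ProcessOnPoller="off")

# Messages from an input bound to a ruleset are processed by that ruleset
# only. Rules written at the top level of the config (the default ruleset)
# are never evaluated for them, so the per-host test has to live here.
ruleset(name="DynRemoteServer") {
    # $fromhost-ip is the address of the peer that connected to this
    # collector; if the test host sends through a relay, match the
    # relay's address instead.
    if $fromhost-ip == '10.40.83.207' then {
        action(type="omfile" dynaFile="RemoteServer1")   # new dated file name
        stop                                             # skip the old-format action
    }
    # Every other sender keeps the existing file name format.
    action(type="omfile" dynaFile="RemoteServer")
}

input(type="imptcp" port="10514" ruleset="DynRemoteServer")

# Variant using "call a ruleset after an if statement" (TestNaming is a
# hypothetical name): define
#   ruleset(name="TestNaming") { action(type="omfile" dynaFile="RemoteServer1") }
# and replace the action inside the if block above with
#   call TestNaming
# keeping the "stop" after it.
```

`rsyslogd -N 1` accepts both the original and this version because it checks syntax only, not which ruleset a message reaches; the routing is confirmed when a dated file for 10.40.83.207 appears under /splunklog/remote/.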
Re: Ruleset on IMTCP (or IMPTCP) [ In reply to ]
Thank you so much David. I'll give your suggestion a try. Looks like I was
on the right path but failed to realize it must be in the ruleset block.


*Scott Slattery*





On Tue, Mar 16, 2021 at 2:55 PM David Lang <david@lang.hm> wrote:

> so you have it configured that anything that arrives over port 10514 is
> processed by the ruleset "DynRemoteServer"
>
> which consists of the configuration:
>
> action(type="omfile" dynaFile="RemoteServer")
>
> after which it is done processing logs. So if you want to have any if statements
> about the source, you need to do it inside that ruleset.
>
> any other rules in the config are not evaluated for the logs that arrive via
> this input.
>
> David Lang
Re: Ruleset on IMTCP (or IMPTCP) [ In reply to ]
I just made the update and works fine... you're a genius. Thanks again.

*Scott Slattery*
