I'm trying to set up a central loghost (UDP and TCP) using the version
included in RHEL. I have come up with several partially working
configs but none work exactly as I need.
As of RHEL 5.2 rsyslog is now included, which is great news. Here's the
version:
$ rpm -q rsyslog
rsyslog-2.0.0-11.el5
$ /sbin/rsyslogd -v
rsyslogd 2.0.0, compiled with:
FEATURE_PTHREADS (dual-threading): Yes
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: Yes
FEATURE_NETZIP (message compression): Yes
SYSLOG_INET (Internet/remote support): Yes
FEATURE_GSSAPI (GSSAPI Kerberos 5 support): No
FEATURE_DEBUG (debug build, slow code): No
See http://www.rsyslog.com for more information.
In a nutshell, here's what I need my config to have:
1.) TCP and UDP logging
2.) Local messages from the loghost itself go to /var/log/...
3.) Remote messages go to /syslog/YYYY/MM/DD/HOSTNAME/...
4.) Additionally, I have several logs that are matched on the message
content and go into separate log files.
5.) All messages go into a named pipe (which a 3rd party security tool
reads from and analyzes the data)
From the above, numbers 2, 3 and 4 are the ones I'm having trouble
with. Individually I can make each work but getting them all working in
harmony has been a bit of a battle... I want to avoid duplicate logging
so that the local loghost logs are in /var and remote logs in /syslog.
Additionally, the messages that are matched on their content I want to
ONLY show up in the files designated for them. However, the named pipe
should get everything.
If anyone has a similar config for this version of rsyslog that they
could share I'd appreciate it immensely.
Thanks,
Sam
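An added example config, written here to show the rule ordering this set of requirements needs; it is not Sam's config nor anything shipped by the rsyslog project, and it uses the legacy rsyslog 2.x syntax. The hostname `loghost`, the pipe path, the match strings and the file names are placeholders, and the `$YEAR`/`$MONTH`/`$DAY` system properties are assumed to be available in the 2.0.0 build.

```conf
# Network reception: in rsyslog 2.x this is enabled with command-line
# flags rather than config directives, e.g. in /etc/sysconfig/rsyslog:
#   SYSLOGD_OPTIONS="-r -t 514"      (-r = UDP on 514, -t = TCP on port 514)

# Template for remote hosts: /syslog/YYYY/MM/DD/HOSTNAME/messages
# (assumes the $YEAR/$MONTH/$DAY system properties exist in 2.0.0)
$template RemoteFile,"/syslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/messages"

# 5) Everything, from every source, goes to the named pipe FIRST, before
#    any rule below can discard it. The pipe path is a placeholder.
*.*                                         |/var/run/seclog.pipe

# 4) Content-matched messages: write them to their own file, then discard
#    ("& ~") so they reach neither /var/log nor /syslog. Match strings are
#    constructed examples.
:msg, contains, "sshd"                      /syslog/matched/sshd.log
& ~
:msg, regex, "FW-[0-9]+"                    /syslog/matched/firewall.log
& ~

# 3) Anything not generated on the loghost itself is remote: store it via
#    the dynamic template and discard it so it skips the local rules.
#    "loghost" must match the name rsyslog uses for local messages exactly.
:fromhost, !isequal, "loghost"              ?RemoteFile
& ~

# 2) Only locally generated messages are left by now; standard RHEL layout.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     *
```

Rule order is the whole trick: rules are evaluated top to bottom and `~` only stops a message from reaching later rules, so the pipe line must come first and each discard must sit directly after the file it feeds. Check with `hostname` (and any reverse DNS on the box) whether the loghost names itself with a short name or an FQDN, since `isequal` compares the literal string.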