MonitorWare Knowledge Base

Hello,

how i can split logs from external edge device with two (or more) ip source?

i use rsyslog 4.1

/etc/hosts
1.1.1.1 edge1.dom1
2.2.2.2 edge1.dom2
3.3.3.3 edge2.dom2
4.4.4.4 edge2.dom2

/etc/rsyslog.conf
$template EDGE,"/var/log/edge/%HOSTNAME%.log"
if $fromhost contains 'edge' then ?EDGE

on the edge device only one interface active
and messages from single device (edge1) write to different files (edge1.dom1.log or edge1.dom2.log).

it is possible truncate domain in %HOSTNAME% ?

• Custom written rsyslog.conf?
• Maintenance Contract?
• Installation support?

I don't know whether this will work, but you may be able to make use of the field extraction functions in the property replacer.

http://www.rsyslog.com/doc-property_replacer.html

Something like this:

$template EDGE,"/var/log/edge/%hostname:R,ERE,1,FIELD:([a-zA-z0-9]*)\.--end%.log"

-HKS

hkspvt wrote:$template EDGE,"/var/log/edge/%hostname:R,ERE,1,FIELD:([a-zA-z0-9]*)\.--end%.log"

thank you very much
it's working

if i using rsyslogd 4.1.2 (devel) - working fine

if runing this config with rsyslogd 4.2.0 (stable) - don't working.
rsyslog 4.2.0 create one file /var/log/edge/2009.log with messages from all devices.

my config:
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template EDGE,"/var/log/edge/%hostname:R,ERE,1,FIELD:([a-zA-z0-9]*)\.--end%.log"
if $fromhost contains '.edge.' then ?EDGE