Multiple rulesets operating on the same input file


Postby kjer » Wed Aug 09, 2017 7:40 pm

Here is my current configuration:
Code:
ruleset(name="rsForward" queue.type="Direct") {
  action(name="aFwd" type="omrelp" action.resumeRetryCount="-1" target="10.0.0.55" port="1111" template="ForwardWithHostName")
  stop
}
input(type="imfile" Ruleset="rsForward" file="/var/log/messages" tag="ignored:" Severity="notice" Facility="local0" StateFile="stat-messages" PersistStateInterval="1024")
input(type="imfile" Ruleset="rsForward" file="/var/log/mail" tag="ignored:" Severity="notice" Facility="mail" StateFile="stat-mail" PersistStateInterval="1024")
input(type="imfile" Ruleset="rsForward" file="/var/log/secure" tag="ignored:" Severity="notice" Facility="authpriv" StateFile="stat-secure" PersistStateInterval="1024")


What I would like to change about this is:
- add a second action that uses 'type=omfwd', 'protocol=tcp' and 'target=10.0.0.66'
- this second action will only be sending '/var/log/secure'
- this second action won't be using the same statefile so that if 'target 10.0.0.66' stops responding, 'target 10.0.0.55' will continue to receive logs for all 3 files.

I tried the following (among other things) with no success:
Code:
ruleset(name="rsForward" queue.type="Direct") {
  action(name="aFwd" type="omrelp" action.resumeRetryCount="-1" target="10.0.0.55" port="1111" template="ForwardWithHostName")
  stop
}
input(type="imfile" Ruleset="rsForward" file="/var/log/messages" tag="ignored:" Severity="notice" Facility="local0" StateFile="stat-messages" PersistStateInterval="1024")
input(type="imfile" Ruleset="rsForward" file="/var/log/mail" tag="ignored:" Severity="notice" Facility="mail" StateFile="stat-mail" PersistStateInterval="1024")
input(type="imfile" Ruleset="rsForward" file="/var/log/secure" tag="ignored:" Severity="notice" Facility="authpriv" StateFile="stat-secure" PersistStateInterval="1024")

ruleset(name="rsForward2" queue.type="Direct") {
  action(name="bFwd" type="omfwd" action.resumeRetryCount="-1" target="10.0.0.66" port="2222" template="ForwardWithHostName" protocol="tcp")
  stop
}
input(type="imfile" Ruleset="rsForward2" file="/var/log/secure" tag="ignored:" Severity="notice" Facility="authpriv" StateFile="stat-secure2" PersistStateInterval="1024")


Here is the rsyslogd.log output:
Code:
aFwd: origin=core.action processed=45 failed=0 suspended=0 suspended.duration=0 resumed=0
bFwd: origin=core.action processed=0 failed=0 suspended=0 suspended.duration=0 resumed=0


Any help would be appreciated as I have been banging my head against this for a while now.

edit: I am using rsyslogd 8.21.0
kjer
New
 
Posts: 2
Joined: Wed Aug 09, 2017 7:05 pm


Re: Multiple rulesets operating on the same input file

Postby kjer » Wed Aug 09, 2017 9:46 pm

By the way, I have tried putting the action in the rsForward ruleset, but that doesn't allow for sending just /var/log/secure.
kjer
New
 
Posts: 2
Joined: Wed Aug 09, 2017 7:05 pm
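
An added example, not part of the thread and not the rsyslog project's own configuration: one way to get the behaviour asked for above while keeping a single imfile input per file. /var/log/secure is bound to its own ruleset, and each forwarding action gets its own queue, so independence between the two targets comes from the action queues rather than from a second state file. The ruleset name rsSecure and the queue sizes are assumptions; the template and module loading are assumed to exist as in the poster's setup.

```rsyslog
# Added example (not from the thread). Assumes the imfile and omrelp modules are
# loaded and the ForwardWithHostName template is defined elsewhere, as the
# poster's existing configuration implies. rsSecure and queue.size are assumed.

# All three files end up here. The action has its own queue, so a stalled
# 10.0.0.55 backs up this queue only and does not hold up other actions.
ruleset(name="rsForward" queue.type="Direct") {
  action(name="aFwd" type="omrelp" target="10.0.0.55" port="1111"
         template="ForwardWithHostName" action.resumeRetryCount="-1"
         queue.type="LinkedList" queue.size="10000")
  stop
}

# Only /var/log/secure is bound to this ruleset: send a copy to 10.0.0.66
# through a separate queue, then hand the same message to rsForward.
ruleset(name="rsSecure" queue.type="Direct") {
  action(name="bFwd" type="omfwd" protocol="tcp" target="10.0.0.66" port="2222"
         template="ForwardWithHostName" action.resumeRetryCount="-1"
         queue.type="LinkedList" queue.size="10000")
  call rsForward
  stop
}

input(type="imfile" Ruleset="rsForward" file="/var/log/messages" tag="ignored:"
      Severity="notice" Facility="local0" StateFile="stat-messages"
      PersistStateInterval="1024")
input(type="imfile" Ruleset="rsForward" file="/var/log/mail" tag="ignored:"
      Severity="notice" Facility="mail" StateFile="stat-mail"
      PersistStateInterval="1024")
# One input and one state file for /var/log/secure, feeding both targets.
input(type="imfile" Ruleset="rsSecure" file="/var/log/secure" tag="ignored:"
      Severity="notice" Facility="authpriv" StateFile="stat-secure"
      PersistStateInterval="1024")
```

The queues in this sketch are in memory and bounded, so messages for a target that stays down are dropped once its queue fills; a disk-assisted queue is the usual choice when the authentication log must not lose entries during an outage.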
