
Multiple rulesets for one input

Thu Jul 06, 2017 6:38 am

Hi all,

I am trying to configure Rsyslog with one listening port (UDP 514) for different types of devices. Some devices are Cisco routers and others are not. I know that Cisco devices use a different syslog message format. Therefore, I made a ruleset like the one below:

# Load the UDP input and the Cisco IOS parser module used below
module(load="imudp")
module(load="pmciscoios")

parser(name="custom.ciscoios.withOrigin" type="pmciscoios" present.origin="on")
ruleset(name="ios" parser="custom.ciscoios.withOrigin") {
    action(type="omfile" file="/var/log/ciscoios")
}

input(type="imudp" port="514" ruleset="ios")

I believe the code above means that the ios ruleset will be applied to whatever Rsyslog receives via UDP 514. If that is true, syslog messages from other, non-Cisco devices will also go through the ios ruleset and, as a result, will be written into the /var/log/ciscoios file. I want to avoid this. Is there any way to achieve this? Or is it not possible with only one listening port? Thank you.
