...
| Code Block |
|---|
local0.* /usr/local/nmis8/logs/local0.log local1.* /usr/local/nmis8/logs/local1.log local2.* /usr/local/nmis8/logs/local2.log local3.* /usr/local/nmis8/logs/local3.log local4.* /usr/local/nmis8/logs/local4.log local5.* /usr/local/nmis8/logs/local5.log local6.* /usr/local/nmis8/logs/local6.log local7.* /usr/local/nmis8/logs/local7.log |
Configure syslog reception for remote Linux hosts
Based on the table above the following would be the configuration
| Code Block |
|---|
$template LinuxLogs,"%timegenerated%.%timegenerated:::date-subseconds% %HOSTNAME% %syslogtag%%msg%\n"
if $fromhost-ip != '127.0.0.1' \
and $syslogseverity <= '6' \
and $syslogfacility <= '15' \
then /usr/local/nmis8/logs/linux.log;LinuxLogs |
Handling Different Times and Time Zones
...
| Code Block |
|---|
# enable the imfile module for file monitoring $ModLoad imfile $WorkDirectory /var/spool/rsyslog # Monitor the file $InputFileName /var/log/messages $InputFileTag : $InputFileStateFile messages_log $InputFileSeverity error $InputFileFacility local6 $InputFilePollInterval 1 $InputFilePersistStateInterval 1 $InputRunFileMonitor # forward these logs to another server local6.* @192.168.1.7:514 |
Remote Linux Server
The following rsyslog config will send all syslogs which are sourced localy with a severity 0-6 to the remote server.
| Code Block |
|---|
$template LinuxMnemonic,"%timereported% %HOSTNAME% %syslogfacility-text%-%syslogseverity%-%syslogtag%%msg%\n"
if $fromhost-ip == '127.0.0.1' and $syslogseverity <= '6' then @192.168.1.7;LinuxMnemonic |
Here we are using a Linux Mnemonic like the Cisco Syslog so that we do not lose the original facility and severity when the message is fowarded.
Example Topology
In the example above all syslog messages received with a facility of local7 will be forwarded to the master server at 10.215.1.5. When this message is forwarded from the poller to the master, the poller will insert its own timestamp into the message.
...