How to configure rsyslog so that it stores them in certain directories?

MedralaG
Communicator

I would like to configure rsyslog so that it keeps logs generated by the localhost in /var/log/messages but stores any logs that come in via TCP 514 in one of 4 directories:

$template http,"/var/log/splunk-syslog/UTM/%HOSTNAME%/http_logs/%HOSTNAME%-%$day%.log"
$template packetfilter,"/var/log/splunk-syslog/UTM/%HOSTNAME%/packetfilter_logs/%HOSTNAME%-%$day%.log"
$template ips,"/var/log/splunk-syslog/UTM/%HOSTNAME%/ips_logs/%HOSTNAME%-%$day%.log"

:msg, contains, "http" ?http
:msg, contains, "packetfilter" ?packetfilter
:msg, contains, "ips" ?ips

So as you can see, messages that contain "http" go into the /http_logs/... folder.
Now this code has 2 issues:
1. It picks up localhost messages as well that have "http" in them and saves them in these directories, which I don't want to happen. I want these templates to only apply to traffic coming in on TCP 514.
2. I also want to have a 4th folder where, if the TCP 514 traffic doesn't contain "http", "packetfilter" or "ips", it can go. At the moment those messages are ending up under /var/log/messages.

0 Karma

FrankVl
Ultra Champion

Easiest way to accomplish that is to bind the UDP 514 input to a ruleset and put the templates and actions for the UDP traffic into that ruleset. That way, that configuration will not apply to the local logs.

0 Karma

MedralaG
Communicator

But how would I do that?
This is what I have so far:

The bit below listens to port TCP 514 and binds that traffic to ruleset_1

module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514" ruleset="ruleset_1")

Then I have the RemoteHost template applied to all traffic from ruleset_1, which tells it to save files in the directory listed below.

$RuleSet ruleset_1
*.* ?RemoteHost

$template RemoteHost,"/var/log/splunk-syslog/UTM/%HOSTNAME%/%HOSTNAME%-%$DAY%-%$MONTH%-%$YEAR%.log"

1. That is coming up with an error message saying that there is something wrong around the line that assigns the RemoteHost template to ruleset_1.
2. I lose the option to filter logs by messages containing "http" or "packetfilter", which I would like to place in a different directory.
0 Karma

FrankVl
Ultra Champion

You probably need to place the template definition above the action.

And why would you lose the option to filter? Inside the ruleset you can define your actions just like you had them before, including the filters (technically *.* is also a filter).

So combining your original config with your attempt at introducing a ruleset:

$RuleSet ruleset_1
$template http,"/var/log/splunk-syslog/UTM/%HOSTNAME%/http_logs/%HOSTNAME%-%$day%.log"
$template packetfilter,"/var/log/splunk-syslog/UTM/%HOSTNAME%/packetfilter_logs/%HOSTNAME%-%$day%.log"
$template ips,"/var/log/splunk-syslog/UTM/%HOSTNAME%/ips_logs/%HOSTNAME%-%$day%.log"

:msg, contains, "http" ?http
:msg, contains, "packetfilter" ?packetfilter
:msg, contains, "ips" ?ips

module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514" ruleset="ruleset_1")
0 Karma

MedralaG
Communicator

And how, on top of these 3 templates, do I add a 4th one saying that if the message doesn't contain any of the phrases specified in the other templates then it should go into yet another directory?

0 Karma

FrankVl
Ultra Champion

Just add a *.* ?default-template rule.

And make sure to add a ;& (stop command) after the first 3 rules, otherwise messages that match one of the filters will still also be processed against the next rules.

0 Karma
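Putting the pieces from this thread together in rsyslog's RainerScript syntax: the TCP/514 input bound to its own ruleset, the three "contains" filters each followed by stop, and a fourth catch-all action. This is an added example, not a config posted by anyone in the thread; the ruleset and template names, the other_logs directory, the file name and the secpath-replace option on %HOSTNAME% (which strips slashes from a value the remote sender controls before it is used to build a path) are my assumptions.

```conf
# /etc/rsyslog.d/10-remote-utm.conf  (assumed file name; added example, not from the thread)

module(load="imtcp")                                   # load the TCP listener once
input(type="imtcp" port="514" ruleset="remote_utm")    # bind TCP/514 to a dedicated ruleset

# Templates are global and must be defined before the actions that reference them.
# %HOSTNAME% comes from the remote message, so secpath-replace turns any "/" into "_"
# before the value becomes part of a file system path.
template(name="utm_http" type="string"
  string="/var/log/splunk-syslog/UTM/%HOSTNAME:::secpath-replace%/http_logs/%HOSTNAME:::secpath-replace%-%$day%.log")
template(name="utm_packetfilter" type="string"
  string="/var/log/splunk-syslog/UTM/%HOSTNAME:::secpath-replace%/packetfilter_logs/%HOSTNAME:::secpath-replace%-%$day%.log")
template(name="utm_ips" type="string"
  string="/var/log/splunk-syslog/UTM/%HOSTNAME:::secpath-replace%/ips_logs/%HOSTNAME:::secpath-replace%-%$day%.log")
template(name="utm_other" type="string"
  string="/var/log/splunk-syslog/UTM/%HOSTNAME:::secpath-replace%/other_logs/%HOSTNAME:::secpath-replace%-%$day%.log")

# Only messages arriving on the TCP/514 input run through this ruleset;
# local logs stay in the default ruleset and keep going to /var/log/messages.
ruleset(name="remote_utm") {
    if $msg contains "http" then {
        action(type="omfile" dynaFile="utm_http" dirCreateMode="0750" fileCreateMode="0640")
        stop        # without stop, the same message would also be tested by the rules below
    }
    if $msg contains "packetfilter" then {
        action(type="omfile" dynaFile="utm_packetfilter" dirCreateMode="0750" fileCreateMode="0640")
        stop
    }
    if $msg contains "ips" then {
        action(type="omfile" dynaFile="utm_ips" dirCreateMode="0750" fileCreateMode="0640")
        stop
    }
    # Fourth directory: everything from TCP/514 that matched none of the filters above.
    # A bound ruleset never falls through to the default rules, so without this line
    # unmatched remote messages would be silently dropped rather than end up in /var/log/messages.
    action(type="omfile" dynaFile="utm_other" dirCreateMode="0750" fileCreateMode="0640")
}
```

Check the syntax with `rsyslogd -N1` before restarting the service; note that "contains" is a plain substring match, so a word such as "ips" also matches any longer word containing it.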

FrankVl
Ultra Champion

@MedralaG, did this solution work out for you? If so: appreciated if you could mark this answer as accepted, such that it is clear for others that later on find this discussion that this solution works 🙂

0 Karma

MedralaG
Communicator

Sorry, I was away for a couple of weeks.
When I have a chance I will look at it, but I think you might be right, this might work.

0 Karma