RHEL 5.9 with rsyslog 3.22
Splunk 5.0.2
Universal Forwarder installed, with the intention of monitoring logs processed by rsyslog.
I have little to no knowledge of rsyslog. I have searched splunk-base extensively for example configurations.
We have 5-6 data sources coming in on two different UDP ports.
514 contains 4-5 of these data sources (Cisco FWSM, DNS, routers, switches, etc.)
516 contains Palo Alto.
The log sources go to a log repeater, which we can forward on any port to the rsyslog/UF. So, going with high ports.
10514
10515
10516, etc
Need an rsyslog.conf example with filters to break out the 514 data sources into directories by hostname. Will use logrotate to clean up after ingest by UF. Have 500GB coming in daily, so we can only keep 12 hours or so on the rsyslog server for "buffer".
We are running into issues with the older style selector/rule contexts. Everyone seems to have switched to the new context in the rsyslog.conf file, which I am not entirely sure is supported in rsyslog v3.22.
I also notice every time I start rsyslog it runs with the -c 5 option for backwards compatibility. It yells at me to use -c3 to eliminate backwards compatibility due to that causing other issues. I wonder if that is part of the problem. I have manually run it with -c3 and it cleans up the errors in the logs, but no joy on filtering and breaking out the configs to the degree I am looking for.
The config below does work, but I don't have "matching" sample data to test with logger or nc. However, what I do test with (from Mac or RHEL /var/log files) using nc and logger does break it out by host, but it also copies it to /var/log/messages even when connecting with "nc -u 192.168.56.50 10514".
Appreciate any help or pointers to other answers. Looking for an actual real world "working" rsyslog.conf and matching UF inputs.conf. I seem to learn by example 🙂
syslog-ng is not an option, as it is not approved software.
```
#### MODULES ####

# Provides kernel logging support (previously done by rklogd)
$ModLoad imklog
# Provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock

# --------------------------------------------------------------------------------
# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerRun 10514
$UDPServerRun 10515
$UDPServerRun 10516
$UDPServerRun 10517
$UDPServerRun 10518

# --------------------------------------------------------------------------------
#### GLOBAL DIRECTIVES ####
$umask 0000
$DirCreateMode 0775
$FileCreateMode 0640
$FileOwner root
$FileGroup root
$DirOwner root
$DirGroup root

# --------------------------------------------------------------------------------
# Use traditional timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# --------------------------------------------------------------------------------
#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

# Per-host, per-hour dynamic file name for everything (the '-' makes the write asynchronous).
# Note: this rule has no filter, so every message also matches the rules above it.
$template DailyPerHostLogs,"/opt/netlogs/%HOSTNAME%/%HOSTNAME%-%$YEAR%%$MONTH%%$DAY%%$HOUR%.log"
*.* -?DailyPerHostLogs
```
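For comparison, here is what a legacy-syntax rsyslog.conf for this layout can look like, added here as an example (it is not the poster's file and not something shipped with rsyslog). It assumes rsyslog 3.22 started with -c3, that the repeater delivers the 514 sources on 10514 and Palo Alto on 10516, that the Universal Forwarder runs as a group named `splunk` (placeholder), and that Palo Alto hostnames start with `pa-` (placeholder for whatever naming scheme the devices use). The duplication into /var/log/messages in the posted config comes from rule order: the unfiltered `*.*` template rule sits after the stock local rules, so a network message matches both. The fix is to handle network-sourced messages first and discard them with `& ~` so the stock rules never see them. The `fromhost-ip` property and the `startswith` comparison are assumed to exist in the 3.22 build; check them against the documentation shipped with the package.

```conf
# /etc/rsyslog.conf for rsyslog 3.x (legacy $Directive syntax, run with -c3).
# Added example, not the poster's config. Group name and "pa-" prefix are placeholders.

#### MODULES ####
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imudp
$UDPServerRun 10514
$UDPServerRun 10516

#### GLOBAL DIRECTIVES ####
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Do not use umask 0000 / 0775 directories: the UF only needs read access.
$umask 0022
$DirCreateMode 0750
$FileCreateMode 0640
$FileOwner root
$FileGroup splunk
$DirOwner root
$DirGroup splunk
# Many hosts x hourly files means many open handles; raise the dynafile cache
# (tune for the number of distinct hostnames seen per hour).
$DynaFileCacheSize 100

#### TEMPLATES ####
# One directory per device hostname, one file per hour inside it.
$template PerHostHourly,"/opt/netlogs/%HOSTNAME%/%HOSTNAME%-%$YEAR%%$MONTH%%$DAY%%$HOUR%.log"
# Same layout under a separate tree so the UF can give Palo Alto its own sourcetype.
$template PaloAltoHourly,"/opt/netlogs/paloalto/%HOSTNAME%/%HOSTNAME%-%$YEAR%%$MONTH%%$DAY%%$HOUR%.log"

#### RULES: network sources first, each followed by a discard ####
# Palo Alto, selected by hostname prefix (placeholder "pa-").
:hostname, startswith, "pa-" -?PaloAltoHourly
& ~

# Everything else that did not originate on this box (imuxsock/imklog messages
# carry 127.0.0.1 as fromhost-ip) goes to its per-host directory, then is dropped
# so it never reaches the local rules below.
:fromhost-ip, !isequal, "127.0.0.1" -?PerHostHourly
& ~

#### RULES: local system only (stock RHEL rules) ####
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
```

Because the 12-hour retention is enforced by deleting hourly files, the directories stay small and the only thing that has to be right is that rsyslog, logrotate and the UF agree on the path layout; keep the template strings and the monitor stanzas pointing at the same `/opt/netlogs` tree.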
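The matching Universal Forwarder inputs.conf, again an added example rather than the poster's or Splunk's own file. It assumes the rsyslog layout above (`/opt/netlogs/<host>/<host>-YYYYMMDDHH.log`, with Palo Alto under `/opt/netlogs/paloalto/<host>/`), and the index and sourcetype names are placeholders. The Splunk `host` field is taken from the directory name rather than parsed from each event, which is what the per-host directories buy you.

```conf
# $SPLUNK_HOME/etc/system/local/inputs.conf on the rsyslog/UF host.
# Added example. Index and sourcetype values are placeholders.

# All 514-port device logs: /opt/netlogs/<host>/<host>-YYYYMMDDHH.log
[monitor:///opt/netlogs]
disabled = false
index = netlogs
sourcetype = syslog
# Path segments are counted from 1: /opt(1)/netlogs(2)/<host>(3)
host_segment = 3
# The Palo Alto tree has its own stanza below.
blacklist = ^/opt/netlogs/paloalto/
# Hourly files are removed by logrotate roughly 12h after they stop changing;
# stop polling anything that has gone quiet for longer than a day.
ignoreOlderThan = 1d

# Palo Alto: /opt/netlogs/paloalto/<host>/<host>-YYYYMMDDHH.log
[monitor:///opt/netlogs/paloalto]
disabled = false
index = netlogs
sourcetype = pan:log
# /opt(1)/netlogs(2)/paloalto(3)/<host>(4)
host_segment = 4
ignoreOlderThan = 1d
```

The UF needs read access to every file rsyslog creates, which is why the rsyslog side sets a dedicated group on `$FileGroup`/`$DirGroup` with mode 0640/0750 instead of a wide-open umask; check with `sudo -u splunk cat` on one hourly file before turning the inputs on.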