LinuxQuestions.org
Old 01-21-2020, 01:49 AM   #1
z_haseeb
Member
Registered: Jun 2008
Posts: 109

Rep: Reputation: 0
Forward only critical logs to centralized Rsyslog server


ENVIRONMENT

rpm -qa|grep rsyslog
rsyslog-8.37.0-9.el8.x86_64
rsyslog-mysql-8.37.0-9.el8.x86_64

Red Hat OS = 8.0
Rsyslog client = SolarWinds-LogForwarder-FreeTool-v1.2.0

systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor pre>
Active: active (running) since Sat 2020-01-11 10:15:55 PKT; 1 weeks 3 days a>

QUERY

Rsyslog server is working fine. Windows OS, Cisco switches and HUAWEI firewall are sending the logs to the centralized Rsyslog server successfully. I want all of them (Windows OS, Cisco switches and HUAWEI firewall) to send only critical log information to the centralized Rsyslog server.

Last edited by z_haseeb; 01-21-2020 at 01:56 AM.
Old 01-21-2020, 03:27 AM   #2
berndbausch
Senior Member
Registered: Nov 2013
Location: Tokyo
Distribution: A few
Posts: 4,142

Rep: Reputation: 1165
To send only critical information to the central logging server, you will have to configure Windows and the Cisco and Huawei devices accordingly. To me, this looks out of scope for LinuxQuestions.

But perhaps it's OK to send all information to the rsyslog server and only keep the critical messages in log files. If so, you can change the rules in the rsyslog config file.

Here are two sample rules:
Code:
# Log cron stuff
cron.*                                                  /var/log/cron

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
The string on the left consists of the log facility (cron, uucp, news) plus a priority (* meaning any priority, crit meaning critical). The string on the right is the log file.

Assuming your Windows, Huawei and Cisco facilities are local1, local2 and local3, respectively, you can do this:
Code:
local1.crit                     /var/log/windows.log
local2.crit                     /var/log/huawei.log
local3.crit                     /var/log/cisco.log
I am not sure if it is necessary or makes sense to then redirect local[123].* to /dev/null. Worth a try.

Last edited by berndbausch; 01-21-2020 at 03:28 AM.
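As an added example (not code from the thread), a small Python model of how rsyslog's legacy selectors pick messages: a `facility.priority` selector catches that priority and everything more severe, and a `stop` action (legacy `~`) discards the message for all later rules, which is the usual way to drop the non-critical local1-3 traffic instead of writing it to /dev/null. The PRI values and the rule set are constructed for illustration.

```python
# Added example, not from the thread: model of rsyslog's legacy selector
# semantics. Facility/severity numbers follow RFC 5424 (PRI = fac*8 + sev).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
# List index == numeric severity; lower numbers are more severe.
SEVERITIES = "emerg alert crit err warning notice info debug".split()

def decode_pri(pri):
    """Split the <PRI> header value into (facility, severity) numbers."""
    return pri // 8, pri % 8

def selector_matches(selector, facility, severity):
    """True if a 'fac1,fac2.priority' selector matches the message.
    As in syslog.conf a named priority means that level and everything
    more severe: 'local1.crit' catches alert and emerg but not err.
    """
    fac_part, prio_part = selector.rsplit(".", 1)
    facs = fac_part.split(",")
    if "*" not in facs and facility not in [FACILITIES[f] for f in facs]:
        return False
    return prio_part == "*" or severity <= SEVERITIES.index(prio_part)

def route(rules, pri):
    """Return the targets a message with this PRI is written to.
    rules is an ordered list of (selector, target) evaluated top to
    bottom; target "stop" models rsyslog's 'stop' action (legacy '~'),
    which discards the message for every later rule.
    """
    facility, severity = decode_pri(pri)
    targets = []
    for selector, target in rules:
        if selector_matches(selector, facility, severity):
            if target == "stop":
                break
            targets.append(target)
    return targets

# The three rules from the reply, then drop the rest of local1-3 so the
# non-critical device traffic never reaches the catch-all messages file.
RULES = [
    ("local1.crit", "/var/log/windows.log"),
    ("local2.crit", "/var/log/huawei.log"),
    ("local3.crit", "/var/log/cisco.log"),
    ("local1,local2,local3.*", "stop"),
    ("*.info", "/var/log/messages"),
]
```

Without the `stop` rule, a local1 `info` message would still land in /var/log/messages via the catch-all, which is the situation the question about redirecting `local[123].*` is really about.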