Old 01-21-2020, 01:49 AM   #1
Forward only critical logs to centralized Rsyslog server


rpm -qa|grep rsyslog

Red Hat OS = 8.0
Rsyslog client = SolarWinds-LogForwarder-FreeTool-v1.2.0

systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor pre>
Active: active (running) since Sat 2020-01-11 10:15:55 PKT; 1 weeks 3 days a>


The Rsyslog server is working fine. Windows OS, Cisco switches and the HUAWEI firewall are sending their logs to the centralized Rsyslog server successfully. I want all of them (Windows OS, Cisco switches and HUAWEI firewall) to send only critical log information to the centralized Rsyslog server.

Last edited by z_haseeb; 01-21-2020 at 01:56 AM.
Old 01-21-2020, 03:27 AM   #2
To send only critical information to the central logging server, you will have to configure Windows and the Cisco and Huawei devices accordingly. To me, this looks out of scope for LinuxQuestions.

But perhaps it's OK to send all information to the rsyslog server and only keep the critical messages in log files. If so, you can change the rules in the rsyslog config file.

Here are two sample rules:
# Log cron stuff
cron.*                                                  /var/log/cron

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
The string on the left consists of log facility (cron, uucp, news) plus priority (* meaning any priority, crit meaning critical). The string on the right is the log file.

Assuming your Windows, Huawei and Cisco facilities are local1, local2 and local3, respectively, you can do this:
local1.crit                     /var/log/windows.log
local2.crit                     /var/log/huawei.log
local3.crit                     /var/log/cisco.log
I am not sure if it is necessary or makes sense to then redirect local[123].* to /dev/null. Worth a try.

Last edited by berndbausch; 01-21-2020 at 03:28 AM.
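
The selector semantics described in the reply above, modelled in Python as an added example (it is not part of the thread and is not rsyslog's own code): it decodes the <PRI> value at the start of each message and reports which of the three localN.crit rules would write it. The local1/local2/local3 mapping is the reply's assumption, and the sample messages are constructed.

```python
import re

# Standard syslog severity names; index = numeric severity (0 is most severe).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Facility codes for local0..local7 are 16..23.
FACILITIES = {f"local{i}": 16 + i for i in range(8)}

# The three rules from the reply, as (facility, priority, file).
RULES = [
    ("local1", "crit", "/var/log/windows.log"),
    ("local2", "crit", "/var/log/huawei.log"),
    ("local3", "crit", "/var/log/cisco.log"),
]

PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """Return (facility_code, severity) from the leading <PRI>, or None."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:   # 191 = local7.debug, the largest PRI
        return None
    return divmod(int(m.group(1)), 8)    # PRI = facility * 8 + severity

def route(line, rules=RULES):
    """Return the files a message is written to under the given rules.

    A selector 'facility.priority' matches that priority and every more
    severe one, i.e. numeric severity <= the named level.
    """
    pri = decode_pri(line)
    if pri is None:
        return []
    facility, severity = pri
    return [path for fac, level, path in rules
            if FACILITIES[fac] == facility and severity <= SEVERITIES.index(level)]

# Constructed sample messages (not taken from the thread).
SAMPLES = [
    "<138>Jan 21 01:49:00 win01 app: volume offline",  # local1.crit
    "<139>Jan 21 01:49:05 win01 app: service error",   # local1.err
    "<150>Jan 21 01:50:00 fw01 session: built",        # local2.info
    "<153>Jan 21 01:51:00 sw01 env: fan failure",      # local3.alert
    "<86>Jan 21 01:52:00 host sshd: accepted",         # authpriv.info
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(route(s) or "not kept", "<-", s)
```

A device that logs with a facility other than the one assumed for it matches none of these rules, so confirm the facility each sender actually uses before relying on them.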

