I would like to configure rsyslog so that it keeps logs generated by the localhost in /var/log/messages but stores any logs that come in via TCP 514 in one of these 4 directories:
$template http,"/var/log/splunk-syslog/UTM/%HOSTNAME%/http_logs/%HOSTNAME%-%$day%.log"
$template packetfilter,"/var/log/splunk-syslog/UTM/%HOSTNAME%/packetfilter_logs/%HOSTNAME%-%$day%.log"
$template ips,"/var/log/splunk-syslog/UTM/%HOSTNAME%/ips_logs/%HOSTNAME%-%$day%.log"
:msg, contains, "http" ?http
:msg, contains, "packetfilter" ?packetfilter
:msg, contains, "ips" ?ips
So, as you can see, messages that contain "http" go into the /http_logs/... folder.
Now this config has 2 issues:
1. It picks up localhost messages as well that have "http" in them and saves them in these directories, which I don't want to happen. I want these templates to only apply to traffic coming in on TCP 514.
2. I also want to have a 4th folder, so that if the TCP 514 traffic doesn't contain "http", "packetfilter" or "ips" it can go into that folder. At the moment those messages are ending up under /var/log/messages.
The easiest way to accomplish that is to bind the UDP 514 input to a ruleset and put the templates and actions for the UDP traffic into that ruleset. That way, that configuration will not apply to the local logs.
But how would I do that?
This is what I have so far:
The bit below listens to port TCP 514 and binds that traffic to ruleset_1
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514" ruleset="ruleset_1")
Then I have the RemoteHost template applied to all traffic from ruleset_1, which tells it to save files in the directory listed below.
$RuleSet ruleset_1
*.* ?RemoteHost
$template RemoteHost,"/var/log/splunk-syslog/UTM/%HOSTNAME%/%HOSTNAME%-%$DAY%-%$MONTH%-%$YEAR%.log"
You probably need to place the template definition above the action.
And why would you lose the option to filter? Inside the ruleset you can define your actions just like you had them before, including the filters (technically *.* is also a filter).
So combining your original config with your attempt at introducing a ruleset:
$RuleSet ruleset_1
$template http,"/var/log/splunk-syslog/UTM/%HOSTNAME%/http_logs/%HOSTNAME%-%$day%.log"
$template packetfilter,"/var/log/splunk-syslog/UTM/%HOSTNAME%/packetfilter_logs/%HOSTNAME%-%$day%.log"
$template ips,"/var/log/splunk-syslog/UTM/%HOSTNAME%/ips_logs/%HOSTNAME%-%$day%.log"
:msg, contains, "http" ?http
:msg, contains, "packetfilter" ?packetfilter
:msg, contains, "ips" ?ips
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514" ruleset="ruleset_1")
And how, on top of these 3 templates, do I add a 4th one saying that if the message doesn't contain any of the phrases specified in the other templates then it should be put in yet another directory?
Just add a *.* ?default-template rule.
And make sure to add a & stop (stop command; & ~ in older rsyslog versions) after each of the first 3 rules, otherwise messages that match one of the filters will still also be processed against the next rules.
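To show the two points of this answer together (filters with a stop after each match, plus a catch-all at the end of the ruleset), here is a complete configuration as an added example; it is not from the thread and not a file from the asker's system. It uses the newer RainerScript syntax rather than the legacy $template/$RuleSet form of the posts above, and the ruleset name "remote_utm", the template names "utm_*" and the "other_logs" directory are assumed names chosen for the example.

```rsyslog
# Added example, not from the thread. Assumed names: ruleset "remote_utm",
# templates "utm_*", catch-all directory "other_logs".
module(load="imtcp")
# Only messages received on TCP 514 are routed into this ruleset; local
# messages never enter it and keep going to /var/log/messages via the
# default rules elsewhere in the configuration.
input(type="imtcp" port="514" ruleset="remote_utm")

# Templates are declared at global scope, before the ruleset that uses them.
template(name="utm_http" type="string"
         string="/var/log/splunk-syslog/UTM/%HOSTNAME%/http_logs/%HOSTNAME%-%$day%.log")
template(name="utm_packetfilter" type="string"
         string="/var/log/splunk-syslog/UTM/%HOSTNAME%/packetfilter_logs/%HOSTNAME%-%$day%.log")
template(name="utm_ips" type="string"
         string="/var/log/splunk-syslog/UTM/%HOSTNAME%/ips_logs/%HOSTNAME%-%$day%.log")
# 4th template: everything that matched none of the three filters
template(name="utm_other" type="string"
         string="/var/log/splunk-syslog/UTM/%HOSTNAME%/other_logs/%HOSTNAME%-%$day%.log")

ruleset(name="remote_utm") {
    # "contains" is a case-sensitive substring test on the message text,
    # so "http" also matches "https"; the order of the tests therefore matters.
    if $msg contains "http" then {
        action(type="omfile" dynaFile="utm_http")
        # stop here so the message is not also tested against the rules below
        stop
    }
    if $msg contains "packetfilter" then {
        action(type="omfile" dynaFile="utm_packetfilter")
        stop
    }
    if $msg contains "ips" then {
        action(type="omfile" dynaFile="utm_ips")
        stop
    }
    # Reached only by messages that matched none of the filters above:
    # the equivalent of the "*.* ?default-template" rule from the answer.
    action(type="omfile" dynaFile="utm_other")
}
```

In the legacy syntax of the posts above the same effect is obtained by putting a "& stop" line directly after each of the three ":msg, contains, ..." lines and a "*.* ?default-template" line at the end of the ruleset. One thing to keep in mind when building directory names from %HOSTNAME%: that value is taken from the header of the received message, i.e. it is whatever the sending device put there, not the address the connection came from. If the directory layout should follow the TCP peer instead, rsyslog's %fromhost-ip% property can be used in the template string.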
@MedralaG, did this solution work out for you? If so: appreciated if you could mark this answer as accepted, such that it is clear for others that later on find this discussion that this solution works 🙂
Sorry, I was away for a couple of weeks.
When I have a chance I will look at it but I think you might be right, this might work.