rsyslog sending to remote server over TCP not working

fishface
Posts: 27
Joined: 2016/08/02 15:47:42

Post by fishface » 2017/04/28 14:34:38

I have a central rsyslog server to which several servers send logs perfectly fine when using UDP. However, when I add the "@@" to switch to TCP on the log source hosts (HOST2), the logs are no longer received. I have disabled all firewalls and it made no difference.

I also created filters to automatically create directories and name them, all of this works fine as well.

I also tried explicitly setting it at @@10.1.250.10:10514 to match the server, still no joy.

Both hosts - CentOS release 6.9

HOST1 (10.0.0.100) - Remote log server, centralized log store - (Rsyslog 7.4.10)
HOST2 (10.1.250.10) - Forwarding logs to HOST1 - (Rsyslog 7.4.10)

HOST1 (10.0.0.100) - Central log collector - rsyslog.conf

Code:

$ModLoad imklog.so
$ModLoad imudp.so
$ModLoad imtcp.so
$ModLoad imuxsock.so

$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0
$IMUXSockRateLimitBurst 0
$IMUXSockRateLimitInterval 0
$IMUXSockRateLimitSeverity 7


$IncludeConfig /etc/rsyslog.d/
$UDPServerAddress 0.0.0.0
$UDPServerRun 514
# StreamDriverMode 1 = TLS on this listener; x509/certvalid makes rsyslog demand a client
# certificate signed by the CA given in $DefaultNetstreamDriverCAFile (driver gtls).
# Plain TCP senders cannot talk to a mode-1 listener.
$InputTCPServerStreamDriverAuthMode x509/certvalid
$InputTCPServerStreamDriverMode 1
$InputTCPServerRun 10514
$RepeatedMsgReduction on
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
##############Local logging##
if \
        $source == 'host1' \
        and \
               $syslogseverity <= '6' \
        and ( \
                        $syslogfacility-text != 'mail' \
                and \
                        $syslogfacility-text != 'authpriv' \
                and \
                        $syslogfacility-text != 'cron' \
        ) \
then   /var/log/messages;TraditionalFormat
#authpriv.* /var/log/secure;TraditionalFormat
# The authpriv file has restricted access.
#authpriv.*                                              /var/log/secure

if \
        $source == 'host1' \
                and \
        $syslogfacility-text == 'authpriv' \
then    /var/log/secure;TraditionalFormat
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# mail.* /var/log/maillog;TraditionalFormat
# Log cron stuff
#cron.* /var/log/cron;TraditionalFormat
if \
        $source == 'host1' \
                and \
        $syslogfacility-text == 'cron' \
then    /var/log/cron;TraditionalFormat
# Everybody gets emergency messages
#*.emerg *
if \
        $source == 'host1' \
                and \
        $syslogseverity-text == 'emerg' \
then    *

$template DailyPerHostLogs,"/var/log/central/syslog/%$YEAR%/%$MONTH%/%hostname%/%hostname%.%$YEAR%-%$MONTH%-%$DAY%.log"
$template HostAudit, "/var/log/central/audit/%$YEAR%/%$MONTH%/%hostname%/%hostname%.%$YEAR%-%$MONTH%-%$DAY%.log"
$template auditFormat, "%msg%\n"
:syslogtag, startswith, "tag_audit_log" ?HostAudit;auditFormat
& ~


*.* -?DailyPerHostLogs;TraditionalFormat

HOST2 - log source

Code:

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#$ActionFileEnableSync on

$FileCreateMode 0640

$IncludeConfig /etc/rsyslog.d/*.conf


#### RULES ####

kern.*                                                 /var/log/kern.log
auth.*,user.*                                           /var/log/secure
daemon.*                                                /var/log/daemon.log
syslog.*                                                /var/log/syslog


*.info;mail.none;authpriv.none;cron.none                /var/log/messages

authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog

cron.*                                                  /var/log/cron

*.emerg                                                 *

uucp,news.crit                                          /var/log/spooler

local7.*                                                /var/log/boot.log

## Need to stop audit logs going to /var/log/messages as they are already going to /var/log/audit
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none;\
        local6.none           -/var/log/messages

# Send to host1.local
# @@ = TCP. No :port is given, so the default 514 is used, and with no
# $ActionSendStreamDriverMode set the connection is plain TCP (mode 0).
*.*                                                     @@10.0.0.100

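The two configs above disagree on both the port and the transport: HOST1's imtcp listener runs on 10514 with `$InputTCPServerStreamDriverMode 1` (TLS) and `x509/certvalid`, while HOST2's `*.* @@10.0.0.100` is plain TCP to the default port 514, and HOST1 never selects `$DefaultNetstreamDriver gtls` or a CA/cert/key. The script below is an added example, not from the post or from the rsyslog project: it runs a small lint over constructed excerpts of the two configs, flags exactly those mismatches, and carries a corrected TLS pair for comparison. The certificate paths under /etc/pki/rsyslog, the peer names `host1.local` and `*.local`, and the queue name are assumptions.

```shell
#!/bin/sh
# Added example, not from the forum post or the rsyslog project.
# Lints an rsyslog legacy-syntax collector config (HOST1) against a forwarder
# config (HOST2): the imtcp listener's port and StreamDriverMode must match the
# @@ action's port and $ActionSendStreamDriverMode, or nothing is received.
set -eu

# Constructed excerpts: only the TCP-relevant lines of the two posted configs.
POSTED_SERVER='$ModLoad imtcp.so
$InputTCPServerStreamDriverAuthMode x509/certvalid
$InputTCPServerStreamDriverMode 1
$InputTCPServerRun 10514'
POSTED_CLIENT='# Send to host1.local
*.*    @@10.0.0.100'

# Corrected pair. Certificate paths, host1.local and *.local are assumptions;
# the gtls driver needs the rsyslog-gnutls package on CentOS 6.
FIXED_SERVER='$ModLoad imtcp.so
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/rsyslog/ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/host1-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/host1-key.pem
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.local
$InputTCPServerRun 10514'
FIXED_CLIENT='$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/rsyslog/ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/host2-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/host2-key.pem
$ActionQueueType LinkedList
$ActionQueueFileName fwd_host1
$ActionResumeRetryCount -1
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer host1.local
*.*    @@10.0.0.100:10514'

# directive CONF NAME DEFAULT: value of the last "$NAME value" line, else DEFAULT
directive() {
  printf '%s\n' "$1" | awk -v n="\$$2" -v d="$3" \
    '$1 == n { v = $2 } END { print (v == "" ? d : v) }'
}

# forward_target CONF: "host port" of the first uncommented @@host[:port] action
forward_target() {
  ft_line=$(printf '%s\n' "$1" | grep '^[^#]*@@' | head -n 1 || true)
  ft_host=$(printf '%s\n' "$ft_line" | sed -n 's/.*@@\(([^)]*)\)\{0,1\}\([^:[:space:]]*\).*/\2/p')
  ft_port=$(printf '%s\n' "$ft_line" | sed -n 's/.*@@\(([^)]*)\)\{0,1\}[^:[:space:]]*:\([0-9]*\).*/\2/p')
  printf '%s %s\n' "${ft_host:-none}" "${ft_port:-514}"   # 514 = rsyslog default port
}

# check_pair SERVER_CONF CLIENT_CONF: print findings; return 0 only when consistent
check_pair() {
  cp_s_port=$(directive "$1" InputTCPServerRun 0)
  cp_s_mode=$(directive "$1" InputTCPServerStreamDriverMode 0)
  cp_s_drv=$(directive "$1" DefaultNetstreamDriver ptcp)   # ptcp = rsyslog's plain-TCP default
  cp_c_mode=$(directive "$2" ActionSendStreamDriverMode 0)
  set -- $(forward_target "$2")   # now $1 = client target host, $2 = client target port
  cp_rc=0
  if [ "$cp_s_port" != "$2" ]; then
    echo "MISMATCH: client sends to $1:$2, server listens on $cp_s_port"; cp_rc=1
  fi
  if [ "$cp_s_mode" != "$cp_c_mode" ]; then
    echo "MISMATCH: server StreamDriverMode=$cp_s_mode, client ActionSendStreamDriverMode=$cp_c_mode (0=plain TCP, 1=TLS)"; cp_rc=1
  fi
  if [ "$cp_s_mode" = 1 ] && [ "$cp_s_drv" != gtls ]; then
    echo "MISMATCH: server asks for TLS but \$DefaultNetstreamDriver is $cp_s_drv, not gtls"; cp_rc=1
  fi
  [ "$cp_rc" -eq 0 ] && echo "OK: $1:$2, StreamDriverMode $cp_s_mode on both sides"
  return "$cp_rc"
}

echo "== configs as posted =="
check_pair "$POSTED_SERVER" "$POSTED_CLIENT" || true
echo "== corrected TLS pair =="
check_pair "$FIXED_SERVER" "$FIXED_CLIENT"
```

On the real hosts, validate each file with `rsyslogd -N1` before restarting (a mode-1 listener without the gtls driver and certificate files fails at startup, and the reason lands in /var/log/messages), confirm the listener with `ss -ltn` or `netstat -ltn`, and test the TLS handshake from HOST2 with `openssl s_client -connect 10.0.0.100:10514 -CAfile /etc/pki/rsyslog/ca.pem`. The corrected pair uses `x509/name` with a PermittedPeer rather than `x509/certvalid`: certvalid accepts any certificate the CA ever issued, while name pins which peers may send or receive. The disk-assisted queue on HOST2 keeps messages across a collector outage; with plain TCP and no queue they are dropped.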