我正在尝试使用以下配置设置 Rsyslog:我监听 514 端口以接收来自不同主机的数据:172.16.111.222、172.16.111.111 和 172.16.222.111。我想将这些日志存储在每个主机的不同文件夹中。所以我做了这个conf:
$ModLoad imudp
$Ruleset RemoteConnections
$RulesetCreateMainQueue on
$ActionQueueType LinkedList
$ActionQueueFileName dbremotecons
$ActionResumeRetryCount -1
*.* ~
$InputUDPServerBindRuleset RemoteConnections
$UDPServerRun 514
if $fromhost-ip=='172.16.111.222' then /var/log/prod1/%FROMHOST-IP%/%syslogfacility-text%.log
& ~
if $fromhost-ip=='172.16.111.111' then /var/log/prod1/%FROMHOST-IP%/%syslogfacility-text%.log
& ~
if $fromhost-ip=='172.16.222.111' then /var/log/product2/%FROMHOST-IP%/%syslogfacility-text%.log
& ~
不幸的是,它不起作用,rsyslog 没有记录任何内容。我不确定“&~”是什么意思,我在网上找到的。
有什么想法让它发挥作用吗?
小智 5
您不能直接在规则中使用占位符。请改用模板。以下应该有效:
$template DynaFile,"/var/log/%FROMHOST-IP%/%syslogfacility-text%.log"
*.* -?DynaFile
或者,为了更接近您的代码:
$template prod1,"/var/log/prod1/%FROMHOST-IP%/%syslogfacility-text%.log"
$template prod2,"/var/log/prod2/%FROMHOST-IP%/%syslogfacility-text%.log"
if $fromhost-ip=='172.16.111.111' then ?prod1
if $fromhost-ip=='172.16.111.222' then ?prod1
if $fromhost-ip=='172.16.222.111' then ?prod2