rsyslog将日志从防火墙写入到/ var / log / message以及特定文件

时间:2019-03-14 09:20:53

标签: rsyslog

我已将防火墙配置为将其日志发送到端口601上的服务器。

我已经在服务器上配置了rsyslog.cong文件,如下所示:

$ModLoad imtcp
$InputTCPServerRun 601

$template DailyPerHostLogs,"/var/log/stormshield/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log"
    *.* -?DailyPerHostLogs


module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket; 
              # local messages are retrieved through imjournal now.
module(load="imjournal"         # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal


#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")

# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

使用这样的配置文件,日志既写在/ var / log / messages中,又写在/var/log/stormshield/SN287F81K1870D9/2019-03-14.log中。

如果我写以下内容:

if $fromhost-ip == '10.0.20.254' then {
    $template DailyPerHostLogs,"/var/log/stormshield/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log"
    *.* -?DailyPerHostLogs
}

什么都没写。

如果我添加&〜就像我在这里看到的(https://www.rsyslog.com/storing-messages-from-a-remote-system-into-a-specific-file/

$template DailyPerHostLogs,"/var/log/stormshield/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log"
*.* -?DailyPerHostLogs
& ~

rsyslog服务无法启动。

error during parsing file /etc/rsyslog.conf, on or before line 114: STOP is followed by unreachable statements!  [v8.39.0 try http://www.rsyslog.com/e/2207 ]

那么我该如何配置rsyslog以仅从该文件/var/log/stormshield/SN287F81K1870D9/2019-03-14.log中的防火墙输出日志?

0 个答案:

没有答案
相关问题
最新问题