Rsyslog log split to new path with IP


ismailctest C

Apr 27, 2023, 10:17:39 PM
to Wazuh mailing list
Hi,
I am forwarding TCP logs and collecting them using Rsyslog; please find the configuration (rsyslog.conf) below, which is working fine.
In this configuration, all TCP 6514 logs are saved in the data33.log file.

Requirement:  If logs are coming from the IP 192.168.1.34, then all logs must be saved in data34.log.
If logs are coming from the IP 192.168.1.35, then all logs must be saved in data35.log.
 
All remaining logs must be saved in the already-existing path, data33.log (if matching the top 2 IP addresses, logs should never arrive at data33.log).

global(
    defaultNetstreamDriver         = "gtls"
    defaultNetstreamDriverCAFile   = "/etc/rsyslog-keys/ca.crt"
    defaultNetstreamDriverCertFile = "/etc/rsyslog-keys/file.crt"
    defaultNetstreamDriverKeyFile  = "/etc/rsyslog-keys/file.key"
)
module(
    load                  = "imtcp"
    StreamDriver.Name     = "gtls"
    StreamDriver.Mode     = "1"
    StreamDriver.AuthMode = "anon"
)
 
template (name="rawmessage" type="string" string="%timegenerated% %FROMHOST-IP% %rawmsg-after-pri%\n")

ruleset(name="remote") {
    action(type="omfile" File="/var/log/remote_test/data33.log" Template="rawmessage")
    stop
}

input(type="imtcp" port="6514" AddtlFrameDelimiter="0" ruleset="remote")

ismailctest C

Apr 30, 2023, 11:55:22 AM
to Wazuh mailing list
Hi Team,
Kindly support on this.

Mario Andres Ruiz Hernandez

May 3, 2023, 9:03:46 PM
to Wazuh mailing list
Hi, 

let me take a look at this.

Mario Andres Ruiz Hernandez

May 10, 2023, 1:56:00 AM
to Wazuh mailing list
Hi,

It seems to need custom logic in your rsyslog.conf. That being said, it's helpful to check the official documentation for rsyslog, especially the control structures section: https://www.rsyslog.com/doc/v8-stable/rainerscript/control_structures.html
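The control-structure approach the reply points to, written out against the original poster's configuration, as an added example that is not part of any post in this thread. The TLS, template and input lines are copied from the first post; the `if`/`else if`/`else` routing inside the `remote` ruleset and the data34.log / data35.log file paths are the added part, and the two IP addresses are the ones the requirement names. Messages from 192.168.1.34 and 192.168.1.35 hit their own branch and `stop`, so they never reach the data33.log fallback.

```rsyslog
# rsyslog.conf (RainerScript) - per-sender file split for the "remote" ruleset.
# Added example, not the original poster's file; the routing block is the new part.

global(
    defaultNetstreamDriver         = "gtls"
    defaultNetstreamDriverCAFile   = "/etc/rsyslog-keys/ca.crt"
    defaultNetstreamDriverCertFile = "/etc/rsyslog-keys/file.crt"
    defaultNetstreamDriverKeyFile  = "/etc/rsyslog-keys/file.key"
)

module(
    load                  = "imtcp"
    StreamDriver.Name     = "gtls"
    StreamDriver.Mode     = "1"
    # "anon" encrypts the session but does not verify the sender's certificate,
    # so the per-file split below rests only on the TCP peer address in $fromhost-ip.
    StreamDriver.AuthMode = "anon"
)

template(name="rawmessage" type="string"
         string="%timegenerated% %FROMHOST-IP% %rawmsg-after-pri%\n")

ruleset(name="remote") {
    # $fromhost-ip is the address of the peer that delivered the message over TCP.
    if $fromhost-ip == "192.168.1.34" then {
        action(type="omfile" File="/var/log/remote_test/data34.log" Template="rawmessage")
        stop    # handled; never falls through to data33.log
    } else if $fromhost-ip == "192.168.1.35" then {
        action(type="omfile" File="/var/log/remote_test/data35.log" Template="rawmessage")
        stop
    } else {
        # every other sender keeps the existing destination
        action(type="omfile" File="/var/log/remote_test/data33.log" Template="rawmessage")
        stop
    }
}

input(type="imtcp" port="6514" AddtlFrameDelimiter="0" ruleset="remote")
```

Check the file with `rsyslogd -N1` before restarting, then send a test line from each of the two hosts and confirm it lands only in its own file. If the sender hosts present client certificates, switching `StreamDriver.AuthMode` to `"x509/name"` with a `PermittedPeer` list ties the routing to an authenticated identity rather than to the peer address alone.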
