发送端:
[root@node01 log]# cat /etc/rsyslog.conf
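# Load the imfile input module so plain text files can be tailed as log sources.
module(load="imfile")
# Earlier minimal template (raw message text only), kept for reference.
# The whole statement is held on one commented line with the \n escape; previously the
# closing `")` sat on its own uncommented line, where the config parser would read it.
#template(name="remote" type="string" string="%msg%\n")
# Wire format used by the omfwd action in ruleset "chat":
#   <PRI>TIMESTAMP(rfc3339) HOSTNAME TAG[space]MSG,SOURCE-FILE
# The fields up to MSG follow the layout of rsyslog's built-in RSYSLOG_ForwardFormat;
# the trailing ",<file path>" comes from $!metadata!filename, which is populated only
# because the imfile inputs set addMetadata="on".
# NOTE(review): msg is the raw file line, so a line that itself contains "," makes the
# appended filename field ambiguous for any downstream parser that splits on the last
# or first comma — treat the suffix as untrusted when parsing on the receiver.
template(name="remote" type="list") {
    constant(value="<")
    property(name="pri")
    constant(value=">")
    property(name="timestamp" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="syslogtag" position.from="1" position.to="32")
    property(name="msg" spifno1stsp="on")
    property(name="msg")
    constant(value=",")
    property(name="$!metadata!filename")
}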
# Tail /root/log/a2.log and tag every line "testlog02".
#   Severity / Facility  - each line is stamped local5.info; this feeds the <PRI> field
#                          of the "remote" template.
#   PersistStateInterval - the read-position state file is refreshed every 10 lines.
#   reopenOnTruncate     - reopen the file if it is truncated in place.
#   addMetadata          - attach file metadata to the message; the "remote" template
#                          reads $!metadata!filename from it.
#   ruleset              - lines from this input are processed by ruleset "chat".
# NOTE(review): the source file lives under /root. rsyslogd must be able to read it;
# on hosts with a mandatory access control policy (e.g. SELinux enforcing) reads from
# root's home directory may be denied — verify, or move the logs to a dedicated directory.
input (
type="imfile"
File="/root/log/a2.log"
Tag="testlog02"
PersistStateInterval="10"
reopenOnTruncate="on"
Severity="info"
Facility="local5"
ruleset="chat"
addMetadata ="on"
)
# Same settings for /root/log/a1.log, tagged "testlog01". The tag is the only field
# the receiver rules shown below use to tell the two streams apart.
input (
type="imfile"
File="/root/log/a1.log"
Tag="testlog01"
PersistStateInterval="10"
reopenOnTruncate="on"
Severity="info"
Facility="local5"
ruleset="chat"
addMetadata ="on"
)
# Ruleset bound to both imfile inputs: forward every message to the collector at
# 192.168.137.3:514 over TCP, rendered with the "remote" template.
# NOTE(review): this action sets no TLS stream driver, and none is visible elsewhere in
# this config, so log content would cross the network in clear text and the collector
# has no cryptographic way to authenticate the sender. Confirm whether TLS is configured
# in a part of the file not shown; if not, plan for it before carrying sensitive logs.
# NOTE(review): no action queue or action.resumeRetryCount is set here; confirm what
# happens to lines read while the collector is unreachable (they may be discarded).
ruleset (name="chat"){
action(type="omfwd" Target="192.168.137.3" Port="514" Protocol="tcp" template="remote")
}
接收端:
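## %msg:2:$% (substring from character 2 to end) strips the leading space of the message.
## As written, the template below uses plain %msg%, so that substitution is NOT applied
## here; switch to %msg:2:$% if the leading space is unwanted.
# Output line format: "<msg>,<sender IP>" followed by a newline. The string is kept on one
# line with the \n escape instead of a line break inside the quotes.
# %fromhost-ip% is the address rsyslog received the message from, not a field taken from
# the message text. presumably the direct sender; behind a relay or NAT it is that hop's
# address — verify against the deployment.
template (name="DynFile" type="string" string="%msg%,%fromhost-ip%\n")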
# Route received messages to per-stream files by syslog tag, formatted with "DynFile".
# FileOwner/FileGroup set the owner and group (elk) of files this action creates.
# The network listener (e.g. an imtcp input on port 514) is not part of this excerpt.
# NOTE(review): $syslogtag is supplied by the sender. Any host that can reach the listener
# can emit this tag and append to these files; if that matters, also match on $fromhost-ip
# or authenticate senders at the transport layer (TLS with permitted peers).
# NOTE(review): the files are owned by elk but live under /root/log; the elk user
# normally cannot traverse /root — verify permissions or use a dedicated log directory.
# NOTE(review): there is no `stop` after the action, so matching messages continue to any
# later rules in the same ruleset — confirm that duplication is intended.
if ($syslogtag == "testlog01") then {
action(type="omfile" FileOwner="elk" FileGroup="elk" file="/root/log/testlog01.log" template="DynFile")
}
# Same routing for the second stream.
if ($syslogtag == "testlog02") then {
action(type="omfile" FileOwner="elk" FileGroup="elk" file="/root/log/testlog02.log" template="DynFile")
}