3 Replies Latest reply on Sep 16, 2016 2:31 PM by clath13

    Can you syslog to 2 devices?


      Can I just add a second daemon.info line to the rsyslog.conf file to send my logs to a 2nd source?



        • 1. Re: Can you syslog to 2 devices?


          Just add a second line.

          • 2. Re: Can you syslog to 2 devices?
            Jon Scholten

            You can indeed by adding a second line! But....


            You might also want to consider sending specifically formatted messages to specific destinations.


            Say you have a McAfee ESM and a splunk. The ESM logline uses the Nitro format, and the Splunk format uses CEF (for example).


            To send a message to the syslog daemon we have this rule in the logging cycle, 6 = Info:


            ESM is already configured as:

            daemon.info @esm

            OR possibly:

            *.* @esm


            If you do the following for splunk:

            daemon.info @splunk


            This would mean that esm and splunk receive both messages (the nitro format, and the splunk format).

            1. McAfeeWG|time_stamp=[01/Jan/2015:02:12:31 +0800]|auth_user=jsmith|src_ip=|server_ip=|host=www.mca fee.com|url_port=80|status_code=301|bytes_from_client=279|bytes_to_client=1149|c ategories=Business, Software/Hardware|rep_level=Minimal Risk|method=GET|url=http://www.mcafee.com/|media_type=text/html|application_name=|user_agent=Mozilla /5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)|block_res=0|block_reason=|virus_name=|hash=|filename=|filesize=753 | 
            2. CEF:0|McAfee|Web Gateway|7.3.2|301|Proxy--|2|rt=Sep 02 2013 16:55:57 cat=Access Log dst= dhost=www.mcafee.com suser=jsmith src= requestMethod=GET request=http://www.mcafee.com/ app=HTTP cs3=HTTP/1.1 cs3Label=Protocol/Version cs4=Business, Software/Hardware cs4Label=URL Categories cs6=Minimal Risk cs6Label=Reputation fileType=text/html out=1182 requestClientApplication=Mozilla/5.0 Firefox/23.0 cs1= cs1Label=Virus Name cn1=0 cn1Label=Block Reason cs5=Default cs5Label=Policy 


            If we want ESM to only get #1, and splunk to only get #2, we would modify the logging rule to use 7 (debug) instead of 6 (info). In the rsyslog conf we would have a line like:

            daemon.=debug @splunk


            This would ensure only daemon.debug events are sent to the second syslog server (splunk).


            Hope this helps. If it doesnt matter what message is sent where, then adding a second line would be fine.


            Best Regards.


            • 3. Re: Can you syslog to 2 devices?

              Hi Jon,

              That is helpful.

              Thank you,