3 Replies Latest reply on Sep 16, 2016 2:31 PM by clath13

    Can you syslog to 2 devices?

    clath13

      Can I just add a second daemon.info line to the rsyslog.conf file to send my logs to a 2nd source?

      Thanks,

      Claire

        • 1. Re: Can you syslog to 2 devices?

          Yes.

          Just add a second line.

          • 2. Re: Can you syslog to 2 devices?
            Jon Scholten

            You can indeed by adding a second line! But....


            You might also want to consider sending specifically formatted messages to specific destinations.


            Say you have a McAfee ESM and a Splunk. The ESM logline uses the Nitro format, and the Splunk format uses CEF (for example).


            To send a message to the syslog daemon we have this rule in the logging cycle, 6 = Info:


            ESM is already configured as:

            daemon.info @esm

            OR possibly:

            *.* @esm


            If you do the following for splunk:

            daemon.info @splunk


            This would mean that esm and splunk receive both messages (the nitro format, and the splunk format).

            1. McAfeeWG|time_stamp=[01/Jan/2015:02:12:31 +0800]|auth_user=jsmith|src_ip=10.10.69.1|server_ip=172.224.247.54|host=www.mcafee.com|url_port=80|status_code=301|bytes_from_client=279|bytes_to_client=1149|categories=Business, Software/Hardware|rep_level=Minimal Risk|method=GET|url=http://www.mcafee.com/|media_type=text/html|application_name=|user_agent=Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)|block_res=0|block_reason=|virus_name=|hash=|filename=|filesize=753 |
            2. CEF:0|McAfee|Web Gateway|7.3.2|301|Proxy--|2|rt=Sep 02 2013 16:55:57 cat=Access Log dst=12.234.121.129 dhost=www.mcafee.com suser=jsmith src=10.10.69.1 requestMethod=GET request=http://www.mcafee.com/ app=HTTP cs3=HTTP/1.1 cs3Label=Protocol/Version cs4=Business, Software/Hardware cs4Label=URL Categories cs6=Minimal Risk cs6Label=Reputation fileType=text/html out=1182 requestClientApplication=Mozilla/5.0 Firefox/23.0 cs1= cs1Label=Virus Name cn1=0 cn1Label=Block Reason cs5=Default cs5Label=Policy


            If we want ESM to only get #1, and splunk to only get #2, we would modify the logging rule to use 7 (debug) instead of 6 (info). In the rsyslog conf we would have a line like:

            daemon.=debug @splunk


            This would ensure only daemon.debug events are sent to the second syslog server (splunk).


            Hope this helps. If it doesn't matter what message is sent where, then adding a second line would be fine.


            Best Regards.

            Jon
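The routing behaviour Jon describes can be checked before editing a live rsyslog.conf. The script below is an added example, not code from the thread or from McAfee: it simulates the legacy syslog.conf selector rules (plain priority = that level and higher, `=` exactly that level, `!` except that level and higher, `!=` except exactly that level, `none`) and runs the configurations from the post over constructed sample messages. The host names `esm` and `splunk` are taken from the thread; the message list and the `*.*;daemon.!=debug` variant are my own additions.

```python
# Added example (not from the thread): simulate rsyslog legacy selector
# lines to see which forwarding destination receives which message.
# Semantics follow sysklogd/rsyslog: parts of a selector are applied left
# to right and each one sets or clears priorities for its facilities.
from collections import defaultdict

PRIORITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp"] + \
             [f"local{i}" for i in range(8)]


def _prio(name):
    """Map a priority keyword to its numeric level (lower = more severe)."""
    if name not in PRIORITIES:
        raise ValueError(f"unknown priority {name!r}")
    return PRIORITIES[name]


def priorities_matched(selector):
    """Return {facility: set of numeric priorities} selected by a selector
    such as 'daemon.info', '*.*;daemon.none' or 'daemon.!=debug'."""
    table = defaultdict(set)
    for part in selector.split(";"):
        facs, dot, spec = part.rpartition(".")
        if not dot:
            raise ValueError(f"bad selector part {part!r}")
        fac_list = FACILITIES if facs == "*" else facs.split(",")
        for fac in fac_list:
            if fac not in FACILITIES:
                raise ValueError(f"unknown facility {fac!r}")
            if spec == "*":                      # every priority
                table[fac] = set(PRIORITIES.values())
            elif spec == "none":                 # nothing for this facility
                table[fac] = set()
            elif spec.startswith("!="):          # drop exactly this level
                table[fac].discard(_prio(spec[2:]))
            elif spec.startswith("!"):           # drop this level and higher
                level = _prio(spec[1:])
                table[fac] -= {p for p in PRIORITIES.values() if p <= level}
            elif spec.startswith("="):           # only this level
                table[fac].add(_prio(spec[1:]))
            else:                                # this level and higher
                level = _prio(spec)
                table[fac] |= {p for p in PRIORITIES.values() if p <= level}
    return table


def parse_config(text):
    """Parse 'selector action' lines; '@host' is UDP forwarding, '@@host' TCP."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        rules.append((priorities_matched(selector), action.strip()))
    return rules


def route(config_text, messages):
    """Return {action: [message ids]} for (id, facility, priority) messages."""
    delivered = defaultdict(list)
    rules = parse_config(config_text)
    for msg_id, facility, priority in messages:
        for table, action in rules:
            if _prio(priority) in table.get(facility, set()):
                delivered[action].append(msg_id)
    return dict(delivered)


# Constructed sample traffic: the Nitro-format line and the CEF line from
# the thread, plus an unrelated message from another facility.
BOTH_AT_INFO = [("nitro", "daemon", "info"), ("cef", "daemon", "info"),
                ("unrelated", "auth", "notice")]
SPLIT_SEVERITIES = [("nitro", "daemon", "info"), ("cef", "daemon", "debug"),
                    ("unrelated", "auth", "notice")]

CONFIG_DUPLICATED = "daemon.info @esm\ndaemon.info @splunk\n"
CONFIG_SPLIT = "daemon.info @esm\ndaemon.=debug @splunk\n"
CONFIG_CATCHALL = "*.* @esm\ndaemon.=debug @splunk\n"
# Constructed variant: catch-all for ESM that still excludes the debug stream.
CONFIG_CATCHALL_FIXED = "*.*;daemon.!=debug @esm\ndaemon.=debug @splunk\n"


def demo():
    """Evaluate the configurations discussed in the thread."""
    return {
        "duplicated": route(CONFIG_DUPLICATED, BOTH_AT_INFO),
        "split": route(CONFIG_SPLIT, SPLIT_SEVERITIES),
        "catchall": route(CONFIG_CATCHALL, SPLIT_SEVERITIES),
        "catchall_fixed": route(CONFIG_CATCHALL_FIXED, SPLIT_SEVERITIES),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} {result}")
```

Running `demo()` shows the point of the answer: with two `daemon.info` lines both hosts get both formats, and with `daemon.=debug @splunk` only the debug-severity CEF line reaches Splunk. It also shows the caveat for the `*.* @esm` case: a catch-all selector forwards the debug line to ESM as well, so the ESM line needs an exclusion such as `*.*;daemon.!=debug` if the two streams are to stay separate.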

            • 3. Re: Can you syslog to 2 devices?
              clath13

              Hi Jon,

              That is helpful.

              Thank you,

              Claire