我正在通过 syslog 将邮件消息日志和放大器日志从同一服务器 10.10.10.10 发送到我的 RHEL7 服务器。我正在运行 rsyslog 并具有以下配置文件:
邮件日志.conf
$template NetworkLog, "/var/log/mail_logs/mail_logs.log"
:fromhost-ip, isequal, "10.10.10.10" -?NetworkLog
& ~
和我的邮件日志.log好像:
Oct 16 10:58:01 server.com mail_mess_logs: Info: Begin Logfile
Oct 16 10:58:01 server.com mail_mess_logs: Info: Version: 0.0.0 SN:...
Oct 16 10:58:01 server.com mail_mess_logs: Info: Time offset from UTC: -14400 seconds
Oct 16 10:58:02 server.com amp_logs: Info: Begin Logfile
Oct 16 10:58:02 server.com amp_logs: Info: Version: 0.0.0 SN:...
Oct 16 10:58:02 server.com amp_logs: Info: Time offset from UTC: -14400 seconds
我想将它们分解mail_mess_logs,所以amp_logs我会有两个文件,例如:
mail_mess_logs.log
Oct 16 10:58:01 server.com mail_mess_logs: Info: Begin Logfile
Oct 16 10:58:01 server.com mail_mess_logs: Info: Version: 0.0.0 SN:...
Oct 16 10:58:01 server.com mail_mess_logs: Info: Time offset from UTC: -14400 seconds
amp_logs.log
Oct 16 10:58:02 server.com amp_logs: Info: Begin Logfile
Oct 16 10:58:02 server.com amp_logs: Info: Version: 0.0.0 SN:...
Oct 16 10:58:02 server.com amp_logs: Info: Time offset from UTC: -14400 seconds
我怎样才能做到这一点?
答案1
您正在使用一种较旧的、更基本的筛选rsyslog 支持的样式。稍微不那么旧的样式允许您使用包含 and运算符的表达式。这财产 programname应该握住"mail_mess_logs"绳子。所以你可以做
if $fromhost-ip=="10.10.10.10" and $programname=="mail_mess_logs" then -/var/log/mail_logs/mail_mess_logs.log
if $fromhost-ip=="10.10.10.10" and $programname=="amp_logs" then -/var/log/mail_logs/amp_logs.log
另外,还有一种更复杂的风格,称为雷纳脚本。