Send same log to 2 different NLS Setup

[Sampath.Basireddy]

Hi There,

Is it possible to configure rsyslog to forward same logfile to 2 different NLS instances?

Thank You.

[cdienger]

It is. Simply add a new line to the config. For example:

if $programname == 'apache_access' then @host:5544
if $programname == 'apache_access' then @@anotherhost:5544

Your config will likely look different depending on which logs you're sending. Our scripts place rsyslog config in /etc/rsyslog.d/.

[Sampath.Basireddy]

Tried adding that, but no luck. I still don't see logs on the new NLS destination. Existing NLS destination is receiving just fine.

Although some other logs are being successfully sent to new destination from the very same server, except this one log.

PM'd you the rsyslog conf and Global Config screenshot.

[cdienger]

Did you restart rsyslogd after making the change? Also be aware that @ tells rsyslog to use udp to send the traffic and @@ is for tcp - you may need to allow this through a firewall if it isn't already.

[Sampath.Basireddy]

Hello @cdienger,

Yes, rsyslogd service was restarted and also traffic is allowed on tcp port 5544 from server to NLS.

There is another log on the same server which is being sent successfully to NLS on port 5544.

I will PM you the rsyslog conf files.

[Sampath.Basireddy]

@cdienger, Sent you couple of PMs. Can you please check.

[cdienger]

The configuration looks good. What is the output of "rsyslogd -N 1" ?

[Sampath.Basireddy]

Here is the output of rsyslogd -N 1 from server:

Code: Select all

[root@server1 ~]# rsyslogd -N 1

rsyslogd: version 5.8.10, config validation run (level 1), master config /etc/rsyslog.conf

rsyslogd: WARNING: rsyslogd is running in compatibility mode. Automatically generated config directives may interfer with your rsyslog.conf settings. We suggest upgrading your config and adding -c5 as the first rsyslogd option.

rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad immark

rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: MarkMessagePeriod 1200

rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad imuxsock

rsyslogd: End of config validation run. Bye.

[root@server1 ~]#

[cdienger]

Sent a PM. Can you try changing the hostnames in the config to use IPs instead ? Make sure to restart rsyslog afterwards. I'd also like to get a full copy of the rsyslog.conf and /etc/rsyslog.d/ directory.

[Sampath.Basireddy]

Hi @cdienger,

Sent you a PM with full copy of the rsyslog.conf and /etc/rsyslog.d/ directory.