Hello, this is how I do it. (c) $template Tdefault,"/logs/%fromhost-ip%/%syslogfacility-text%.%$YEAR%-%$MONTH%-%$DAY%.log" $template FileFormat,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n" *.* -?Tdefault;FileFormat (b) Dropping not localhost. All event not from localhost are _dropped_ because of the following rule. This is the end of the config file, dealing only with local logs: :fromhost-ip, !isequal, "127.0.0.1" ~ #kern.* /dev/console # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none /var/log/messages ...and so on (standart rsyslog.conf). Mind the line breaks, if lines are wrapped in email. Ignas On 2012.07.23 06:13, Rogelio wrote: > I have several network appliances, and I want aggregate their syslog > output for later analysis. Eventually I might think about a Splunk > box, but for the interim I'm hoping to just build a CentOS 6 syslog > server and have it aggregate everything on it for quick review. > > I installed rsyslog and am looking through the /etc/rsyslog.conf > file for what I configure to (a) listen for syslog input from other > devices (UDP port 514 is fine), (b) make a log, and (c) log rotate > files. > > (a) I see in there (if I comment it out) > > # Provides UDP syslog reception $ModLoad imudp $UDPServerRun 514 > > (Obviously add an iptables rule to let this traffic in) > > (b) I see options in there, but am not sure how to separate the > local logs from the remote logs. Is it something like the > following? > > *.*;local6.none; auth,authpriv.none -/var/log/syslog > > (c) I understand I can do if I edit > /etc/logrotate.d/MyNetworkAppliance.log. This isn't as big of a > concern right now. Just trying to figure out how to log things > separately. :/ > > Any suggestions on what I should do to make this work? > _______________________________________________ CentOS mailing list > CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos >