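# rsyslog configuration for use with a Splunk Forwarder; copy into /etc/rsyslog.d
#
# Remote syslog is written under
#   /var/rsyslog/<this host>/<device type>/<YYYY-MM-DD>/<sender hostname>/<facility>.log
# so that the Splunk forwarder can monitor the tree. Files are created owned by
# the "splunk" user/group; directories are 0755 (other local users can list the
# sender names) and files are 0640 (only splunk can read the log contents).

#--------------------------Modules-----------------------------
$ModLoad imudp
$ModLoad imtcp

#--------------------------Protocols---------------------------
$UDPServerRun 514
$UDPServerRun 5140
$InputTCPServerRun 514

#--------------------------Folder------------------------------
$DirCreateMode 0755
$FileCreateMode 0640
$DirOwner splunk
$DirGroup splunk
$FileOwner splunk
$FileGroup splunk
$RuleSet RSYSLOG_DefaultRuleSet

#--------------------------Templates---------------------------
# %HOSTNAME% is parsed from the message itself, so a remote sender controls it.
# The property-replacer option "secpath-replace" rewrites any "/" in that field
# to "_", so a forged hostname cannot add path components to the dynafile name.
# %$myhostname%, %$YEAR%-%$MONTH%-%$DAY% and %syslogfacility-text% are local or
# fixed-vocabulary values and need no such treatment. If sender-controlled
# directory names are not wanted at all, %FROMHOST-IP% (taken from the socket,
# not the message) is the stricter alternative.

#Template Cisco
#$template ciscoasa,"/var/rsyslog/%$myhostname%/ciscoasa/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME:::secpath-replace%/%syslogfacility-text%.log"

#Template Fortigate
$template fortigate,"/var/rsyslog/%$myhostname%/fortigate/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME:::secpath-replace%/%syslogfacility-text%.log"

#Template Esxi
$template esxi,"/var/rsyslog/%$myhostname%/esxi/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME:::secpath-replace%/%syslogfacility-text%.log"

#Template Linux
$template linux,"/var/rsyslog/%$myhostname%/linux/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME:::secpath-replace%/%syslogfacility-text%.log"

#Template Switch
#$template switch,"/var/rsyslog/%$myhostname%/switch/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME:::secpath-replace%/%syslogfacility-text%.log"

# Catch All
$template catchother,"/var/rsyslog/%$myhostname%/catchother/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME:::secpath-replace%/%syslogfacility-text%.log"

#--------------------------Filters-----------------------------
# Each rule writes to its dynafile ("-?" = omfile dynafile, the leading "-"
# skips a sync after every write) and the following "& stop" discards the
# message so it is not also written by the catch-all rule below.
# "contains_i" is a case-insensitive substring match.

# Fortigate units are identified by the devid="FG..." field in the message.
if $msg contains_i ' devid="FG' then -?fortigate
& stop

# ESXi hosts are identified by their hostname prefix.
if $hostname contains_i 'srvesx' then -?esxi
& stop

# Linux servers are identified by their hostname prefix.
if $hostname contains_i 'svl' then -?linux
& stop

#if $hostname contains 'SWI' then -?switch
#& stop

#if $syslogtag contains '%ASA' then -?ciscoasa
#& stop

# Anything from a remote sender that matched none of the rules above.
# Messages from this host itself fall through to the rest of the rsyslog config.
if $fromhost != $$myhostname then -?catchother
& stop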