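# rsyslog configuration for use in front of a Splunk Forwarder.
# Drop this file into /etc/rsyslog.d/ and restart rsyslog.
#
# Messages received over syslog are sorted by source type into dated,
# per-host dynafiles under /var/rsyslog/<collector>/<type>/ which the
# Splunk Forwarder then monitors.
#
# Security notes:
#   * Plain UDP/TCP syslog carries no authentication: the sender address and
#     the HOSTNAME field of every message are attacker-controllable. Restrict
#     the listeners with $AllowedSender (or a host firewall) to the management
#     networks that are expected to send here, e.g. "$AllowedSender UDP, <cidr>".
#   * %HOSTNAME% is taken from the message itself and is used to build file
#     paths below; it is therefore passed through the "secpath-replace"
#     property option so that slashes (e.g. "../") cannot escape the
#     per-type directory.

#--------------------------Modules-----------------------------
$ModLoad imudp
$ModLoad imtcp

#--------------------------Protocols---------------------------
$UDPServerRun 514
$UDPServerRun 5140
$InputTCPServerRun 514

#--------------------------Folder------------------------------
# Files are created readable only by the splunk user/group so that the
# forwarder can read them without exposing log contents to other accounts.
$DirCreateMode 0755
$FileCreateMode 0640
$DirOwner splunk
$DirGroup splunk
$FileOwner splunk
$FileGroup splunk
$RuleSet RSYSLOG_DefaultRuleSet

#--------------------------Templates---------------------------
# Layout: /var/rsyslog/<collector>/<type>/<YYYY-MM-DD>/<sender>/<facility>.log
# %$myhostname% is the local collector name (trusted); %HOSTNAME% is the
# sender-supplied hostname (untrusted, hence secpath-replace);
# %syslogfacility-text% comes from a fixed set of facility names.

#Template Cisco
$template ciscoasa,"/var/rsyslog/%$myhostname%/ciscoasa/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME:::secpath-replace%/%syslogfacility-text%.log"
#Template Fortigate
$template fortigate,"/var/rsyslog/%$myhostname%/fortigate/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME:::secpath-replace%/%syslogfacility-text%.log"
#Template Esxi
$template esxi,"/var/rsyslog/%$myhostname%/esxi/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME:::secpath-replace%/%syslogfacility-text%.log"
#Template Linux
$template linux,"/var/rsyslog/%$myhostname%/linux/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME:::secpath-replace%/%syslogfacility-text%.log"
#Template Switch
$template switch,"/var/rsyslog/%$myhostname%/switch/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME:::secpath-replace%/%syslogfacility-text%.log"
#Template ILO
$template ilo,"/var/rsyslog/%$myhostname%/ilo/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME:::secpath-replace%/%syslogfacility-text%.log"
#Template iDRAC
# Was previously (mis)named "ilo", which both redefined the ILO template and
# left the "-?idrac" action below pointing at a template that did not exist.
$template idrac,"/var/rsyslog/%$myhostname%/idrac/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME:::secpath-replace%/%syslogfacility-text%.log"
# Catch All
$template catchother,"/var/rsyslog/%$myhostname%/catchother/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME:::secpath-replace%/%syslogfacility-text%.log"

#-------------------------Filters------------------------------
# Rules are evaluated top to bottom; "& stop" ends processing after the
# first match, so order matters. The "-" before "?template" disables
# per-message sync (performance); the dynafile name comes from the template.
if $msg contains_i ' devid="FG' then -?fortigate
& stop
if $fromhost startswith "spv" then -?esxi
& stop
if $fromhost startswith "svl" then -?linux
& stop
if $hostname contains 'svl' then -?linux
& stop
if $hostname contains 'SWI' then -?switch
& stop
if $syslogtag contains '%ASA' then -?ciscoasa
& stop
# NOTE(review): this matches the substring "ilo" anywhere in the message body,
# case-insensitively (e.g. "pilot", "kilobyte"), so unrelated messages from
# any sender can be filed as ILO. The other rules key on the sender; consider
# matching on $hostname instead, as the iDRAC rule below does — confirm
# against the actual ILO hostnames before changing.
if $msg contains_i "ILO" then -?ilo
& stop
if $hostname contains_i "IDR" then -?idrac
& stop
# Anything received from a remote host that matched no rule above goes to the
# catch-all; messages generated locally on the collector fall through to the
# distribution's default rules.
if $fromhost != $$myhostname then -?catchother
& stop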