Splunk_Int/Splunk_Install/Config_Rsyslog/01-Splunk_Forwarder.conf

# Configuration rsyslog pour utiliser avec un Splunk Forwarder a copier dans /etc/rsyslog.d

#--------------------------Modules-----------------------------

$ModLoad imudp
$ModLoad imtcp

#--------------------------Protocoles--------------------------

$UDPServerRun 514
$UDPServerRun 5140
$InputTCPServerRun 514

#--------------------------Folder------------------------------

$DirCreateMode 0755
$FileCreateMode 0640
$DirOwner splunk
$DirGroup splunk
$FileOwner splunk
$FileGroup splunk

$RuleSet RSYSLOG_DefaultRuleSet

#--------------------------Templates---------------------------

#Template Cisco
$template ciscoasa,"/var/rsyslog/%$myhostname%/ciscoasa/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log"

#Template Fortigate
$template fortigate,"/var/rsyslog/%$myhostname%/fortigate/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log"

#Template Esxi
$template esxi,"/var/rsyslog/%$myhostname%/esxi/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log"

#Template Linux
$template linux,"/var/rsyslog/%$myhostname%/linux/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log"

#Template Switch
$template switch,"/var/rsyslog/%$myhostname%/switch/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log"

#Templates ILO
$template ilo,"/var/rsyslog/%$myhostname%/ilo/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log"

#Templates iDRAC
$template ilo,"/var/rsyslog/%$myhostname%/idrac/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log"

# Catch All
$template catchother,"/var/rsyslog/%$myhostname%/catchother/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log"

#-------------------------Filtres------------------------------

if $msg contains_i ' devid="FG' then -?fortigate
& stop

if $fromhost startswith "spv" then -?esxi
& stop

if $fromhost startswith "svl" then -?linux
& stop

if $hostname contains 'svl' then -?linux
& stop

if $hostname contains 'SWI' then -?switch
& stop

if $syslogtag contains '%ASA' then -?ciscoasa
& stop

if $msg contains_i "ILO" then -?ilo
& stop

if $hostname contains_i "IDR" then -?idrac
& stop

if $fromhost != $$myhostname then -?catchother
& stop