Network layout
- 192.168.11.39 : rsyslog server (CentOS 7)
- 192.168.11.2 : mail server
- 192.168.11.254 : Cisco device
- 192.168.11.1 : router
Configuration
Cisco side
(conf)#logging trap notifications
(conf)#logging host 192.168.11.39
logging trap notifications forwards messages of severity notifications (5) and more severe; logging host points them at the rsyslog server (UDP 514 by default).
rsyslog server side
Listen on UDP 514
/etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514
UDP syslog carries no authentication, so only allow port 514/udp from the expected senders (the Cisco device and the router) in the host firewall.
Mail notification settings
/etc/rsyslog.conf
$ModLoad ommail
$ActionMailSMTPServer 192.168.11.2
$ActionMailFrom rsyslog@syslog.server
$template mail_subject,"syslog:%fromhost%:%msg%"
$template mail_body,"%fromhost%\r\n%msg%"
$ActionMailSubject mail_subject
$ActionExecOnlyOnceEveryInterval -1
Save destination per source
/etc/rsyslog.conf
$ActionMailTo my@mailaddr
:fromhost-ip, isequal, "192.168.11.254" /var/log/rsyslog/192.168.11.254
if $fromhost-ip == '192.168.11.254' then :ommail:;mail_body
& stop
The first rule writes the device's messages to their own file, the second mails them using the mail_body template, and "& stop" keeps them out of /var/log/messages. Note that $fromhost-ip is the source address of the UDP packet, so the routing trusts an unauthenticated value.
Syntax check
# rsyslogd -N 1
rsyslogd: version 7.4.7, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
Restart rsyslog
# systemctl restart rsyslog
Syntax error / warning examples
& ~
Mar 30 07:10:09 syslog1 rsyslogd-2307: warning: ~ action is deprecated, consider using the 'stop' statement instead [try http://www.rsyslog.com/e/2307 ]
/etc/rsyslog.conf
- & ~
+ & stop
$ActionMailTo
rsyslogd: no recipient address given - specify $ActionMailTo [try http://www.rsyslog.com/e/2071 ]
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 66: errors occured in file '/etc/rsyslog.conf' around line 66 [try http://www.rsyslog.com/e/2207 ]
/etc/rsyslog.conf
+ $ActionMailTo my@mailaddr
:fromhost-ip, isequal, "192.168.11.254" /var/log/rsyslog/192.168.11.254
if $fromhost-ip == '192.168.11.254' then :ommail:;mail_body
& stop
+ $ActionMailTo my@mailaddr
:fromhost-ip, isequal, "192.168.11.1" /var/log/rsyslog/192.168.11.1
if $fromhost-ip == '192.168.11.1' then :ommail:;mail_body
& stop
- I had to write $ActionMailTo each time immediately before the ommail action.
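The error above (e/2071, "no recipient address given") only shows up when rsyslogd parses the file, and the finding is that every ommail action needs its own $ActionMailTo line in front of it. The following shell check is an added example, not part of the original notes or of rsyslog itself: it scans a legacy-format rsyslog.conf and reports any :ommail: action that is not preceded by a fresh $ActionMailTo, so the mistake can be caught before rsyslogd -N 1 and the restart. The two sample configs are constructed here for illustration; it does not understand the newer action(type="ommail" ...) RainerScript form.

```shell
#!/bin/sh
# check_ommail_recipients FILE
#   Verify that every ":ommail:" action in a legacy-format rsyslog config is
#   preceded by its own "$ActionMailTo" line (a recipient is consumed by the
#   next ommail action, as observed above). Prints one line per offending
#   config line; returns 0 when every ommail action has a recipient.
check_ommail_recipients() {
    awk '
        /^[[:space:]]*\$ActionMailTo[[:space:]]/ { have_to = 1; next }
        /:ommail:/ {
            if (!have_to) {
                printf "line %d: ommail action without preceding $ActionMailTo\n", NR
                bad = 1
            }
            have_to = 0   # the recipient applies to this action only
        }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# Constructed sample: the corrected config from the notes (one $ActionMailTo
# per ommail action).
good_cfg=$(mktemp)
cat >"$good_cfg" <<'EOF'
$ModLoad ommail
$ActionMailSMTPServer 192.168.11.2
$ActionMailTo my@mailaddr
if $fromhost-ip == '192.168.11.254' then :ommail:;mail_body
& stop
$ActionMailTo my@mailaddr
if $fromhost-ip == '192.168.11.1' then :ommail:;mail_body
& stop
EOF

# Constructed sample: the mistake that produced error e/2071 (the second
# ommail action, on line 6, has no recipient of its own).
bad_cfg=$(mktemp)
cat >"$bad_cfg" <<'EOF'
$ModLoad ommail
$ActionMailSMTPServer 192.168.11.2
$ActionMailTo my@mailaddr
if $fromhost-ip == '192.168.11.254' then :ommail:;mail_body
& stop
if $fromhost-ip == '192.168.11.1' then :ommail:;mail_body
& stop
EOF

check_ommail_recipients "$good_cfg" && echo "good config: every ommail action has a recipient"
check_ommail_recipients "$bad_cfg" || echo "bad config: missing recipient detected"

# Typical use on the real server before restarting (not run here):
#   check_ommail_recipients /etc/rsyslog.conf && rsyslogd -N 1 && systemctl restart rsyslog
```

Run it against /etc/rsyslog.conf before rsyslogd -N 1; the awk check is cheap and gives a line number, while rsyslogd's own message only says "around line 66".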