I have several network appliances, and I want aggregate their syslog output for later analysis. Eventually I might think about a Splunk box, but for the interim I’m hoping to just build a CentOS 6 syslog server and have it aggregate everything on it for quick review.
I installed rsyslog and am looking through the /etc/rsyslog.conf file for what I configure to (a) listen for syslog input from other devices (UDP port 514 is fine), (b) make a log, and (c) log rotate files.
(a) I see in there (if I comment it out)
# Provides UDP syslog reception
(Obviously add an iptables rule to let this traffic in)
(b) I see options in there, but am not sure how to separate the local logs from the remote logs. Is it something like the following?
(c) I understand I can do if I edit
/etc/logrotate.d/MyNetworkAppliance.log. This isn’t as big of a concern right now. Just trying to figure out how to log things separately. :/
Any suggestions on what I should do to make this work?