AlienVault® USM Appliance™

Forwarding Files with Rsyslog

Version: 5.x
Deployment: All deployments

In AlienVault USM Appliance, to forward a file to a remote server using rsyslog, create the file /etc/rsyslog.d/forwardFiles.conf with the following content:

$ModLoad imfile

# File 1

$InputFileName /var/log/test

$InputFileTag test1

$InputFileStateFile test1-file1

$InputFileSeverity info

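$InputFileFacility local7

# Activate the monitor for the file defined above (required with the legacy imfile directives)

$InputRunFileMonitor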


See for more details.

If nothing else is configured, the specified file will be sent to the local syslog server.

If you want this file to be forwarded to a remote syslog server, it's a good idea to enable "rsyslog-debug" temporarily to see the headers on syslog messages.

Then create the file /etc/rsyslog.d/forwardRules.conf with content similar to this:

:hostname, isequal, "ubuntu-prelude" @
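The header check suggested above can also be done offline on a captured line before the filter is written. This is an added example, not part of the AlienVault documentation: it assumes traditional BSD (RFC 3164) framing, and the sample lines, the example.com name and the functions parse_header and would_forward are constructed for illustration.

```python
import re

# Facility names by numeric code; codes 16-23 are local0-local7.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[\d+\])?:? ?"
    r"(?P<msg>.*)$"
)

def parse_header(line):
    """Split one syslog line into the fields a property filter matches on."""
    m = HEADER.match(line)
    if m is None:
        return None  # not BSD-framed, so hostname/tag are not where expected
    pri = int(m.group("pri"))
    if pri > 191:    # highest valid PRI is local7.debug = 23*8 + 7
        return None
    return {
        "facility": FACILITIES[pri >> 3],   # PRI = facility*8 + severity
        "severity": SEVERITIES[pri & 7],
        "hostname": m.group("hostname"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }

def would_forward(line, expected_host):
    """Mirror a ':hostname, isequal, "..."' filter: the two strings must be exactly equal."""
    fields = parse_header(line)
    return fields is not None and fields["hostname"] == expected_host

# Constructed sample lines: local7.info (PRI 190) with tag test1, as configured above.
SAMPLES = [
    "<190>Mar  3 10:15:02 ubuntu-prelude test1 service started",
    "<190>Mar  3 10:15:03 ubuntu-prelude.example.com test1 service started",
    "<86>Mar  3 10:15:04 ubuntu-prelude sshd[811]: Accepted publickey for admin",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_header(s), would_forward(s, "ubuntu-prelude"))
```

The second sample shows why the headers are worth checking first: a sender that reports a fully qualified name does not match an isequal filter written for the short hostname, so its events are silently not forwarded.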

On the destination server, you can also create a rule in /etc/rsyslog.d/filterLogs.conf:

#Enable Debug:

#*.* /var/log/all.log;RSYSLOG_DebugFormat

#Enable event filtering for prelude server

:fromhost, isequal, "" /var/log/prelude.log

& stop

As explained here, more complex rules like this can also be created:

if $syslogfacility-text == 'local0' and $msg startswith 'DEVNAME' and ($msg contains 'error1' or $msg contains 'error0') then /var/log/somelog