AlienVault® USM Appliance™

Forwarding Files with Rsyslog

Version: 5.x
Deployment: All deployments

To forward a file to a remote server using rsyslog on AlienVault USM Appliance, create the file /etc/rsyslog.d/forwardFiles.conf with the following content:

$ModLoad imfile

# File 1
$InputFileName /var/log/test
# tag prepended to every line read from the file
$InputFileTag test1
# state file lets rsyslog resume at the right offset after a restart
$InputFileStateFile test1-file1
# facility/severity assigned to the generated messages (matchable in filters)
$InputFileSeverity info
$InputFileFacility local7
# starts monitoring the file defined by the directives above
$InputRunFileMonitor

See http://www.rsyslog.com/doc/imfile.html for more details.

If nothing else is configured, the lines read from this file are only delivered to the local syslog daemon.

If you want this file to be forwarded to a remote syslog server, it's a good idea to enable "rsyslog-debug" temporarily to see the headers (hostname, facility, severity, tag) of the messages you intend to match.

Then create the file /etc/rsyslog.d/forwardRules.conf with content similar to this:

# a single @ forwards over UDP; use @@ for TCP
:hostname, isequal, "ubuntu-prelude" @10.10.10.20

On the destination server, 10.10.10.20, you can also create a rule in /etc/rsyslog.d/filterLogs.conf with content like this:

#Enable Debug:
#*.* /var/log/all.log;RSYSLOG_DebugFormat

#Enable event filtering for prelude server
# $fromhost may hold the resolved name of the sender; $fromhost-ip always holds the address
:fromhost, isequal, "10.10.10.3" /var/log/prelude.log
# discard the message so no later rule processes it again
& stop

More complex rules like the following can also be created (see the rsyslog documentation for the filter syntax):

if $syslogfacility-text == 'local0' and $msg startswith 'DEVNAME' and ($msg contains 'error1' or $msg contains 'error0') then /var/log/somelog
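To check which of the filterLogs.conf rules above a message would hit before deploying them, here is an added example (not AlienVault's or rsyslog's code) that re-implements the destination server's two rules in Python and runs them over a few constructed RFC 3164 lines; the sender IPs, hostnames and message texts are made up.

```python
import re

# Constructed messages as the destination server 10.10.10.20 would receive them
# over the network: (sender IP, raw RFC 3164 line). PRI = facility*8 + severity;
# local7 = 23 (the imfile facility above), local0 = 16, user = 1, info = 6.
SAMPLE_MESSAGES = [
    ("10.10.10.3", "<190>Jan  5 10:00:01 ubuntu-prelude test1: line from /var/log/test"),
    ("10.10.10.3", "<134>Jan  5 10:00:02 ubuntu-prelude kernel: DEVNAME sda error1 detected"),
    ("10.10.10.7", "<134>Jan  5 10:00:03 webhost disk: DEVNAME sdb status ok"),
    ("10.10.10.7", "<134>Jan  5 10:00:04 webhost disk: DEVNAME sdb error0"),
    ("10.10.10.7", "<14>Jan  5 10:00:05 webhost disk: DEVNAME sdc error1"),
]

FACILITY_TEXT = {0: "kern", 1: "user", 3: "daemon", 5: "syslog"}
FACILITY_TEXT.update({16 + i: "local%d" % i for i in range(8)})

# <PRI>TIMESTAMP HOSTNAME TAG: MSG. The space after the tag is consumed here;
# rsyslog itself may keep it in $msg, which is one reason to inspect the real
# headers with RSYSLOG_DebugFormat before relying on 'startswith'.
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\s]+): ?(.*)$")

def parse(raw):
    """Return the rsyslog properties the page's filters use."""
    m = SYSLOG_RE.match(raw)
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % raw)
    facility, severity = divmod(int(m.group(1)), 8)
    return {"syslogfacility-text": FACILITY_TEXT.get(facility, str(facility)),
            "syslogseverity": severity, "hostname": m.group(3),
            "syslogtag": m.group(4), "msg": m.group(5)}

def route(fromhost_ip, raw):
    """Evaluate the filterLogs.conf rules in order; return the files written."""
    p = parse(raw)
    targets = []
    # :fromhost, isequal, "10.10.10.3" /var/log/prelude.log  followed by '& stop'.
    # The sender IP is compared directly, as $fromhost-ip would be.
    if fromhost_ip == "10.10.10.3":
        targets.append("/var/log/prelude.log")
        return targets          # '& stop': no later rule sees this message
    # the RainerScript rule: local0, starts with DEVNAME, mentions error1/error0
    msg = p["msg"]
    if (p["syslogfacility-text"] == "local0" and msg.startswith("DEVNAME")
            and ("error1" in msg or "error0" in msg)):
        targets.append("/var/log/somelog")
    return targets

def route_all(messages=SAMPLE_MESSAGES):
    return [route(ip, raw) for ip, raw in messages]

if __name__ == "__main__":
    for (ip, raw), files in zip(SAMPLE_MESSAGES, route_all()):
        print("%-11s %-60.60s -> %s" % (ip, raw, files or ["(no filterLogs.conf match)"]))
```

Note that the second message matches the DEVNAME rule too, but never reaches it because `& stop` discards everything from 10.10.10.3 after it is written to prelude.log.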