
rsyslog misconfiguration

ol.batard

Hello,

Just for information, the /etc/rsyslog.d/zzz_alienvault_template.conf rsyslog configuration is causing an issue.

Just have a look at this:

# template definition
$template DYNlog,"/var/log/alienvault/devices/%fromhost-ip%/%fromhost-ip%.log"

# binding 
if \
        $fromhost-ip != '127.0.0.1' \
then    ?DYNlog

What if the fromhost-ip field is not decoded properly by rsyslog? Example: JSON log, WELF log?
Logs are stored into "/var/log/alienvault/devices/%fromhost-ip%/%fromhost-ip%.log"

=> After variable expansion:
"/var/log/alienvault/devices//.log"

A very big hidden file in /var/log/alienvault/devices.

Regards,
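
Added example, not part of the original post and not AlienVault code: a check for the symptom described above. The DYNlog template only ever writes `<devices>/<ip>/<ip>.log`, so any regular file sitting directly in the devices directory (such as the hidden `.log`) was produced by an empty expansion. The function name and the `--scan` switch are hypothetical; the default path is the one from the post.

```shell
#!/bin/sh
# Added example: report stray files left in the devices directory when
# %fromhost-ip% expands to an empty string ("<devices>//.log").

# find_stray_logs DIR
# Prints "<size in bytes><TAB><path>" for every regular file directly under DIR.
# Legitimate logs live one level deeper (DIR/<ip>/<ip>.log), so they are skipped.
# Returns 2 if DIR does not exist.
find_stray_logs() {
    dir=${1:-/var/log/alienvault/devices}
    if [ ! -d "$dir" ]; then
        echo "find_stray_logs: no such directory: $dir" >&2
        return 2
    fi
    # The first pattern covers hidden names such as ".log", the second the rest.
    # An unmatched pattern stays literal and is rejected by the -f test.
    for f in "$dir"/.[!.]* "$dir"/*; do
        # Regular files only; symlinks are ignored so a link cannot redirect the check.
        if [ -f "$f" ] && [ ! -L "$f" ]; then
            # Arithmetic expansion strips the padding some wc builds add.
            size=$(( $(wc -c < "$f") ))
            printf '%s\t%s\n' "$size" "$f"
        fi
    done
    return 0
}

# Stand-alone use: ./check_devices.sh --scan [DIR]
if [ "${1:-}" = "--scan" ]; then
    find_stray_logs "${2:-/var/log/alienvault/devices}"
fi
```

Any line of output means events are being written outside a per-host directory; the size column shows how much disk the stray file already holds.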

