Use rsyslog omfwd format.

Move above other rules because putting it at the bottom did not send
any packets.

Signed-off-by: Stephen Smoogen <ssmoogen@redhat.com>
This commit is contained in:
Stephen Smoogen 2023-05-11 15:43:46 -04:00
parent e84065541f
commit d07ccd7b62


@ -160,6 +160,29 @@ kern.* ?r_kern;TraditionalFormat
# MERGED R E M O T E L O G G I N G #
#%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%#
# forward to splunk host, over tls
#*.* @@splunk-syslog.corp.redhat.com:6514
#*.* @@10.31.20.29:6514
$DefaultNetstreamDriverCAFile /etc/pki/tls/certs/2022-IT-Root-CA.pem
*.* action(
type="omfwd"
target="10.31.20.29"
port="6514"
protocol="tcp"
queue.filename="fwdRule1" # unique name prefix for spool files
queue.maxdiskspace="1g" # 1gb space limit (use as much as possible)
queue.saveonshutdown="on" # save messages to disk on shutdown
queue.type="LinkedList" # run asynchronously
queue.size="100000"
action.resumeRetryCount="10" # 10 retries if host is down
StreamDriver="gtls"
StreamDriverMode="1"
StreamDriverAuthMode="anon" # not authenticated
)
#------------------------------------------------------------------------------#
# remote messages log #
#------------------------------------------------------------------------------#
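Review bot: `StreamDriverAuthMode="anon"` on line 34 means the TLS session to the collector is encrypted but the peer is never authenticated, so the `$DefaultNetstreamDriverCAFile` set on line 20 is loaded yet does not verify anything; the mode is carried over from the legacy `$ActionSendStreamDriverAuthMode anon` removed in the second hunk, so this is not a regression, but it should be either fixed or called out. To pin the collector, change the line to `StreamDriverAuthMode="x509/name"` and add `StreamDriverPermittedPeers="<collector-hostname-as-in-its-cert>"` (placeholder), which makes the CA file actually gate the connection. Because the `*.*` action now sits above the remaining rules, messages that later rules discard locally (for example the `~` rule visible at line 40 of the next hunk) are presumably still forwarded, which may be the intended reason for the move but is worth a comment such as `# placed before local discard rules so forwarding sees every message`. A small style point: the `action(` parameters on lines 22-34 are at column 0, indenting them makes the block boundaries easier to read.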
@ -215,10 +238,3 @@ local4.* ?m_http_apps;MergeFormat
:msg, !contains, "type=AVC" ~
local6.* ?m_audit;MergeFormat
# forward to splunk host, over tls
#*.* @@splunk-syslog.corp.redhat.com:6514
*.* @@10.31.20.29:6514
$DefaultNetstreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
$DefaultNetstreamDriverCAFile /etc/pki/tls/certs/2022-IT-Root-CA.pem