You can indeed by adding a second line! But....
You might also want to consider sending specifically formatted messages to specific destinations.
Say you have a McAfee ESM and a Splunk. The ESM logline uses the Nitro format, and the Splunk format uses CEF (for example).
To send a message to the syslog daemon, we have this rule in the logging cycle, 6 = Info:
ESM is already configured as:
If you do the following for Splunk:
This would mean that ESM and Splunk receive both messages (the Nitro format and the Splunk format).
If we want ESM to only get #1, and Splunk to only get #2, we would modify the logging rule to use 7 (debug) instead of 6 (info). In the rsyslog conf we would have a line like:
This would ensure only daemon.debug events are sent to the second syslog server (Splunk).
Hope this helps. If it doesn't matter what message is sent where, then adding a second line would be fine.
I am trying to understand the result of what you have described here. If we configure Log Handler 1 as Syslog (7. User-Defined.syslogline) and Log Handler 2 as Syslog (7, User-Defined.syslogline_2), e.g., and then configure the rsyslog file to use daemon.=debug @syslog_server1 and daemon.=info @syslog_server2, this means that syslog_server1 will receive all the debug level messages and above, and syslog_server2 only the info level messages, if I understand correctly?
What if we need to have both servers receive exactly the same logs, just in different log line formats (e.g. if we are running two SIEM solutions in parallel)?
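As an added example (not from this thread, and not the product's or rsyslog's own code), here is a small Python model of rsyslog's classic selector syntax. It covers the routing rule in the answer above and the follow-up question about whether `daemon.=debug` means "debug only" or "debug and above"; the selectors are the ones quoted in the thread, and the `@syslog_server1` / `@syslog_server2` destinations are placeholders.

```python
# Added example: a model of rsyslog "facility.priority" selector matching.
# Plain "daemon.info" matches info AND every more severe level; the "="
# form ("daemon.=info") matches that one level only. The "!" negation
# form is not modelled here. Destinations are placeholder names.

# Standard syslog severities, index 0 = most severe (emerg) .. 7 = debug.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def selector_matches(selector, facility, severity):
    """Return True if a selector such as 'daemon.=debug' matches a message.

    facility: e.g. 'daemon'; severity: one of SEVERITIES.
    '*' on either side of the dot matches everything on that side.
    """
    fac_part, prio_part = selector.split(".", 1)
    if fac_part != "*" and facility not in fac_part.split(","):
        return False
    if prio_part == "*":
        return True
    exact = prio_part.startswith("=")
    level = SEVERITIES.index(prio_part.lstrip("="))
    sev = SEVERITIES.index(severity)
    # Lower index = more severe, so "at this level or above" is sev <= level.
    return sev == level if exact else sev <= level


def route(rules, facility, severity):
    """Return the destinations a message is forwarded to, in rule order.

    rules: list of (selector, destination) pairs as they would appear
    on successive lines of rsyslog.conf, e.g. ("daemon.=debug", "@syslog_server1").
    """
    return [dest for sel, dest in rules if selector_matches(sel, facility, severity)]


# Constructed rule sets mirroring the thread: exact-match selectors split
# the two log handlers cleanly between the two SIEM collectors ...
SPLIT_RULES = [("daemon.=debug", "@syslog_server1"),
               ("daemon.=info", "@syslog_server2")]
# ... whereas the same selectors without "=" overlap: daemon.debug takes
# everything the daemon facility logs, so server1 also receives the info line.
OVERLAP_RULES = [("daemon.debug", "@syslog_server1"),
                 ("daemon.info", "@syslog_server2")]
```

In a real rsyslog.conf `@host` forwards over UDP and `@@host` over TCP; the model ignores transport and only shows which lines a given facility/severity would reach.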