Robert asked:
How to configure postfix to log to a flat file instead of syslog
Currently, syslog is configured to import logs into splunk. We want to import the postfix logs into a separate splunk index.
How do I redirect postfix logs into a non-syslog flat file?
Thank you
Edit the rsyslog.conf or syslog.conf, as applicable to you.
On the /var/log/messages line, at the beginning, change the mail.* to mail.none.
Then add a line
mail.* /var/log/postfix as an example.
Then in /etc/logrotate.conf.d/postfix
configure the rotation rule.
How is your splunk currently loading the data?
ASKER
All syslogs are forwarded to a remote syslog server. They are then imported from the syslog server into splunk. I wanted to remove the mail logs from syslog and import them into a separate index. I'm looking for a non-syslog solution so that the mail logs are not imported twice into splunk.
If this is not possible, how would I prevent the syslog mail logs from being sent to the remote syslog server? Here is the current config:
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
*.* @syslog1.company.local:514
Syslog provides an easy transport. Your import setup is on the remote syslog. If you could differentiate between the syslog messages using facility/priority, where it goes...
I am unclear how diverting mail.* to a local file, with mail.none added on the syslog forwarding line, will exclude the postfix events from being forwarded.
RSyslog has filtering capabilities
See if the discussion raised in the link is what you are looking for
You can separate syslog events even at a central syslog repository.
https://community.splunk.com/t5/Getting-Data-In/syslog-using-Splunk/m-p/15119
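As an added worked example (not posted by anyone in this thread), the rsyslog rule ordering that the "filtering capabilities" answer alludes to: write the mail facility to its own flat file, stop processing so the catch-all forward never sees it, and let a Splunk universal forwarder read that file into its own index. The file name /var/log/postfix.log, the index name "postfix", the sourcetype and the forwarder's inputs.conf path are assumptions; syslog1.company.local:514 and the queue directives are taken from the posted config.

```conf
# /etc/rsyslog.conf (or a drop-in under /etc/rsyslog.d/) -- added example
# Rules are evaluated top to bottom, so the mail rule MUST precede the
# *.* forwarding rule for the exclusion to work.

# 1. Mail facility to a local flat file ("-" = buffered/async writes).
mail.*                          -/var/log/postfix.log

# 2. Discard the message from further processing, so the forward below
#    never sees it.  rsyslog older than v7 spells this "& ~" instead.
& stop

# 3. Alternative to step 2 (use one or the other, not both): keep the
#    message flowing but exclude the mail facility on the forward selector.
# *.*;mail.none                 @@syslog1.company.local:514

# 4. The posted forwarding rule.  Note: a single "@" is UDP; "@@" is TCP,
#    which is what the comment in the posted config says is intended.
$ActionQueueFileName fwdRule1       # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g         # 1gb space limit
$ActionQueueSaveOnShutdown on       # save messages to disk on shutdown
$ActionQueueType LinkedList         # run asynchronously
$ActionResumeRetryCount -1          # infinite retries if host is down
*.*                                 @@syslog1.company.local:514

# --------------------------------------------------------------------
# /opt/splunkforwarder/etc/system/local/inputs.conf (assumed path) on the
# mail host: the universal forwarder tails the flat file straight into a
# dedicated index, so postfix events take only this path, never syslog.
[monitor:///var/log/postfix.log]
index = postfix
sourcetype = postfix_syslog
disabled = false
```

After editing, run `rsyslogd -N1` to syntax-check the configuration before restarting the daemon, then confirm with `logger -p mail.info test` that the line lands in /var/log/postfix.log and is absent from the central server.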
ASKER CERTIFIED SOLUTION
1) Rotate the log for last hour.
2) Then inject the last log into Splunk.