We would like to use sysloggtw combined with logmon to generate alarms when certain syslog messages are received.
Because we deal with very large environments we receive huge amounts of syslog each day. This is currently being handled by rsyslog. Syslog from different types of devices is being sent to different files. This works fine.
At the moment we use logmon to search the files for key words. Unfortunately logmon does not always detect the log entries, possibly because the files end up being quite large (between 100-1000 MB for each day).
I was therefore thinking of using sysloggtw to listen for messages that are "forwarded" by rsyslog and subsequently send them to logmon to look for keywords. That way logmon does not have to search through large files, but searches through messages that arrive through a queue. An additional benefit is said to be that maintenance mode will work in combination with this although I cannot see how this would work.
For this to work I need rsyslog to listen on the default syslog port (UDP/514) and sysloggtw to listen to an alternative port (e.g. UDP/515).
Is it possible to have sysloggtw listen to an alternative port? Is there a better way to achieve what I want?
Thanks a lot in advance.
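For reference, here is an added rsyslog configuration sketch (not from the original post, and not CA/Nimsoft code) for the split described above: rsyslog keeps listening on UDP/514 and writing its per-device files, and in addition forwards a filtered subset of messages to a second local UDP port where sysloggtw is assumed to listen. The port 515, the loopback target, the example facility filter and the file path are assumptions chosen for illustration; the rsyslog modules used (imudp, omfile, omfwd) are standard.

```conf
# Added example rsyslog.conf fragment (RainerScript syntax, rsyslog 7+).
# Assumes sysloggtw has been configured to listen on UDP/515 on this host.

# Receive syslog from the network devices on the default port.
module(load="imudp")
input(type="imudp" port="514")

# Keep the existing per-device-type files (path is an assumed example).
if $fromhost-ip startswith "10.0." then {
    action(type="omfile" file="/var/log/devices/network.log")
}

# Forward only what the alarm keyword search needs, e.g. a chosen facility,
# to the local sysloggtw port instead of pushing the full daily volume through it.
if $syslogfacility-text == "local0" then {
    action(type="omfwd" target="127.0.0.1" port="515" protocol="udp")
}
```

Forwarding to a port other than 514 avoids rsyslog feeding its own input again, and narrowing the forwarded set with a property filter keeps the message stream that the keyword matcher has to process small even when the daily files are hundreds of megabytes.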