> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of Julian Yap
> Sent: Monday, March 16, 2009 10:05 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Logging all messages from a remote server
> 
> Rainer,
> 
> Would you recommend against using $includeConfig?  In that case, it
> tends to lead to more unknown config issues.

No, but do not split config directives that need to go together over several
places. You need to put this together:

# this starts the definition of a single action
$ActionExecOnlyOnceEveryInterval 300
$ActionExecOnlyEveryNthTimeTimeout 1200
$ActionExecOnlyEveryNthTime 3
$...
*.*  action
#this ends it

So you need to put everything together. If you rip it apart, you will get
undefined results.

This is - to phrase it politely - not very well documented. You need to read
the fine print: most of the $Action... params modify the *next* action - NOT
*all* actions. So it is vitally important where they occur.

Will try to make this clear as soon as I have a bit more time.


Rainer
> 
> - Julian
> 
> On Sun, Mar 15, 2009 at 10:52 PM, Rainer Gerhards
> <[email protected]> wrote:
> > The issue is that these statements
> >
> > $ActionExecOnlyOnceEveryInterval 300
> > $ActionExecOnlyEveryNthTimeTimeout 1200
> > $ActionExecOnlyEveryNthTime 3
> >
> > Modify the *next* action. So you need to specify them in front of the action.
> > If you use the $includeConfig option, and have part of the action inside the
> > include file and other parts (the statements) outside (or vice versa), you
> > never know which action gets configured how. So place all of them together.
> >
> > HTH
> > Rainer
> >
> >> -----Original Message-----
> >> From: [email protected] [mailto:rsyslog-
> >> [email protected]] On Behalf Of Julian Yap
> >> Sent: Monday, March 16, 2009 9:15 AM
> >> To: rsyslog-users
> >> Subject: Re: [rsyslog] Logging all messages from a remote server
> >>
> >> OK, I narrowed the issues down.  Now I've faced strange issues like
> >> this before when using the $IncludeConfig directive.
> >>
> >> This is what I have just tested with in my /etc/rsyslog.conf file (and
> >> other lines) and it worked fine:
> >> ----
> >> $IncludeConfig /etc/rsyslog.d/
> >> :FROMHOST, isequal, "server"             /var/log/remote/server/all
> >> ----
> >>
> >> Now if I have a file /etc/rsyslog.d/testalert_for_another_server,
> >> things turn strange and only certain messages are logged from the
> >> first server:
> >> ----
> >> $ModLoad ommail
> >>
> >> $ActionFileDefaultTemplate      RSYSLOG_TraditionalFileFormat
> >>
> >> $template DYNserver2, "/var/log/remote/server2.log"
> >> $template TraditionalFormatNoHostname,"%timegenerated% %syslogtag%%msg:::drop-last-lf%\n"
> >>
> >> if $hostname == 'server2.domain.com' then ?DYNserver2;TraditionalFormatNoHostname
> >>
> >> $ActionMailFrom [email protected]
> >> $ActionMailTo server2_alert
> >> $template mailSubjectTestAlert,"INFO: Alert detected"
> >> $template mailBodyTestAlert,"Message is..."
> >> $ActionMailSubject mailSubjectTestAlert
> >> $ActionExecOnlyOnceEveryInterval 300
> >> $ActionExecOnlyEveryNthTimeTimeout 1200
> >> $ActionExecOnlyEveryNthTime 3
> >>
> >> if $hostname == 'server2.domain.com' and $msg contains 'Some message' then :ommail:;mailBodyTestAlert
> >> ----
> >>
> >> Now if I add the contents of
> >> /etc/rsyslog.d/testalert_for_another_server to /etc/rsyslog.conf (and
> >> remove file /etc/rsyslog.d/testalert_for_another_server) then things
> >> work fine...
> >>
> >> Now if I remove the previous changes to /etc/rsyslog.conf and modify
> >> /etc/rsyslog.d/testalert_for_another_server and remove the following
> >> lines then things work OK again:
> >> $ActionExecOnlyOnceEveryInterval 300
> >> $ActionExecOnlyEveryNthTimeTimeout 1200
> >> $ActionExecOnlyEveryNthTime 3
> >>
> >>
> >> - Julian
> >>
> >>
> >> On Sun, Mar 15, 2009 at 7:16 PM,  <[email protected]> wrote:
> >> > On Sun, 15 Mar 2009, Julian Yap wrote:
> >> >
> >> >> I'm having trouble logging ALL the syslog messages received from a
> >> >> server.  I'm not sure if it's because it's from a non-standard piece
> >> >> of hardware (i.e. not a Linux server).  Logging to another server
> >> >> running syslogd works fine (but syslogd doesn't allow me to log
> >> >> messages from a remote server to a separate file and it's not my
> >> >> central syslogd server).
> >> >>
> >> >> I've tried several lines but none seem to work for me:
> >> >> if $fromhost == 'server' then /var/log/remote/server/all
> >> >> if $source == 'server' then /var/log/remote/server/all
> >> >> :FROMHOST, isequal, "server" /var/log/remote/server/all
> >> >> if $fromhost == 'server.domain.com' then /var/log/remote/server/all
> >> >> if $fromhost-ip == '192.168.0.60' then /var/log/remote/server/all
> >> >
> >> > there are a few possible reasons that this could have problems
> >> >
> >> > is it that you have a high volume of logs and some just get dropped?
> >> >
> >> > if you just write everything to a file (*.* /var/log/test) does it have
> >> > all the logs from this server? or is it missing some?
> >> >
> >> > do the logs from this server sometimes include the host and sometimes not?
> >> >
> >> > what is different between the logs that you match and the ones that you
> >> > miss?
> >> >
> >> > David Lang
> >> > _______________________________________________
> >> > rsyslog mailing list
> >> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> > http://www.rsyslog.com
> >> >
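
A lint check for the rule stated in this thread, as an added example that is not part of the original messages or of rsyslog itself: it flags $Action... directives that have no action after them in the same file, or that are separated from it by $IncludeConfig. The file names and sample contents are constructed, and treating every non-directive line as a rule with an action is a simplifying assumption.

```python
import re

# Heuristic from the thread: most "$Action..." directives configure the *next*
# action only. $ActionFileDefaultTemplate is a global default, so it is skipped.
GLOBAL_DEFAULTS = {"$actionfiledefaulttemplate"}
DIRECTIVE = re.compile(r"^\$(\w+)")


def find_dangling_modifiers(files):
    """files: {path: config text}. Returns [(path, line_no, directive, reason)]."""
    findings = []
    for path, text in files.items():
        pending = []  # (line_no, directive) still waiting for an action in this file
        for line_no, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = DIRECTIVE.match(line)
            if m is None:
                pending.clear()  # assumption: a non-directive line is a rule with an action
                continue
            name = "$" + m.group(1)
            key = name.lower()
            if key == "$includeconfig":
                findings += [(path, n, d, "precedes $IncludeConfig") for n, d in pending]
                pending.clear()
            elif key.startswith("$action") and key not in GLOBAL_DEFAULTS:
                pending.append((line_no, name))
        findings += [(path, n, d, "no action follows in this file") for n, d in pending]
    return findings


# Constructed sample: the rate-limit directives sit in one file, the action in another.
SAMPLE = {
    "/etc/rsyslog.d/10-limits.conf": (
        "$ActionExecOnlyOnceEveryInterval 300\n"
        "$ActionExecOnlyEveryNthTime 3\n"
    ),
    "/etc/rsyslog.d/20-alert.conf": (
        "$ModLoad ommail\n"
        "$ActionMailTo server2_alert\n"
        "if $msg contains 'Some message' then :ommail:\n"
        "*.* /var/log/all\n"
    ),
}

if __name__ == "__main__":
    for finding in find_dangling_modifiers(SAMPLE):
        print("%s:%d: %s (%s)" % finding)
```

An empty result means every flagged-style directive is followed by an action in its own file; it does not validate the directives' values or their order.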