> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of Julian Yap
> Sent: Monday, March 16, 2009 10:18 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Logging all messages from a remote server
>
> Thanks all. My config is working fine now.
>
> I can take some of the blame for requesting the
> $ActionExecOnlyEveryNthTime* params in the first place :P.
>
> Just to shed some light, my previous understanding (or what I
> initially gathered from the docs) was that the $Action params needed
> to just be in a block and the order of params didn't matter.
>
> So:
> #start Action
> $Action...
> $Action...
> $Action...
> #end Action
>
> So that was just what I gathered in my head. But it's all clear now.
Well, the order doesn't matter BUT (!) above you do NOT define an action -
because the action itself is missing! So whatever action comes next, it will
receive these parameters.

Rainer

>
> - Julian
>
> On Sun, Mar 15, 2009 at 11:08 PM, Rainer Gerhards
> <[email protected]> wrote:
> >> -----Original Message-----
> >> From: [email protected] [mailto:rsyslog-
> >> [email protected]] On Behalf Of Julian Yap
> >> Sent: Monday, March 16, 2009 10:05 AM
> >> To: rsyslog-users
> >> Subject: Re: [rsyslog] Logging all messages from a remote server
> >>
> >> Rainer,
> >>
> >> Would you recommend against using $includeConfig? In that case, it
> >> tends to lead to more unknown config issues.
> >
> > No, but do not split config directives that need to go together over several
> > places. You need to put this together
> >
> > # this starts the definition of a single action
> > $ActionExecOnlyOnceEveryInterval 300
> > $ActionExecOnlyEveryNthTimeTimeout 1200
> > $ActionExecOnlyEveryNthTime 3
> > $...
> > *.* action
> > #this ends it
> >
> > So you need to put everything together. If you rip it apart, you will get
> > undefined results.
> >
> > This is - to phrase it politely - not very well documented. You need to read
> > the fine print, most of the $Action... params modify the *next* action - NOT
> > *all* actions. So it is vitally important where they occur.
> >
> > Will try to make this clear as soon as I have a bit more time.
> >
> >
> > Rainer
> >>
> >> - Julian
> >>
> >> On Sun, Mar 15, 2009 at 10:52 PM, Rainer Gerhards
> >> <[email protected]> wrote:
> >> > The issue is that these statements
> >> >
> >> > $ActionExecOnlyOnceEveryInterval 300
> >> > $ActionExecOnlyEveryNthTimeTimeout 1200
> >> > $ActionExecOnlyEveryNthTime 3
> >> >
> >> > Modify the *next* action. So you need to specify them in front of the
> >> > action.
> >> > If you use the $includeConfig option, and have part of the action inside the
> >> > include file and other parts (the statements) outside (or vice versa), you
> >> > never know which action gets configured how. So place all of them together.
> >> >
> >> > HTH
> >> > Rainer
> >> >
> >> >> -----Original Message-----
> >> >> From: [email protected] [mailto:rsyslog-
> >> >> [email protected]] On Behalf Of Julian Yap
> >> >> Sent: Monday, March 16, 2009 9:15 AM
> >> >> To: rsyslog-users
> >> >> Subject: Re: [rsyslog] Logging all messages from a remote server
> >> >>
> >> >> OK, I narrowed the issues down. Now I've faced strange issues like
> >> >> this before when using the $IncludeConfig directive.
> >> >>
> >> >> This is what I have just tested with in my /etc/rsyslog.conf file (and
> >> >> other lines) and it worked fine:
> >> >> ----
> >> >> $IncludeConfig /etc/rsyslog.d/
> >> >> :FROMHOST, isequal, "server" /var/log/remote/server/all
> >> >> ----
> >> >>
> >> >> Now if I have a file /etc/rsyslog.d/testalert_for_another_server,
> >> >> things turn strange and only certain messages are logged from the
> >> >> first server.:
> >> >> ----
> >> >> $ModLoad ommail
> >> >>
> >> >> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> >> >>
> >> >> $template DYNserver2, "/var/log/remote/server2.log"
> >> >> $template TraditionalFormatNoHostname,"%timegenerated%
> >> >> %syslogtag%%msg:::drop-last-lf%\n"
> >> >>
> >> >> if $hostname == 'server2.domain.com' then
> >> >> ?DYNserver2;TraditionalFormatNoHostname
> >> >>
> >> >> $ActionMailFrom [email protected]
> >> >> $ActionMailTo server2_alert
> >> >> $template mailSubjectTestAlert,"INFO: Alert detected"
> >> >> $template mailBodyTestAlert,"Message is..."
> >> >> $ActionMailSubject mailSubjectTestAlert
> >> >> $ActionExecOnlyOnceEveryInterval 300
> >> >> $ActionExecOnlyEveryNthTimeTimeout 1200
> >> >> $ActionExecOnlyEveryNthTime 3
> >> >>
> >> >> if $hostname == 'server2.domain.com' and $msg contains 'Some message'
> >> >> then :ommail:;mailBodyTestAlert
> >> >> ----
> >> >>
> >> >> Now if I add the contents of
> >> >> /etc/rsyslog.d/testalert_for_another_server to /etc/rsyslog.conf (and
> >> >> remove file /etc/rsyslog.d/testalert_for_another_server) then things
> >> >> work fine...
> >> >>
> >> >> Now if I remove the previous changes to /etc/rsyslog.conf and modify
> >> >> /etc/rsyslog.d/testalert_for_another_server and remove the following
> >> >> lines then things work OK again:
> >> >> $ActionExecOnlyOnceEveryInterval 300
> >> >> $ActionExecOnlyEveryNthTimeTimeout 1200
> >> >> $ActionExecOnlyEveryNthTime 3
> >> >>
> >> >>
> >> >> - Julian
> >> >>
> >> >>
> >> >> On Sun, Mar 15, 2009 at 7:16 PM, <[email protected]> wrote:
> >> >> > On Sun, 15 Mar 2009, Julian Yap wrote:
> >> >> >
> >> >> >> I'm having trouble logging ALL the syslog messages received from a
> >> >> >> server. I'm not sure if it's because it's from a non-standard piece
> >> >> >> of hardware (ie. not a Linux server). Logging to another server
> >> >> >> running syslogd works fine (but syslogd doesn't allow me to log
> >> >> >> messages from a remote server to a separate file and it's not my
> >> >> >> central syslogd server).
> >> >> >>
> >> >> >> I've tried several lines but none seem to work for me:
> >> >> >> if $fromhost == 'server' then /var/log/remote/server/all
> >> >> >> if $source == 'server' then /var/log/remote/server/all
> >> >> >> :FROMHOST, isequal, "server" /var/log/remote/server/all
> >> >> >> if $fromhost == 'server.domain.com' then /var/log/remote/server/all
> >> >> >> if $fromhost-ip == '192.168.0.60' then /var/log/remote/server/all
> >> >> >
> >> >> > there are a few possible reasons that this could have problems
> >> >> >
> >> >> > is it that you have a high volume of logs and some just get dropped?
> >> >> >
> >> >> > if you just write everything to a file (*.* /var/log/test) does it have
> >> >> > all the logs from this server? or is it missing some?
> >> >> >
> >> >> > do the logs from this server sometimes include the host and sometimes not?
> >> >> >
> >> >> > what is different between the logs that you match and the ones that you
> >> >> > miss?
> >> >> >
> >> >> > David Lang
> >> >> > _______________________________________________
> >> >> > rsyslog mailing list
> >> >> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> >> > http://www.rsyslog.com
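
Added example, not part of the original thread and not rsyslog project code: a small lint for the split-configuration problem discussed above, which reports every $ActionExecOnly* directive whose next action sits in a different file, so a throttle meant for a mail alert cannot silently end up on a file-logging action and thin out the log. It assumes the caller supplies the files in the order rsyslog reads them, tracks only the three directives named in the thread, and treats any non-comment line that does not start with "$" as a rule carrying an action; the file names and sample contents are constructed.

```python
# Added example; models "modify the *next* action" as load-order adjacency.
PREFIX = "$actionexeconly"  # assumption: track only the thread's three directives

def cross_file_bindings(files):
    """files: [(name, text)] in the order rsyslog reads them (caller-supplied).

    Returns (directive, directive_file, action_file, action_line) for every
    tracked directive whose next action is in another file; action_file is
    None when no action follows at all.
    """
    findings, pending = [], []
    for name, text in files:
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("$"):
                if line.lower().startswith(PREFIX):
                    pending.append((name, line))
                continue  # other $ directives do not define an action
            # Heuristic: any remaining line is a rule that carries an action.
            findings += [(d, src, name, line) for src, d in pending if src != name]
            pending = []
    findings += [(d, src, None, None) for src, d in pending]
    return findings

# Constructed sample files, modelled on the configuration quoted in the thread.
THROTTLE = """$ActionExecOnlyOnceEveryInterval 300
$ActionExecOnlyEveryNthTimeTimeout 1200
$ActionExecOnlyEveryNthTime 3
"""
MAIL_RULE = "if $msg contains 'Some message' then :ommail:;mailBodyTestAlert\n"
FILE_RULE = ':FROMHOST, isequal, "server" /var/log/remote/server/all\n'

SPLIT = [("rsyslog.d/alert", THROTTLE), ("rsyslog.conf", FILE_RULE)]
GROUPED = [("rsyslog.d/alert", THROTTLE + MAIL_RULE), ("rsyslog.conf", FILE_RULE)]

if __name__ == "__main__":
    for d, src, dst, rule in cross_file_bindings(SPLIT):
        print(f"{src}: {d!r} lands on {dst}: {rule!r}")
    print("grouped findings:", cross_file_bindings(GROUPED))
```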

