Thanks all. My config is working fine now. I can take some of the blame for requesting the $ActionExecOnlyEveryNthTime* params in the first place :P.
Just to shed some light, my previous understanding (or what I initially gathered from the docs) was that the $Action params needed to just be in a block and the order of params didn't matter. So:

#start Action
$Action...
$Action...
$Action...
#end Action

So that was just what I gathered in my head. But it's all clear now.

- Julian

On Sun, Mar 15, 2009 at 11:08 PM, Rainer Gerhards <[email protected]> wrote:
>> -----Original Message-----
>> From: [email protected] [mailto:rsyslog-
>> [email protected]] On Behalf Of Julian Yap
>> Sent: Monday, March 16, 2009 10:05 AM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] Logging all messages from a remote server
>>
>> Rainer,
>>
>> Would you recommend against using $includeConfig? In that case, it
>> tends to lead to more unknown config issues.
>
> No, but do not split config directives that need to go together over several
> places. You need to put this together
>
> # this starts the definition of a single action
> $ActionExecOnlyOnceEveryInterval 300
> $ActionExecOnlyEveryNthTimeTimeout 1200
> $ActionExecOnlyEveryNthTime 3
> $...
> *.* action
> #this ends it
>
> So you need to put everything together. If you rip it apart, you will get
> undefined results.
>
> This is - to phrase it politely - not very well documented. You need to read
> the fine print, most of the $Action... params modify the *next* action - NOT
> *all* actions. So it is vitally important where they occur.
>
> Will try to make this clear as soon as I have a bit more time.
>
>
> Rainer
>>
>> - Julian
>>
>> On Sun, Mar 15, 2009 at 10:52 PM, Rainer Gerhards
>> <[email protected]> wrote:
>> > The issue is that these statements
>> >
>> > $ActionExecOnlyOnceEveryInterval 300
>> > $ActionExecOnlyEveryNthTimeTimeout 1200
>> > $ActionExecOnlyEveryNthTime 3
>> >
>> > Modify the *next* action. So you need to specify them in front of the action.
>> > If you use the $includeConfig option, and have part of the action inside the
>> > include file and other parts (the statements) outside (or vice versa), you
>> > never know which action gets configured how. So place all of them together.
>> >
>> > HTH
>> > Rainer
>> >
>> >> -----Original Message-----
>> >> From: [email protected] [mailto:rsyslog-
>> >> [email protected]] On Behalf Of Julian Yap
>> >> Sent: Monday, March 16, 2009 9:15 AM
>> >> To: rsyslog-users
>> >> Subject: Re: [rsyslog] Logging all messages from a remote server
>> >>
>> >> OK, I narrowed the issues down. Now I've faced strange issues like
>> >> this before when using the $IncludeConfig directive.
>> >>
>> >> This is what I have just tested with in my /etc/rsyslog.conf file (and
>> >> other lines) and it worked fine:
>> >> ----
>> >> $IncludeConfig /etc/rsyslog.d/
>> >> :FROMHOST, isequal, "server" /var/log/remote/server/all
>> >> ----
>> >>
>> >> Now if I have a file /etc/rsyslog.d/testalert_for_another_server,
>> >> things turn strange and only certain messages are logged from the
>> >> first server.:
>> >> ----
>> >> $ModLoad ommail
>> >>
>> >> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>> >>
>> >> $template DYNserver2, "/var/log/remote/server2.log"
>> >> $template TraditionalFormatNoHostname,"%timegenerated%
>> >> %syslogtag%%msg:::drop-last-lf%\n"
>> >>
>> >> if $hostname == 'server2.domain.com' then
>> >> ?DYNserver2;TraditionalFormatNoHostname
>> >>
>> >> $ActionMailFrom [email protected]
>> >> $ActionMailTo server2_alert
>> >> $template mailSubjectTestAlert,"INFO: Alert detected"
>> >> $template mailBodyTestAlert,"Message is..."
>> >> $ActionMailSubject mailSubjectTestAlert
>> >> $ActionExecOnlyOnceEveryInterval 300
>> >> $ActionExecOnlyEveryNthTimeTimeout 1200
>> >> $ActionExecOnlyEveryNthTime 3
>> >>
>> >> if $hostname == 'server2.domain.com' and $msg contains 'Some message'
>> >> then :ommail:;mailBodyTestAlert
>> >> ----
>> >>
>> >> Now if I add the contents of
>> >> /etc/rsyslog.d/testalert_for_another_server to /etc/rsyslog.conf (and
>> >> remove file /etc/rsyslog.d/testalert_for_another_server) then things
>> >> work fine...
>> >>
>> >> Now if I remove the previous changes to /etc/rsyslog.conf and modify
>> >> /etc/rsyslog.d/testalert_for_another_server and remove the following
>> >> lines then things work OK again:
>> >> $ActionExecOnlyOnceEveryInterval 300
>> >> $ActionExecOnlyEveryNthTimeTimeout 1200
>> >> $ActionExecOnlyEveryNthTime 3
>> >>
>> >>
>> >> - Julian
>> >>
>> >>
>> >> On Sun, Mar 15, 2009 at 7:16 PM, <[email protected]> wrote:
>> >> > On Sun, 15 Mar 2009, Julian Yap wrote:
>> >> >
>> >> >> I'm having trouble logging ALL the syslog messages received from a
>> >> >> server. I'm not sure if it's because it's from a non-standard piece
>> >> >> of hardware (ie. not a Linux server). Logging to another server
>> >> >> running syslogd works fine (but syslogd doesn't allow me to log
>> >> >> messages from a remote server to a separate file and it's not my
>> >> >> central syslogd server).
>> >> >>
>> >> >> I've tried several lines but none seem to work for me:
>> >> >> if $fromhost == 'server' then /var/log/remote/server/all
>> >> >> if $source == 'server' then /var/log/remote/server/all
>> >> >> :FROMHOST, isequal, "server" /var/log/remote/server/all
>> >> >> if $fromhost == 'server.domain.com' then /var/log/remote/server/all
>> >> >> if $fromhost-ip == '192.168.0.60' then /var/log/remote/server/all
>> >> >
>> >> > there are a few possible reasons that this could have problems
>> >> >
>> >> > is it that you have a high volume of logs and some just get dropped?
>> >> >
>> >> > if you just write everything to a file (*.* /var/log/test) does it have
>> >> > all the logs from this server? or is it missing some?
>> >> >
>> >> > do the logs from this server sometimes include the host and sometimes not?
>> >> >
>> >> > what is different between the logs that you match and the ones that you
>> >> > miss?
>> >> >
>> >> > David Lang
>> >> > _______________________________________________
>> >> > rsyslog mailing list
>> >> > http://lists.adiscon.net/mailman/listinfo/rsyslog
>> >> > http://www.rsyslog.com
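
Added example, not part of the original thread and not rsyslog's own code: a small Python check for the rule Rainer describes above, that the $ActionExecOnly... directives must sit directly in front of their action in the same file. It assumes any non-comment line that does not start with `$` is an action line; the function names and the sample configuration are constructed for illustration.

```python
import re

# The three directives named in the thread all start with $ActionExecOnly.
MODIFIER = re.compile(r"^\$ActionExecOnly\w+\s+\S+", re.IGNORECASE)

def bind_modifiers(text):
    """Return (bindings, dangling) for one legacy-format config file.

    bindings: [(action_line, [modifier lines directly in front of it])]
    dangling: modifier lines cut off from any action in this file
    Assumption: a non-comment line not starting with '$' is an action line.
    """
    pending, bindings, dangling = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if MODIFIER.match(line):
            pending.append(line)
        elif line.lower().startswith("$includeconfig"):
            dangling += pending          # an include sits between modifier and action
            pending = []
        elif not line.startswith("$"):
            if pending:
                bindings.append((line, pending))
            pending = []
    return bindings, dangling + pending  # leftovers reached end of file

def lint(files):
    """files: {path: text}. One finding per modifier split from its action."""
    return [f"{path}: {mod!r} is not followed by its action in this file"
            for path, text in files.items()
            for mod in bind_modifiers(text)[1]]

# Constructed sample: throttling left in an include file, while the mail
# action it was meant for lives in the main file.
SAMPLE = {
    "/etc/rsyslog.d/alert.conf":
        "$ActionExecOnlyOnceEveryInterval 300\n"
        "$ActionExecOnlyEveryNthTime 3\n",
    "/etc/rsyslog.conf":
        "$IncludeConfig /etc/rsyslog.d/\n"
        ':FROMHOST, isequal, "server" /var/log/remote/server/all\n'
        "if $msg contains 'Some message' then :ommail:;mailBodyTestAlert\n",
}

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Run over the main file and every file under the include directory, an empty result means each throttling directive has its action after it in the same file.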

