Harry Putnam wrote:
> Not sure if the localmachine is not sending or the remote not
> receiving. But it appears the logs expected to show up on the remote
> are not there.
>
> Both ends are gentoo linux, I'm not at all familiar with rsyslog but
> hoped I set it up right according to what I see on the example file
> and at:
> http://wiki.rsyslog.com/index.php/Very_simple_config_--_starting_point_for_modifications
>
> Local and remote configs appear in full [inlined] at the end.
Hi,
You seem to have all of the output ('action') configuration on the
client machine - that's all the stuff starting with *.*, local1.* etc.
As a consequence only the client machine is ever going to output
anything. Please verify that the client machine is indeed logging to
disk in /var/log.
If you now set up a catch-all action line in the server's rsyslog.conf
(and restart the service on both machines), I prophesy that output
originating from the client will start appearing on the server. E.g.:
*.* /var/log/catchall.log
You can test using the logger command on the client, e.g.
$ logger -p local1.info "Test log message from client"
--
Jack.
>
> Just a few lines (including commented ones) from local conf that I
> hoped were what I needed to send the logs:
>
> # Remote Logging (we use TCP for reliable delivery)
> # An on-disk queue is created for this action. If the remote host is
> # down, messages are spooled to disk and sent when it is up again.
> $WorkDirectory /var/rsyslog/spool # where to place spool files
>
> #$ActionQueueFileName uniqName # unique name prefix for spool files
> #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
> #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
> #$ActionQueueType LinkedList # run asynchronously
> #$ActionResumeRetryCount -1 # infinety retries if host is down
> # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
> #*.* @@remote-host
>
> The above last 2 commented lines would be less confusing of they
> used the same notation for remote host in both instances.
>
> remote host
> remote-host
>
> Appears to be talking about two different things
>
> *.* @@remote-host
>
> So is that really all it needs?
> ------- --------- ---=--- --------- --------
>
> Now a few lines from the remote rsyslog.conf
>
> # ######### Receiving Messages from Remote Hosts ##########
> # TCP Syslog Server:
> # provides TCP syslog reception and GSS-API (if compiled to support it)
> $ModLoad imtcp.so # load module
> # Note: as of now, you need to use the -t command line option to
> # enable TCP reception (e.g. -t514 to run a server at port 514/tcp)
> # This will change in later v3 releases.
>
> That is all it appears to indicate is needed to receive logs.
>
> And this (the remote) instance of rsyslog is being started with
>
> -c3 -t514 flags.
>
> ------- --------- ---=--- --------- --------
>
> Complete LOCAL rsyslog conf:
>
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> # [HP 112609_192532 Line above will cause rsyslog to use the previous
> # sysklogd date/time instead of the obnoxious but precision `new' format]
> #]
> # rsyslog v3: load input modules
> # If you do not load inputs, nothing happens!
> # You may need to set the module load path if modules are not found.
>
> $ModLoad immark.so # provides --MARK-- message capability
> $ModLoad imuxsock.so # provides support for local system logging (e.g. via
> logger command)
> $ModLoad imklog.so # kernel logging (formerly provided by rklogd)
>
> # Log all kernel messages to the console.
> # Logging much else clutters up the screen.
> #kern.* /dev/console
>
> # Log anything (except mail) of level info or higher.
> # Don't log private authentication messages!
> *.info;mail.none;authpriv.none;cron.none -/var/log/messages
>
> # The authpriv file has restricted access.
> authpriv.* /var/log/secure
>
> # Log all the mail messages in one place.
> mail.* -/var/log/mail.log
>
>
> # Log cron stuff
> cron.* -/var/log/cron.log
>
> # Everybody gets emergency messages
> *.emerg *
>
> # Save news errors of level crit and higher in a special file.
> uucp,news.crit -/var/log/spooler
>
> # Save boot messages also to boot.log
> local7.* /var/log/boot.log
>
> *.debug;mail.none;news.none -/var/log/debug.log
> # Remote Logging (we use TCP for reliable delivery)
> # An on-disk queue is created for this action. If the remote host is
> # down, messages are spooled to disk and sent when it is up again.
> $WorkDirectory /var/rsyslog/spool # where to place spool files
> #$ActionQueueFileName uniqName # unique name prefix for spool files
> #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
> #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
> #$ActionQueueType LinkedList # run asynchronously
> #$ActionResumeRetryCount -1 # infinety retries if host is down
> # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
> # remote host is:
> # logsrv:512 # e.g. 192.168.0.1:514, port optional
> *.* @@192.168.0.26:514
>
>
> # ######### Receiving Messages from Remote Hosts ##########
> # TCP Syslog Server:
> # provides TCP syslog reception and GSS-API (if compiled to support it)
> #$ModLoad imtcp.so # load module
> # Note: as of now, you need to use the -t command line option to
> # enable TCP reception (e.g. -t514 to run a server at port 514/tcp)
> # This will change in later v3 releases.
>
> # UDP Syslog Server:
> #$ModLoad imudp.so # provides UDP syslog reception
> #$UDPServerRun 514 # start a UDP syslog server at standard port 514
>
> ------- --------- ---=--- --------- --------
>
> Complete remote rsyslog.conf
>
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> # [HP 112609_192532 Line above will cause rsyslog to use the previous
> # sysklogd date/time instead of the obnoxious but precision `new' format]
> #]
> # rsyslog v3: load input
> # If you do not load inputs, nothing happens!
> # You may need to set the module load path if modules are not found.
>
> $ModLoad immark.so # provides --MARK-- message capability
> $ModLoad imuxsock.so # provides support for local system logging (e.g. via
> logger command)
> $ModLoad imklog.so # kernel logging (formerly provided by rklogd)
>
> # Log all kernel messages to the console.
> # Logging much else clutters up the screen.
> #kern.* /dev/console
>
> # Log anything (except mail) of level info or higher.
> # Don't log private authentication messages!
> *.info;mail.none;authpriv.none;cron.none -/var/log/messages
>
> # The authpriv file has restricted access.
> authpriv.* /var/log/secure
>
> # Log all the mail messages in one place.
> mail.* -/var/log/mail.log
>
>
> # Log cron stuff
> cron.* -/var/log/cron.log
>
> # Everybody gets emergency messages
> *.emerg *
>
> # Save news errors of level crit and higher in a special file.
> uucp,news.crit -/var/log/spooler
>
> # Save boot messages also to boot.log
> local7.* /var/log/boot.log
>
> *.debug;mail.none;news.none -/var/log/debug.log
>
> # Remote Logging (we use TCP for reliable delivery)
> # An on-disk queue is created for this action. If the remote host is
> # down, messages are spooled to disk and sent when it is up again.
> #$WorkDirectory /rsyslog/spool # where to place spool files
> #$ActionQueueFileName uniqName # unique name prefix for spool files
> #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
> #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
> #$ActionQueueType LinkedList # run asynchronously
> #$ActionResumeRetryCount -1 # infinety retries if host is down
> # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
> #*.* @@remote-host
>
>
> # ######### Receiving Messages from Remote Hosts ##########
> # TCP Syslog Server:
> # provides TCP syslog reception and GSS-API (if compiled to support it)
> $ModLoad imtcp.so # load module
> # Note: as of now, you need to use the -t command line option to
> # enable TCP reception (e.g. -t514 to run a server at port 514/tcp)
> # This will change in later v3 releases.
>
> # UDP Syslog Server:
> #$ModLoad imudp.so # provides UDP syslog reception
> #$UDPServerRun 514 # start a UDP syslog server at standard port 514
>
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
