On Thu, 13 Jun 2013, Aleksandar Lazic wrote:
Dear David.

Thanks for explanation of ruleset.

Due to the fact that the default Ubuntu setup uses rulesets, I didn't know that they are a primary optimization tool.

So this setup could be easier?

###
cat /etc/rsyslog.d/60-remote.conf
template(name="RemoteHost" type="string" string="/var/log/REMOTE_SERVER/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%-syslog.log")
template(name="dnsmasqRemoteHost" type="string" string="/var/log/REMOTE_SERVER/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%-dnsmasq.log")

ruleset(name="remote"){
    if $programname == "dnsmasq" then {
        action(type="omfile" name="dnsmasqRemoteHost" DirCreateMode="0755" FileCreateMode="0644" FileOwner="syslog" FileGroup="syslog" DynaFile="dnsmasqRemoteHost")
        stop
    }
    action(type="omfile" DynaFile="RemoteHost")
}

module(load="imtcp" MaxSessions="500" NotifyOnConnectionClose="on")
input(type="imtcp" port="2000" Ruleset="remote")
###
This configuration is saying that for messages that arrive via TCP, you only want to possibly ever do one of these two actions with the message. No other filters will apply.
If you just remove any reference to rulesets (both in the input name, and around these two actions), then all the rules that you define will be applied to the logs, no matter what source they come from.
David Lang
Best regards
Aleks

On 13-06-2013 03:29, David Lang wrote:

ahh, yes, if rules are in a ruleset that isn't being applied to the input you will have problems.

In general there are not a lot of reasons to use rulesets. If you have a very complex configuration, rulesets may be useful, but unlike syslog-ng, rsyslog does not require you to name things and then call them. Just define the rules.

I seem to be saying this a lot this month (both here and elsewhere :-) remember that premature optimization is the root of all evil. rulesets are an optimization tool, use them when you find that you need them. Otherwise they are likely to cause confusion (as it looks like they did in this case)

David Lang

On Thu, 13 Jun 2013, Aleksandar Lazic wrote:

Date: Thu, 13 Jun 2013 00:08:07 +0200
From: Aleksandar Lazic <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: [email protected]
Subject: Re: [rsyslog] first use of rainerscript rsyslog 7.4 and unbound messages

Ok I think I found the reason.

I have defined

##
....
$RuleSet remote
....
##

and have never changed.

in 50-default is

###
...
$RuleSet local
...
###

This sounds to be the reason.

BR
Aleks

On 12-06-2013 23:35, Aleksandar Lazic wrote:

Hi,

I have now commented the 2 lines

#$PrivDropToUser syslog
#$PrivDropToGroup syslog

stopped rsyslog and ran rsyslog with this command.

strace -fveall -s 1024 -o rsyslog_01 /usr/sbin/rsyslogd -dn > rsyslogd-debug_15.log

These 3 lines are at the beginning of the conf file.

###
$DebugFile /var/log/rsyslog_debug.log
$DebugLevel 2
*.* /var/log/debugfmt;RSYSLOG_DebugFormat
###

The files are downloadable from.

http://download.none.at/rsyslog_debug.log
http://download.none.at/rsyslogd-debug_15.log

The strace file can I send you off-list if you want it.

What ever I do the file /var/log/debugfmt is not created and I don't get permission denied or something similar.

BR
Aleks

On 12-06-2013 21:27, David Lang wrote:

try eliminating the privdrop configs. They cause all sorts of permission problems.

the debug file you provide doesn't show anything after the startup messages. You probably need to add the 'n' flag to the startup so that it doesn't go into the background.

David Lang

On Wed, 12 Jun 2013, Aleksandar Lazic wrote:

Date: Wed, 12 Jun 2013 20:52:43 +0200
From: Aleksandar Lazic <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: [email protected]
Subject: Re: [rsyslog] first use of rainerscript rsyslog 7.4 and unbound messages

Dear David,

On 12-06-2013 18:13, David Lang wrote:

On Wed, 12 Jun 2013, Aleksandar Lazic wrote:

[snipp]

does not work.

what doesn't work about it?

As I have tried to describe in my first post.

http://lists.adiscon.net/pipermail/rsyslog/2013-June/032776.html

###
I try to write all unbound syslog messages into the file /var/log/unbound.log

###
cat /etc/rsyslog.d/21-unbound.conf
if $programname == "unbound" then /var/log/unbound.log
###

after a host www.none.at I have only the message in /var/log/syslog but not in /var/log/unbound.log
###

i'll note that the logs I've seen from postfix don't have the programname == 'postfix', they have things like 'postfix/master', so it's very possible that your test is just wrong.

I have started with unbound, postfix was just another try. Let us focus on unbound.

In addition, there are conflicts between setting file owner/group and dropping privileges in many cases. Since we don't have your full config we can't see if that's what's happening.

My config-files are provided here.

http://download.none.at/rsyslog_confs.tar.gz

as described here

http://lists.adiscon.net/pipermail/rsyslog/2013-June/032812.html

I have also set a chown syslog /var/log so that rsyslog can create files.

I'll also note that turning sync on will drastically reduce your write performance (down to ~100 messages/sec on a standard 7200 rpm drive)

Thanks, I will change it.

in cases like this, the first thing to do is to simplify your config to see what part is failing. Is the test working? if so, what of the other options makes it quit working? If not, log with the RSYSLOG_DebugFormat to see what the fields really contain as per this post http://blog.gerhards.net/2013/06/rsyslog-how-can-i-see-which-field.html

I have used this and on Jun 10 it works,

http://lists.adiscon.net/pipermail/rsyslog/2013-June/032812.html

now 2 days later rsyslog does not write anything into this file?!

ls -larth /var/log/debugfmt
-rw-r--r-- 1 syslog adm 0 Jun 12 20:31 /var/log/debugfmt

I'm a little bit surprised that this happens?!

I have reverted all the changes but still rsyslog writes nothing into this file.

David Lang

there was an update for libestr0

libestr0 0.1.5-0adiscon3

from

# Adiscon repository
# http://www.rsyslog.com/ubuntu-repository/
deb http://ubuntu.adiscon.com/v7-stable precise/
deb-src http://ubuntu.adiscon.com/v7-stable precise/

the output of

/usr/sbin/rsyslogd -d > rsyslogd-debug_11.log

can get from

http://download.none.at/rsyslogd-debug_11.log

The current files are in this archive.

http://download.none.at/rsyslog_confs_01.tar.gz

I would be happy for help to find a solution.

Best regards
Aleks

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
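The ruleset binding that David Lang describes in the reply at the top of this message, shown as an added example that is not part of the original thread: Variant A keeps the posted binding, Variant B drops it. Port 2000, the `RemoteHost` template, and the `unbound` rule come from the thread; arranging them into two variants in one file is an assumption made for illustration.

```rsyslog
# Constructed example; template, port and the "unbound" rule are taken
# from the thread, the two-variant layout is illustrative only.
template(name="RemoteHost" type="string"
         string="/var/log/REMOTE_SERVER/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%-syslog.log")
module(load="imtcp" MaxSessions="500" NotifyOnConnectionClose="on")

# Rule in the default ruleset (as in 21-unbound.conf).
if $programname == "unbound" then /var/log/unbound.log

# --- Variant A: input bound to a ruleset (as posted) ---
# Messages received on TCP port 2000 are handed to ruleset "remote" and to
# nothing else, so the "unbound" rule above is never evaluated for them.
ruleset(name="remote") {
    action(type="omfile" DynaFile="RemoteHost")
}
input(type="imtcp" port="2000" Ruleset="remote")

# --- Variant B: no rulesets (use these lines instead of Variant A) ---
# The input feeds the default ruleset, so every rule in every included file
# is evaluated for TCP messages as well: the "unbound" rule above now also
# matches unbound messages from remote hosts, and the rules in 50-default
# apply to remote messages too.
#input(type="imtcp" port="2000")
#action(type="omfile" DynaFile="RemoteHost")
```

With Variant B, messages from remote hosts are written wherever the local rules send them in addition to the per-host files, which matters when local log files are assumed to contain only the collector's own events.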

