Dear David,
On 13-06-2013 22:09, David Lang wrote:
On Thu, 13 Jun 2013, Aleksandar Lazic wrote:
Dear David.
Thanks for explanation of ruleset.
Due to the fact that the default Ubuntu setup uses rulesets, I haven't
known that they are a primary optimization tool.
So this setup could be easier?
### cat /etc/rsyslog.d/60-remote.conf
[snipp]
###
This configuration is saying that for messages that arrive via TCP,
you only want to possibly ever do one of these two actions with the
message. No other filters will apply.
if you just remove any reference to rulesets (both in the input name,
and around these two actions), then all the rules that you define will
be applied to the logs, no matter what source they come from.
Yep I wanted this. Thanks for confirmation ;-)
My question was is there a performance penalty when I use the
'ruleset(name="remote"){ ... }'
instead of not using it and handle the messages with
if $fromhost-ip == ....
as described in
http://lists.adiscon.net/pipermail/rsyslog/2013-June/032819.html
David Lang
Aleks
Best regards
Aleks
On 13-06-2013 03:29, David Lang wrote:
ahh, yes, if rules are in a ruleset that isn't being applied to the
input you will have problems.
In general there are not a lot of reasons to use rulesets.
If you have a very complex configuration, rulesets may be useful, but
unlike syslog-ng, rsyslog does not require you to name things and then
call them. Just define the rules.
I seem to be saying this a lot this month (both here and elsewhere :-)
remember that premature optimization is the root of all evil.
rulesets are an optimization tool, use them when you find that you
need them. Otherwise they are likely to cause confusion (as it looks
like they did in this case)
David Lang
On Thu, 13 Jun 2013, Aleksandar Lazic wrote:
Date: Thu, 13 Jun 2013 00:08:07 +0200
From: Aleksandar Lazic <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: [email protected]
Subject: Re: [rsyslog] first use of rainerscript rsyslog 7.4 and unbound messages
Ok I think I found the reason.
I have defined
##
....
$RuleSet remote
....
##
and have never changed.
in 50-default is
###
...
$RuleSet local
...
###
This sounds the reason to be.
BR Aleks
On 12-06-2013 23:35, Aleksandar Lazic wrote:
Hi,
I have now commented the 2 lines
#$PrivDropToUser syslog
#$PrivDropToGroup syslog
stopped rsyslog and run rsyslog with this command.
strace -fveall -s 1024 -o rsyslog_01 /usr/sbin/rsyslogd -dn > rsyslogd-debug_15.log
These 3 lines are at the beginning of the conf file.
###
$DebugFile /var/log/rsyslog_debug.log
$DebugLevel 2
*.* /var/log/debugfmt;RSYSLOG_DebugFormat
###
The files are downloadable from.
http://download.none.at/rsyslog_debug.log
http://download.none.at/rsyslogd-debug_15.log
The strace file can I send you off-list if you want it.
Whatever I do, the file /var/log/debugfmt is not created and I don't
get permission denied or something similar.
BR
Aleks
On 12-06-2013 21:27, David Lang wrote:
try eliminating the privdrop configs. They cause all sorts of
permission problems.
the debug file you provide doesn't show anything after the startup
messages. You probably need to add the 'n' flag to the startup so that
it doesn't go into the background.
David Lang
On Wed, 12 Jun 2013, Aleksandar Lazic wrote:
Date: Wed, 12 Jun 2013 20:52:43 +0200
From: Aleksandar Lazic <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: [email protected]
Subject: Re: [rsyslog] first use of rainerscript rsyslog 7.4 and unbound messages
Dear David,
On 12-06-2013 18:13, David Lang wrote:
On Wed, 12 Jun 2013, Aleksandar Lazic wrote:
[snipp]
does not work.
what doesn't work about it?
As I have tried to describe in my first post.
http://lists.adiscon.net/pipermail/rsyslog/2013-June/032776.html
###
I try to write all unbound syslog messages into the file
/var/log/unbound.log
### cat /etc/rsyslog.d/21-unbound.conf
if $programname == "unbound" then /var/log/unbound.log
###
after a host www.none.at I have only the message in /var/log/syslog but
not in /var/log/unbound.log
###
i'll note that the logs I've seen from postfix don't have the
programname == 'postfix', they have things like 'postfix/master', so
it's very possible that your test is just wrong.
I have started with unbound, postfix was just another try. Let us
focus on unbound.
In addition, there are conflicts between setting file owner/group and
dropping privileges in many cases. Since we don't have your full
config we can't see if that's what's happening.
My config-files are provided here.
http://download.none.at/rsyslog_confs.tar.gz
as described here
http://lists.adiscon.net/pipermail/rsyslog/2013-June/032812.html
I have also set a chown syslog /var/log so that rsyslog can
create files.
I'll also note that turning sync on will drastically reduce your write
performance (down to ~100 messages/sec on a standard 7200 rpm drive)
Thanks, i will change it.
in cases like this, the first thing to do is to simplify your config
to see what part is failing. Is the test working? if so, what of the
other options makes it quit working? If not, log with the
RSYSLOG_DebugFormat to see what the fields really contain as per
this post
http://blog.gerhards.net/2013/06/rsyslog-how-can-i-see-which-field.html
I have used this and on Jun 10 it works,
http://lists.adiscon.net/pipermail/rsyslog/2013-June/032812.html
now 2 days later rsyslog does not write anything into this file?!
ls -larth /var/log/debugfmt
-rw-r--r-- 1 syslog adm 0 Jun 12 20:31 /var/log/debugfmt
I'm a little bit surprised that this happen?!
I have reverted all the changes but still rsyslog writes nothing
into this file.
David Lang
there was an update for libestr0
libestr0 0.1.5-0adiscon3
from
# Adiscon repository
# http://www.rsyslog.com/ubuntu-repository/
deb http://ubuntu.adiscon.com/v7-stable precise/
deb-src http://ubuntu.adiscon.com/v7-stable precise/
the output of
/usr/sbin/rsyslogd -d > rsyslogd-debug_11.log
can get from
http://download.none.at/rsyslogd-debug_11.log
The current files are in this archive.
http://download.none.at/rsyslog_confs_01.tar.gz
I would be happy for help to find a solution.
Best regards
Aleks
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
POST if you DON'T LIKE THAT.
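
Added example, not part of the original thread and not the poster's actual files: the difference discussed above between binding a ruleset to the TCP input and leaving all rules in the default ruleset, plus the legacy `$RuleSet` pitfall found in the thread. The port, the file paths other than /var/log/unbound.log and /var/log/syslog, and the address 192.0.2.10 are assumptions.

```conf
# Constructed example for rsyslog v7 RainerScript; values are assumptions.

# --- Variant A: ruleset bound to the TCP input ---------------------------
module(load="imtcp")
input(type="imtcp" port="514" ruleset="remote")

ruleset(name="remote") {
    # Messages received on this TCP input are processed ONLY here.
    if $programname == "unbound" then {
        action(type="omfile" file="/var/log/unbound.log")
        stop
    }
    action(type="omfile" file="/var/log/remote.log")
}

# Rules outside any ruleset() block belong to RSYSLOG_DefaultRuleset.
# Inputs without a ruleset= binding (e.g. the local log socket) use it,
# so this rule never sees the TCP messages handled above.
*.* action(type="omfile" file="/var/log/syslog")

# --- Variant B: no rulesets, select by sender instead --------------------
# Every rule is applied to every message, whatever input it arrived on.
# input(type="imtcp" port="514")
# if $fromhost-ip == "192.0.2.10" then {
#     action(type="omfile" file="/var/log/remote.log")
#     stop
# }

# --- Legacy-directive pitfall --------------------------------------------
# $RuleSet switches the *current* ruleset: all rules that follow are added
# to it until the next $RuleSet directive. If no input is bound to that
# ruleset, those rules never match anything and no error is reported.
# $RuleSet remote
# if $programname == "unbound" then /var/log/unbound.log
# $RuleSet RSYSLOG_DefaultRuleset    # switch back for the remaining rules
```

When a filter silently writes nothing, check which ruleset the rule ended up in and whether the input that receives the message is bound to that ruleset.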