Yes, here is my config:

#rsyslog v7 config file
# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance

# Increasing Message size
$MaxMessageSize 64k

#### MODULES ####

# Input modules
module(load="imfile" pollingInterval="1")
input(type="imfile" file="/tmp/test.log" tag="testlog"
      statefile="/tmp/testlog-state" facility="local6" severity="info")

#### RULES ####

# Default spool directory
$WorkDirectory /nsm/logs/rsyslog
$MainMsgQueueFileName mainq
$MainMsgQueueType LinkedList
$MainMsgQueueSaveOnShutDown on
$MainMsgQueueMaxDiskSpace 40g
$MainMsgQueueSize 8000000

#
# Rules for Suricata IDP Sensors
#
if $syslogtag == 'testlog' and $syslogfacility-text == 'local6' then {
    action(type="omfwd" protocol="tcp" target="1.1.1.1" port="10514"
           queue.filename="testfwd" queue.maxdiskspace="10g"
           queue.saveonshutdown="on" queue.type="linkedlist"
           queue.maxfilesize="5m" action.resumeretrycount="-1")
    stop
}

On Tue, Aug 13, 2013 at 2:27 PM, Rainer Gerhards <[email protected]> wrote:
> Did you set the work dir? I think the old stuff does less checks (but won't
> work in that case).
>
> Sent from phone, thus brief.
> On 13.08.2013 09:13, "C. L. Martinez" <[email protected]> wrote:
>
>> On Tue, Aug 13, 2013 at 12:47 PM, Rainer Gerhards
>> <[email protected]> wrote:
>> > On Tue, Aug 13, 2013 at 2:37 PM, David Lang <[email protected]> wrote:
>> >
>> >> On Tue, 13 Aug 2013, C. L. Martinez wrote:
>> >>
>> >>> Hi all,
>> >>>
>> >>> Question: Is syslogtag property
>> >>> (http://www.rsyslog.com/doc/property_replacer.html)
>> >>> the same as tag
>> >>> when imfile module is used??
>> >>>
>> >>> For example in the following configuration:
>> >>>
>> >>> input(type="imfile" file="/tmp/test.log" tag="testlog:"
>> >>>       statefile="/tmp/testlog-state" facility="local6" severity="info")
>> >>>
>> >>> if $syslogtag == 'testlog:' then {
>> >>>     action(type="omfwd" protocol="tcp" target="1.1.1.1".....
>> >>>
>> >>> Is this correct??
>> >>>
>> >>
>> >> other than the fact that I'm not sure if the : is part of syslogtag, yes.
>> >> The tag value you use for imfile is what goes in the log in the syslogtag
>> >> location.
>> >>
>> >>
>> > The colon should not be part of it, but imfile (I think) does not check for
>> > invalid characters ... and it is probably too late to change that without
>> > breaking too much...
>> >
>> > Rainer
>> >
>>
>>
>> Uhmm .. I have erased the colon from the tag and syslogtag options, but it
>> seems some problem exists with the imfile module. Launching rsyslog in
>> debug mode:
>>
>> Stack now 0 1 18 42 61
>> Entering state 93
>> Reading a token: Now at end of input.
>> Reducing stack by rule 24 (line 151):
>> $1 = token IF ()
>> $2 = nterm expr ()
>> $3 = token THEN ()
>> $4 = nterm block ()
>> -> $$ = nterm stmt ()
>> Stack now 0 1
>> Entering state 20
>> Reducing stack by rule 3 (line 124):
>> $1 = nterm conf ()
>> $2 = nterm stmt ()
>> -> $$ = nterm conf ()
>> Stack now 0
>> Entering state 1
>> Now at end of input.
>> Shifting token $end ()
>> Entering state 2
>> Stack now 0 1 2
>> Cleanup: popping token $end ()
>> Cleanup: popping nterm conf ()
>> ^Crsyslogd: imfile: could not persist state file
>> /data/logs/rsyslog/test_conn-state - data may be repeated on next
>> startup. Is WorkDirectory set? [try http://www.rsyslog.com/e/2040 ]
>> rsyslogd: imfile: could not persist state file
>> /data/logs/rsyslog/test2-state - data may be repeated on next startup.
>> Is WorkDirectory set? [try http://www.rsyslog.com/e/2040 ]
>>
>> /data/logs/rsyslog directory exists ... And I don't understand this
>> problem....
>>
>> On the other side, where do I need to see if my action is working??
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>> DON'T LIKE THAT.
>>
>
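The three things this thread turns on (a colon inside the imfile tag, a filter whose $syslogtag comparison must match the tag the imfile input assigns, and $WorkDirectory having to be set before imfile can persist its state files) are all visible in the config text before rsyslogd is ever started. The small pre-flight checker below is an added example written for this page; it is not part of the thread, nor rsyslog's own tooling. It uses a deliberately narrow regex scan rather than a real RainerScript parser (an assumption of this example: objects are written as `input(...)` / `module(...)` / `action(...)` with double-quoted parameters, and filters compare `$syslogtag` to a single-quoted literal), and the two embedded configs are constructed reductions of the ones quoted above.

```python
import os
import re

# Constructed sample: the first configuration from the thread, reduced to the
# lines that matter (tag carries a trailing colon, no $WorkDirectory set).
CONFIG_WITH_COLON = '''
module(load="imfile" pollingInterval="1")
input(type="imfile" file="/tmp/test.log" tag="testlog:"
      statefile="/tmp/testlog-state" facility="local6" severity="info")
if $syslogtag == 'testlog:' then {
    action(type="omfwd" protocol="tcp" target="1.1.1.1" port="10514")
    stop
}
'''

# Constructed sample: the later configuration (colon removed, work dir set).
CONFIG_FIXED = '''
$WorkDirectory /nsm/logs/rsyslog
module(load="imfile" pollingInterval="1")
input(type="imfile" file="/tmp/test.log" tag="testlog"
      statefile="/tmp/testlog-state" facility="local6" severity="info")
if $syslogtag == 'testlog' and $syslogfacility-text == 'local6' then {
    action(type="omfwd" protocol="tcp" target="1.1.1.1" port="10514")
    stop
}
'''

# A RainerScript object such as input(...), possibly spanning several lines.
_OBJ_RE = re.compile(r'(input|module|action)\s*\(([^)]*)\)', re.S)
# name="value" parameters, including dotted ones such as queue.filename
_PARAM_RE = re.compile(r'(\w+(?:\.\w+)*)\s*=\s*"([^"]*)"')
# Filter comparisons of the form  $syslogtag == 'literal'
_TAG_CMP_RE = re.compile(r"\$syslogtag\s*==\s*'([^']*)'")
# Legacy directive, one per line
_WORKDIR_RE = re.compile(r'^\s*\$WorkDirectory\s+(\S+)', re.M)
_COMMENT_RE = re.compile(r'#[^\n]*')


def parse_objects(text):
    """Return [(kind, {param: value}), ...] for every input()/module()/action()."""
    clean = _COMMENT_RE.sub('', text)
    objs = []
    for m in _OBJ_RE.finditer(clean):
        # parameter names are case-insensitive in rsyslog; normalise to lower
        params = {k.lower(): v for k, v in _PARAM_RE.findall(m.group(2))}
        objs.append((m.group(1), params))
    return objs


def lint_rsyslog_config(text, check_workdir_exists=False):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    clean = _COMMENT_RE.sub('', text)
    imfile_tags = set()

    for kind, p in parse_objects(clean):
        if kind == 'input' and p.get('type') == 'imfile':
            tag = p.get('tag', '')
            if not tag:
                findings.append('imfile input for %s has no tag' % p.get('file'))
            elif re.search(r'[:\s]', tag):
                # the thread's point: the colon should not be part of the tag
                findings.append("imfile tag %r contains ':' or whitespace" % tag)
            imfile_tags.add(tag)

    wd = _WORKDIR_RE.search(clean)
    if imfile_tags and not wd:
        findings.append('$WorkDirectory not set; imfile cannot persist state files')
    elif wd and check_workdir_exists and not os.path.isdir(wd.group(1)):
        findings.append('$WorkDirectory %s does not exist' % wd.group(1))

    # Every $syslogtag comparison must name a tag that some imfile input sets,
    # otherwise the forwarding rule silently never matches.
    for cmp_tag in _TAG_CMP_RE.findall(clean):
        if imfile_tags and cmp_tag not in imfile_tags:
            findings.append("filter compares $syslogtag to %r, but no imfile "
                            "input declares that tag" % cmp_tag)
    return findings


if __name__ == '__main__':
    for name, cfg in (('with colon', CONFIG_WITH_COLON), ('fixed', CONFIG_FIXED)):
        print(name, '->', lint_rsyslog_config(cfg) or 'clean')
```

Running it on the two embedded configs reports the colon and the missing $WorkDirectory for the first and nothing for the second; editing the first so that the filter reads `'testlog'` while the input still says `"testlog:"` adds the tag-mismatch finding, which is exactly the situation in which the `omfwd` action would never fire. Pass `check_workdir_exists=True` on the host itself to also confirm the directory is present, which is the check the "could not persist state file" message above is asking for.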

