A bit more info. When using the legacy action (*.* @x.x.x.x:514), it shows as
being processed fine, but not traffic on the wire. When I use the
action(type="omfwd"...) with a queue, it shows the queue as expanding, but
nothing going out.
The full omfwd action config is:
*.* action(name="Action_FwdReceiver1"
type="omfwd"
target="x.x.x.x"
protocol="udp"
port="514"
action.resumeretrycount="-1"
queue.dequeuebatchsize="500"
queue.checkpointinterval="20000"
queue.type="linkedlist"
queue.timeoutenqueue="0"
queue.filename="FwdReceiver1ActionQueue"
queue.size="8000000"
queue.highwatermark="7000000"
queue.lowwatermark="500000"
queue.maxdiskspace="100G"
queue.saveonshutdown="on")
Thanks!
Robert
> From: [email protected]
> To: [email protected]
> Date: Thu, 5 Sep 2013 12:22:44 -0700
> Subject: [rsyslog] v7.4.4 and omfwd?
>
> I'm trying to get the last of my v7 migration done, and am testing the omfwd
> action, and it doesn't seem to be working at all.
>
> I've pasted most of my config below. What I see is the ruleset catches the
> messages, and hands them off to the queues. The action even reports that it
> has processed all the forwards, but TCPDUMP, and monitoring the outgoing
> traffic doesn't have any of the outgoing forwards. The other actions (writes
> to file shares) seem to be working properly.
>
> This repros whether I use the old forward action format (shown below), or the
> newer action(type="omfwd"...) format.
>
> Hoping someone can tell me what I'm missing. :)
>
> Thanks!
> Robert
>
> # rsyslog v7 configuration file
> # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
> # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
> # NetSec Syslog Server config file v3.0 : See the end of the file for
> revision information
>
> #### MODULES ####
> module(load="impstats" interval="300") # Provides periodic performance
> statistics (this must be the first thing in rsyslog.conf)
> module(load="imuxsock") # Provides support for local system logging (e.g.
> via logger command)
> module(load="imklog") # Provides kernel logging support (previously
> done by rklogd)
> module(load="imudp" timerequery="10000")# Provides UDP syslog reception
> #module(load="imptcp") # Provides TCP syslog reception
> #module(load="immark") # Provides --MARK-- message capability
>
> #### GLOBAL DIRECTIVES ####
> # Use default timestamp format
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> # Don't escape control characters
> $EscapeControlCharactersOnReceive off
> # Include all config files in /etc/rsyslog.d/
> $IncludeConfig /etc/rsyslog.d/*.conf
> # Set the working directory for disk buffers
> $WorkDirectory /syslogdata/buffer
>
> #### TEMPLATES ####
> # Filenames
> template (name="FirstProdFile" type="string"
> string="/firstprodshare/test/AP/%msg:F,32:3%-%$YEAR%-%$MONTH%-%$DAY%T%$HOUR%.%$QHOUR%")
> template (name="SecondProdFile" type="string"
> string="/secondprodshare/test/CS/%msg:F,32:3%-%$YEAR%-%$MONTH%-%$DAY%T%$HOUR%.%$QHOUR%")
> template (name="SyslogStats" type="string"
> string="/firstprodshare/00/syslogstats/%$YEAR%-%$MONTH%-%$DAY%-%$myhostname%-stats.txt")
>
> # Messages
> template (name="TemplateMessage" type="string"
> string="<%PRI%>%syslogtag%%msg%\n")
>
> #### MAIN MESSAGE QUEUE ####
> # Establish the Main Message Queue
> $MainMsgQueueFileName MainQueue
> $MainMsgQueueSize 8000000
> $MainMsgQueueHighWaterMark 7000000
> $MainMsgQueueLowWaterMark 500000
> $MainMsgQueueMaxFileSize 100G
> $MainMsgQueueSaveOnShutdown on
> $MainMsgQueueType LinkedList
> $MainMsgQueueWorkerThreads 4
> $MainMsgQueueCheckpointInterval 20000
>
> #### RULES ####
> ### Local logging
> ruleset(name="Ruleset_Local"){
> kern.*
> action(name="Action_local_kern" type="omfile" file="/var/log/messages")
> *.info;mail.none;authpriv.none;cron.none;syslog.none
> action(name="Action_local_info" type="omfile" file="/var/log/messages")
> authpriv.*
> action(name="Action_local_authpriv" type="omfile" file="/var/log/secure")
> mail.*
> action(name="Action_local_mail" type="omfile" file="/var/log/maillog")
> cron.*
> action(name="Action_local_cron" type="omfile" file="/var/log/cron")
> *.emerg
> action(name="Action_local_emerg" type="omusrmsg" users="*")
> uucp,news.crit
> action(name="Action_local_news" type="omfile" file="/var/log/spooler")
> local7.*
> action(name="Action_local_local7" type="omfile" file="/var/log/boot.log")
> syslog.info action(name="Action_SyslogStats" type="omfile"
> DynaFile="SyslogStats")
> syslog.info action(name="Action_SyslogStats" type="omfile"
> file="/var/log/syslog")
> } # End ruleset Local
>
> # Use ruleset Local as default
> $DefaultRuleset Ruleset_Local
> ### End local logging
>
> ### Remote logging
> ruleset (name="Ruleset_Remote"
> queue.type="linkedlist"
> queue.filename="RemoteRuleSetQueue"
> queue.size="8000000"
> queue.highwatermark="7000000"
> queue.lowwatermark="500000"
> queue.maxdiskspace="100G"
> queue.saveonshutdown="on"
> queue.workerthreads="4"){
>
> # Action: Write to the first file share
> *.* action (name="Action_FirstFileShare"
> type="omfile"
> DynaFile="FirstProdFile"
> template="TemplateMessage"
> iobuffersize="262144"
> action.resumeretrycount="-1"
> queue.dequeuebatchsize="5000"
> queue.checkpointinterval="20000"
> queue.type="linkedlist"
> queue.timeoutenqueue="0"
> queue.filename="FirstProdShareActionQueue"
> queue.size="8000000"
> queue.highwatermark="7000000"
> queue.lowwatermark="500000"
> queue.maxdiskspace="100G"
> queue.saveonshutdown="on"
> queue.workerthreads="4"
> )
>
> *.* @x.x.x.x:514
>
> # Action: Write to the second file share
> *.* action (name="Action_FileShare2"
> type="omfile"
> DynaFile="SecondProdFile"
> template="TemplateMessage"
> iobuffersize="262144"
> action.resumeretrycount="-1"
> queue.dequeuebatchsize="5000"
> queue.checkpointinterval="20000"
> queue.type="linkedlist"
> queue.timeoutenqueue="0"
> queue.filename="SecondProdShareActionQueue"
> queue.size="8000000"
> queue.highwatermark="7000000"
> queue.lowwatermark="500000"
> queue.maxdiskspace="100G"
> queue.saveonshutdown="on"
> queue.workerthreads="4")
>
> } # End ruleset Remote
>
> ## Listeners ##
> # Bind ruleset to UDP listener
> input(inputname="RemoteUDP_514" type="imudp" port="514"
> ruleset="Ruleset_Remote")
>
>
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
