Thanks.  I've stripped out everything but the ruleset queue, and the new format 
action, and it's still doing the same thing.  It's not queuing up, but still 
nothing hitting the wire.  I'll pull the queue stuff as well, just in case.

Thanks!
Robert
________________________________
From: David Lang<mailto:[email protected]>
Sent: 9/5/2013 2:30 PM
To: rsyslog-users<mailto:[email protected]>
Subject: Re: [rsyslog] v7.4.4 and omfwd?

for the legacy action you should not need to specify the port. Try that and see
if it works.

Then I would say try the new format, but simplify it, drop all the queue stuff
and then work up from there.

David Lang



On Thu, 5 Sep 2013, Robert McIntyre wrote:

> Date: Thu, 5 Sep 2013 13:15:29 -0700
> From: Robert McIntyre <[email protected]>
> Reply-To: rsyslog-users <[email protected]>
> To: "[email protected]" <[email protected]>
> Subject: Re: [rsyslog] v7.4.4 and omfwd?
>
> A bit more info.  When using the legacy action (*.* @x.x.x.x:514), it shows 
> as being processed fine, but no traffic on the wire.  When I use the 
> action(type="omfwd"...) with a queue, it shows the queue as expanding, but 
> nothing going out.
>
> The full omfwd action config is:
>
> *.* action(name="Action_FwdReceiver1"
> type="omfwd"
> target="x.x.x.x"
> protocol="udp"
> port="514"
> action.resumeretrycount="-1"
> queue.dequeuebatchsize="500"
> queue.checkpointinterval="20000"
> queue.type="linkedlist"
> queue.timeoutenqueue="0"
> queue.filename="FwdReceiver1ActionQueue"
> queue.size="8000000"
> queue.highwatermark="7000000"
> queue.lowwatermark="500000"
> queue.maxdiskspace="100G"
> queue.saveonshutdown="on")
>
> Thanks!
> Robert
>
>> From: [email protected]
>> To: [email protected]
>> Date: Thu, 5 Sep 2013 12:22:44 -0700
>> Subject: [rsyslog] v7.4.4 and omfwd?
>>
>> I'm trying to get the last of my v7 migration done, and am testing the omfwd 
>> action, and it doesn't seem to be working at all.
>>
>> I've pasted most of my config below.  What I see is the ruleset catches the 
>> messages, and hands them off to the queues.  The action even reports that it 
>> has processed all the forwards, but TCPDUMP, and monitoring the outgoing 
>> traffic doesn't have any of the outgoing forwards.  The other actions 
>> (writes to file shares) seem to be working properly.
>>
>> This repros whether I use the old forward action format (shown below), or 
>> the newer action(type="omfwd"...) format.
>>
>> Hoping someone can tell me what I'm missing. :)
>>
>> Thanks!
>> Robert
>>
>> # rsyslog v7 configuration file
>> # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
>> # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
>> # NetSec Syslog Server config file v3.0 : See the end of the file for revision information
>>
>> #### MODULES ####
>> module(load="impstats" interval="300") # Provides periodic performance statistics (this must be the first thing in rsyslog.conf)
>> module(load="imuxsock")     # Provides support for local system logging (e.g. via logger command)
>> module(load="imklog")       # Provides kernel logging support (previously done by rklogd)
>> module(load="imudp" timerequery="10000")# Provides UDP syslog reception
>> #module(load="imptcp")     # Provides TCP syslog reception
>> #module(load="immark")      # Provides --MARK-- message capability
>>
>> #### GLOBAL DIRECTIVES ####
>> # Use default timestamp format
>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>> # Don't escape control characters
>> $EscapeControlCharactersOnReceive off
>> # Include all config files in /etc/rsyslog.d/
>> $IncludeConfig /etc/rsyslog.d/*.conf
>> # Set the working directory for disk buffers
>> $WorkDirectory /syslogdata/buffer
>>
>> #### TEMPLATES ####
>> # Filenames
>> template (name="FirstProdFile" type="string" 
>> string="/firstprodshare/test/AP/%msg:F,32:3%-%$YEAR%-%$MONTH%-%$DAY%T%$HOUR%.%$QHOUR%")
>> template (name="SecondProdFile" type="string" 
>> string="/secondprodshare/test/CS/%msg:F,32:3%-%$YEAR%-%$MONTH%-%$DAY%T%$HOUR%.%$QHOUR%")
>> template (name="SyslogStats" type="string" 
>> string="/firstprodshare/00/syslogstats/%$YEAR%-%$MONTH%-%$DAY%-%$myhostname%-stats.txt")
>>
>> # Messages
>> template (name="TemplateMessage" type="string" 
>> string="<%PRI%>%syslogtag%%msg%\n")
>>
>> #### MAIN MESSAGE QUEUE ####
>> # Establish the Main Message Queue
>> $MainMsgQueueFileName MainQueue
>> $MainMsgQueueSize 8000000
>> $MainMsgQueueHighWaterMark 7000000
>> $MainMsgQueueLowWaterMark 500000
>> $MainMsgQueueMaxFileSize 100G
>> $MainMsgQueueSaveOnShutdown on
>> $MainMsgQueueType LinkedList
>> $MainMsgQueueWorkerThreads 4
>> $MainMsgQueueCheckpointInterval 20000
>>
>> #### RULES ####
>> ### Local logging
>> ruleset(name="Ruleset_Local"){
>> kern.*                                                 
>> action(name="Action_local_kern" type="omfile" file="/var/log/messages")
>> *.info;mail.none;authpriv.none;cron.none;syslog.none    
>> action(name="Action_local_info" type="omfile" file="/var/log/messages")
>> authpriv.*                                              
>> action(name="Action_local_authpriv" type="omfile" file="/var/log/secure")
>> mail.*                                                  
>> action(name="Action_local_mail" type="omfile" file="/var/log/maillog")
>> cron.*                                                  
>> action(name="Action_local_cron" type="omfile" file="/var/log/cron")
>> *.emerg                                                 
>> action(name="Action_local_emerg" type="omusrmsg" users="*")
>> uucp,news.crit                                          
>> action(name="Action_local_news" type="omfile" file="/var/log/spooler")
>> local7.*                                                
>> action(name="Action_local_local7" type="omfile" file="/var/log/boot.log")
>> syslog.info            action(name="Action_SyslogStats" type="omfile" 
>> DynaFile="SyslogStats")
>> syslog.info            action(name="Action_SyslogStats" type="omfile" 
>> file="/var/log/syslog")
>> } # End ruleset Local
>>
>> # Use ruleset Local as default
>> $DefaultRuleset Ruleset_Local
>> ### End local logging
>>
>> ### Remote logging
>> ruleset (name="Ruleset_Remote"
>>    queue.type="linkedlist"
>>    queue.filename="RemoteRuleSetQueue"
>>    queue.size="8000000"
>>    queue.highwatermark="7000000"
>>    queue.lowwatermark="500000"
>>    queue.maxdiskspace="100G"
>>    queue.saveonshutdown="on"
>>    queue.workerthreads="4"){
>>
>> # Action: Write to the first file share
>> *.*  action (name="Action_FirstFileShare"
>>     type="omfile"
>>     DynaFile="FirstProdFile"
>>     template="TemplateMessage"
>>     iobuffersize="262144"
>>     action.resumeretrycount="-1"
>>     queue.dequeuebatchsize="5000"
>>     queue.checkpointinterval="20000"
>>     queue.type="linkedlist"
>>     queue.timeoutenqueue="0"
>>     queue.filename="FirstProdShareActionQueue"
>>     queue.size="8000000"
>>     queue.highwatermark="7000000"
>>     queue.lowwatermark="500000"
>>     queue.maxdiskspace="100G"
>>     queue.saveonshutdown="on"
>>     queue.workerthreads="4"
>>     )
>>
>> *.*  @x.x.x.x:514
>>
>> # Action: Write to the second file share
>> *.*  action (name="Action_FileShare2"
>>     type="omfile"
>>     DynaFile="SecondProdFile"
>>     template="TemplateMessage"
>>     iobuffersize="262144"
>>     action.resumeretrycount="-1"
>>     queue.dequeuebatchsize="5000"
>>     queue.checkpointinterval="20000"
>>     queue.type="linkedlist"
>>     queue.timeoutenqueue="0"
>>     queue.filename="SecondProdShareActionQueue"
>>     queue.size="8000000"
>>     queue.highwatermark="7000000"
>>     queue.lowwatermark="500000"
>>     queue.maxdiskspace="100G"
>>     queue.saveonshutdown="on"
>>     queue.workerthreads="4")
>>
>> } # End ruleset Remote
>>
>> ## Listeners ##
>> # Bind ruleset to UDP listener
>> input(inputname="RemoteUDP_514" type="imudp" port="514" 
>> ruleset="Ruleset_Remote")
>>
>>
>>
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
>> LIKE THAT.

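A small UDP sink for checking whether forwarded syslog datagrams actually arrive and what `<PRI>` they carry, as an added example that is not part of the thread or of rsyslog. The function names, the loopback address and the sample message are assumptions constructed for illustration.

```python
import re
import socket

# Facility/severity names by number, as encoded in the <PRI> value.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(datagram):
    """Return (facility, severity, rest) or None if there is no valid <PRI>."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:   # facility 23, severity 7 is the maximum
        return None
    pri = int(m.group(1))
    rest = datagram[m.end():].rstrip(b"\r\n").decode("utf-8", "replace")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], rest


def collect(sink, max_msgs=10):
    """Read datagrams until max_msgs arrive or the socket timeout expires."""
    seen = []
    try:
        while len(seen) < max_msgs:
            data, peer = sink.recvfrom(65535)
            seen.append((peer[0], decode_pri(data)))
    except socket.timeout:
        pass
    return seen


def open_sink(host="127.0.0.1", port=0, timeout=5.0):
    """Bind a UDP socket; port 0 lets the OS pick a free unprivileged port."""
    sink = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sink.bind((host, port))
    sink.settimeout(timeout)
    return sink


if __name__ == "__main__":
    sink = open_sink(timeout=2.0)
    port = sink.getsockname()[1]
    # Constructed sample shaped like the thread's "<%PRI%>%syslogtag%%msg%\n" template.
    sample = b"<134>testtag: hello from the forwarder\n"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        tx.sendto(sample, ("127.0.0.1", port))
    for peer, decoded in collect(sink, max_msgs=1):
        print(peer, decoded)
    sink.close()
```

To test a real forwarder, bind `open_sink` to an address the rsyslog host can reach and point the forwarding action's target and port at it. An empty list from `collect` means no datagram reached the socket within the timeout.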