Thanks. That particular statement (with the port and *.*) works fine under 5.8.x, but I'll make this change and try it.
Thanks!
Robert
________________________________
From: David Lang<mailto:[email protected]>
Sent: 9/5/2013 2:50 PM
To: rsyslog-users<mailto:[email protected]>
Subject: Re: [rsyslog] v7.4.4 and omfwd?

by the way, with v7 you don't have to put in *.* you can just put the action

@x.x.x.x
action(whatever)

instead of

*.* @x.x.x.x
*.* action(whatever)

David Lang

On Thu, 5 Sep 2013, Robert McIntyre wrote:

> Date: Thu, 5 Sep 2013 14:45:47 -0700
> From: Robert McIntyre <[email protected]>
> Reply-To: rsyslog-users <[email protected]>
> To: rsyslog-users <[email protected]>
> Subject: Re: [rsyslog] v7.4.4 and omfwd?
>
> Thanks. I've stripped out everything but the ruleset queue, and the new
> format action, and it's still doing the same thing. It's not queuing up, but
> still nothing hitting the wire. I'll pull the queue stuff as well, just in
> case.
>
> Thanks!
> Robert
> ________________________________
> From: David Lang<mailto:[email protected]>
> Sent: 9/5/2013 2:30 PM
> To: rsyslog-users<mailto:[email protected]>
> Subject: Re: [rsyslog] v7.4.4 and omfwd?
>
> for the legacy action you should not need to specify the port. Try that and
> see if it works
>
> Then I would say try the new format, but simplify it, drop all the queue stuff
> and then work up from there.
>
> David Lang
>
> On Thu, 5 Sep 2013, Robert McIntyre wrote:
>
>> Date: Thu, 5 Sep 2013 13:15:29 -0700
>> From: Robert McIntyre <[email protected]>
>> Reply-To: rsyslog-users <[email protected]>
>> To: "[email protected]" <[email protected]>
>> Subject: Re: [rsyslog] v7.4.4 and omfwd?
>>
>> A bit more info. When using the legacy action (*.* @x.x.x.x:514), it shows
>> as being processed fine, but no traffic on the wire. When I use the
>> action(type="omfwd"...) with a queue, it shows the queue as expanding, but
>> nothing going out.
>>
>> The full omfwd action config is:
>>
>> *.* action(name="Action_FwdReceiver1"
>>     type="omfwd"
>>     target="x.x.x.x"
>>     protocol="udp"
>>     port="514"
>>     action.resumeretrycount="-1"
>>     queue.dequeuebatchsize="500"
>>     queue.checkpointinterval="20000"
>>     queue.type="linkedlist"
>>     queue.timeoutenqueue="0"
>>     queue.filename="FwdReceiver1ActionQueue"
>>     queue.size="8000000"
>>     queue.highwatermark="7000000"
>>     queue.lowwatermark="500000"
>>     queue.maxdiskspace="100G"
>>     queue.saveonshutdown="on")
>>
>> Thanks!
>> Robert
>>
>>> From: [email protected]
>>> To: [email protected]
>>> Date: Thu, 5 Sep 2013 12:22:44 -0700
>>> Subject: [rsyslog] v7.4.4 and omfwd?
>>>
>>> I'm trying to get the last of my v7 migration done, and am testing the
>>> omfwd action, and it doesn't seem to be working at all.
>>>
>>> I've pasted most of my config below. What I see is the ruleset catches the
>>> messages, and hands them off to the queues. The action even reports that
>>> it has processed all the forwards, but TCPDUMP, and monitoring the outgoing
>>> traffic doesn't have any of the outgoing forwards. The other actions
>>> (writes to file shares) seem to be working properly.
>>>
>>> This repros whether I use the old forward action format (shown below), or
>>> the newer action(type="omfwd"...) format.
>>>
>>> Hoping someone can tell me what I'm missing. :)
>>>
>>> Thanks!
>>> Robert
>>>
>>> # rsyslog v7 configuration file
>>> # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
>>> # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
>>> # NetSec Syslog Server config file v3.0 : See the end of the file for revision information
>>>
>>> #### MODULES ####
>>> module(load="impstats" interval="300") # Provides periodic performance statistics (this must be the first thing in rsyslog.conf)
>>> module(load="imuxsock") # Provides support for local system logging (e.g. via logger command)
>>> module(load="imklog") # Provides kernel logging support (previously done by rklogd)
>>> module(load="imudp" timerequery="10000") # Provides UDP syslog reception
>>> #module(load="imptcp") # Provides TCP syslog reception
>>> #module(load="immark") # Provides --MARK-- message capability
>>>
>>> #### GLOBAL DIRECTIVES ####
>>> # Use default timestamp format
>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>>> # Don't escape control characters
>>> $EscapeControlCharactersOnReceive off
>>> # Include all config files in /etc/rsyslog.d/
>>> $IncludeConfig /etc/rsyslog.d/*.conf
>>> # Set the working directory for disk buffers
>>> $WorkDirectory /syslogdata/buffer
>>>
>>> #### TEMPLATES ####
>>> # Filenames
>>> template (name="FirstProdFile" type="string"
>>>     string="/firstprodshare/test/AP/%msg:F,32:3%-%$YEAR%-%$MONTH%-%$DAY%T%$HOUR%.%$QHOUR%")
>>> template (name="SecondProdFile" type="string"
>>>     string="/secondprodshare/test/CS/%msg:F,32:3%-%$YEAR%-%$MONTH%-%$DAY%T%$HOUR%.%$QHOUR%")
>>> template (name="SyslogStats" type="string"
>>>     string="/firstprodshare/00/syslogstats/%$YEAR%-%$MONTH%-%$DAY%-%$myhostname%-stats.txt")
>>>
>>> # Messages
>>> template (name="TemplateMessage" type="string"
>>>     string="<%PRI%>%syslogtag%%msg%\n")
>>>
>>> #### MAIN MESSAGE QUEUE ####
>>> # Establish the Main Message Queue
>>> $MainMsgQueueFileName MainQueue
>>> $MainMsgQueueSize 8000000
>>> $MainMsgQueueHighWaterMark 7000000
>>> $MainMsgQueueLowWaterMark 500000
>>> $MainMsgQueueMaxFileSize 100G
>>> $MainMsgQueueSaveOnShutdown on
>>> $MainMsgQueueType LinkedList
>>> $MainMsgQueueWorkerThreads 4
>>> $MainMsgQueueCheckpointInterval 20000
>>>
>>> #### RULES ####
>>> ### Local logging
>>> ruleset(name="Ruleset_Local"){
>>>     kern.*
>>>         action(name="Action_local_kern" type="omfile" file="/var/log/messages")
>>>     *.info;mail.none;authpriv.none;cron.none;syslog.none
>>>         action(name="Action_local_info" type="omfile" file="/var/log/messages")
>>>     authpriv.*
>>>         action(name="Action_local_authpriv" type="omfile" file="/var/log/secure")
>>>     mail.*
>>>         action(name="Action_local_mail" type="omfile" file="/var/log/maillog")
>>>     cron.*
>>>         action(name="Action_local_cron" type="omfile" file="/var/log/cron")
>>>     *.emerg
>>>         action(name="Action_local_emerg" type="omusrmsg" users="*")
>>>     uucp,news.crit
>>>         action(name="Action_local_news" type="omfile" file="/var/log/spooler")
>>>     local7.*
>>>         action(name="Action_local_local7" type="omfile" file="/var/log/boot.log")
>>>     syslog.info action(name="Action_SyslogStats" type="omfile"
>>>         DynaFile="SyslogStats")
>>>     syslog.info action(name="Action_SyslogStats" type="omfile"
>>>         file="/var/log/syslog")
>>> } # End ruleset Local
>>>
>>> # Use ruleset Local as default
>>> $DefaultRuleset Ruleset_Local
>>> ### End local logging
>>>
>>> ### Remote logging
>>> ruleset (name="Ruleset_Remote"
>>>     queue.type="linkedlist"
>>>     queue.filename="RemoteRuleSetQueue"
>>>     queue.size="8000000"
>>>     queue.highwatermark="7000000"
>>>     queue.lowwatermark="500000"
>>>     queue.maxdiskspace="100G"
>>>     queue.saveonshutdown="on"
>>>     queue.workerthreads="4"){
>>>
>>>     # Action: Write to the first file share
>>>     *.* action (name="Action_FirstFileShare"
>>>         type="omfile"
>>>         DynaFile="FirstProdFile"
>>>         template="TemplateMessage"
>>>         iobuffersize="262144"
>>>         action.resumeretrycount="-1"
>>>         queue.dequeuebatchsize="5000"
>>>         queue.checkpointinterval="20000"
>>>         queue.type="linkedlist"
>>>         queue.timeoutenqueue="0"
>>>         queue.filename="FirstProdShareActionQueue"
>>>         queue.size="8000000"
>>>         queue.highwatermark="7000000"
>>>         queue.lowwatermark="500000"
>>>         queue.maxdiskspace="100G"
>>>         queue.saveonshutdown="on"
>>>         queue.workerthreads="4"
>>>     )
>>>
>>>     *.* @x.x.x.x:514
>>>
>>>     # Action: Write to the second file share
>>>     *.* action (name="Action_FileShare2"
>>>         type="omfile"
>>>         DynaFile="SecondProdFile"
>>>         template="TemplateMessage"
>>>         iobuffersize="262144"
>>>         action.resumeretrycount="-1"
>>>         queue.dequeuebatchsize="5000"
>>>         queue.checkpointinterval="20000"
>>>         queue.type="linkedlist"
>>>         queue.timeoutenqueue="0"
>>>         queue.filename="SecondProdShareActionQueue"
>>>         queue.size="8000000"
>>>         queue.highwatermark="7000000"
>>>         queue.lowwatermark="500000"
>>>         queue.maxdiskspace="100G"
>>>         queue.saveonshutdown="on"
>>>         queue.workerthreads="4")
>>>
>>> } # End ruleset Remote
>>>
>>> ## Listeners ##
>>> # Bind ruleset to UDP listener
>>> input(inputname="RemoteUDP_514" type="imudp" port="514"
>>>     ruleset="Ruleset_Remote")
>>>
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
>>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
>>> LIKE THAT.
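
A check for the symptom described in this thread (an action queue that keeps expanding while nothing goes out), as an added example that is not part of the original messages: it compares two impstats samples per named action. The sample lines are constructed, and the "name: key=value ..." line layout is an assumption about the impstats output in use.

```python
import re

# Assumed impstats layout: "<name>: key=value key=value ...", optionally preceded
# by a "...pstats: " tag. Names may themselves contain ':' (e.g. "imudp(*:514)").
LINE = re.compile(r"^(?:.*?pstats:\s*)?(?P<name>.+?):\s+(?P<kv>[\w.]+=\d+(?: [\w.]+=\d+)*)$")

# Constructed samples from two consecutive impstats intervals (not from the thread).
SAMPLE_T0 = """\
rsyslogd-pstats: imudp(*:514): submitted=1200
rsyslogd-pstats: Action_FirstFileShare: processed=1200 failed=0
rsyslogd-pstats: Action_FirstFileShare queue: size=0 enqueued=1200 full=0 maxqsize=40
rsyslogd-pstats: Action_FwdReceiver1: processed=0 failed=0
rsyslogd-pstats: Action_FwdReceiver1 queue: size=1200 enqueued=1200 full=0 maxqsize=1200
"""
SAMPLE_T1 = """\
rsyslogd-pstats: imudp(*:514): submitted=2500
rsyslogd-pstats: Action_FirstFileShare: processed=2500 failed=0
rsyslogd-pstats: Action_FirstFileShare queue: size=10 enqueued=2500 full=0 maxqsize=40
rsyslogd-pstats: Action_FwdReceiver1: processed=0 failed=0
rsyslogd-pstats: Action_FwdReceiver1 queue: size=2500 enqueued=2500 full=0 maxqsize=2500
"""

def parse(sample):
    """Return {counter name: {key: int}} for every line that matches LINE."""
    stats = {}
    for line in sample.splitlines():
        m = LINE.match(line.strip())
        if m:
            stats[m["name"]] = {k: int(v) for k, v in (p.split("=") for p in m["kv"].split())}
    return stats

def diagnose(prev_text, curr_text):
    """Return {action: (state, processed delta, queue size delta)} between two samples."""
    prev, curr = parse(prev_text), parse(curr_text)
    report = {}
    for name, now in curr.items():
        if "processed" not in now:
            continue  # input or queue counters, not an action
        before = prev.get(name, {})
        done = now["processed"] - before.get("processed", 0)
        failed = now.get("failed", 0) - before.get("failed", 0)
        grew = (curr.get(name + " queue", {}).get("size", 0)
                - prev.get(name + " queue", {}).get("size", 0))
        if failed > 0:
            state = "failing"
        elif grew > 0 and done == 0:
            state = "stalled"      # queue fills, action makes no progress
        else:
            state = "processing" if done > 0 else "idle"
        report[name] = (state, done, grew)
    return report

if __name__ == "__main__":
    for action, result in diagnose(SAMPLE_T0, SAMPLE_T1).items():
        print(action, result)
```

A "processing" result only shows that the action counter advanced; whether datagrams left the host still has to be confirmed with a packet capture, which is the comparison made in the thread.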

