Thanks!
Robert
From: [email protected]
To: [email protected]
Date: Thu, 5 Sep 2013 15:39:45 -0700
Subject: Re: [rsyslog] v7.4.4 and omfwd?
Interestingly, if I switch my v7 action(type=) command to tcp/port
10514, it forwards fine, even with all the queuing config, etc., which
makes me really stumped, now. :| I've verified that there's no firewall in
the way (disabled via iptables), and the exact same tcpdump commands work
to display the outgoing traffic on my production box running 5.8.10.
Does anyone else have omfwd working in 7.4.4 over UDP?
Thanks!
Robert
From: [email protected]
To: [email protected]
Date: Thu, 5 Sep 2013 15:12:45 -0700
Subject: Re: [rsyslog] v7.4.4 and omfwd?
No luck. Removed the *.* and all queue config for the action in the
v7 action, and still does the same thing. I've captured a debug log, but
am loath to send it out since it contains the actual syslog events. Can
you suggest things to look for in it?
Thanks!
Robert
To: [email protected]
From: [email protected]
Date: Thu, 5 Sep 2013 14:59:30 -0700
Subject: Re: [rsyslog] v7.4.4 and omfwd?
Thanks. That particular statement (with the port and *.*) works
fine under 5.8.x, but I'll make this change and try it.
Thanks!
Robert
________________________________
From: David Lang<mailto:[email protected]>
Sent: 9/5/2013 2:50 PM
To: rsyslog-users<mailto:[email protected]>
Subject: Re: [rsyslog] v7.4.4 and omfwd?
by the way, with v7 you don't have to put in *.* you can just put
the action
@x.x.x.x
action(whatever)
instead of
*.* @x.x.x.x
*.* action(whatever)
David Lang
On Thu, 5 Sep 2013, Robert McIntyre wrote:
Date: Thu, 5 Sep 2013 14:45:47 -0700
From: Robert McIntyre <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] v7.4.4 and omfwd?
Thanks. I've stripped out everything but the ruleset queue, and
the new format action, and it's still doing the same thing. It's not
queuing up, but still nothing hitting the wire. I'll pull the queue stuff
as well, just in case.
Thanks!
Robert
________________________________
From: David Lang<mailto:[email protected]>
Sent: 9/5/2013 2:30 PM
To: rsyslog-users<mailto:[email protected]>
Subject: Re: [rsyslog] v7.4.4 and omfwd?
for the legacy action you should not need to specify the port. Try
that and see if it works
Then I would say try the new format, but simplify it, drop all the
queue stuff and then work up from there.
David Lang
On Thu, 5 Sep 2013, Robert McIntyre wrote:
Date: Thu, 5 Sep 2013 13:15:29 -0700
From: Robert McIntyre <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: "[email protected]" <[email protected]>
Subject: Re: [rsyslog] v7.4.4 and omfwd?
A bit more info. When using the legacy action (*.*
@x.x.x.x:514), it shows as being processed fine, but no traffic on the
wire. When I use the action(type="omfwd"...) with a queue, it shows the
queue as expanding, but nothing going out.
The full omfwd action config is:
*.* action(name="Action_FwdReceiver1"
type="omfwd"
target="x.x.x.x"
protocol="udp"
port="514"
action.resumeretrycount="-1"
queue.dequeuebatchsize="500"
queue.checkpointinterval="20000"
queue.type="linkedlist"
queue.timeoutenqueue="0"
queue.filename="FwdReceiver1ActionQueue"
queue.size="8000000"
queue.highwatermark="7000000"
queue.lowwatermark="500000"
queue.maxdiskspace="100G"
queue.saveonshutdown="on")
Thanks!
Robert
From: [email protected]
To: [email protected]
Date: Thu, 5 Sep 2013 12:22:44 -0700
Subject: [rsyslog] v7.4.4 and omfwd?
I'm trying to get the last of my v7 migration done, and am
testing the omfwd action, and it doesn't seem to be working at all.
I've pasted most of my config below. What I see is the ruleset
catches the messages, and hands them off to the queues. The action even
reports that it has processed all the forwards, but TCPDUMP, and monitoring
the outgoing traffic doesn't have any of the outgoing forwards. The other
actions (writes to file shares) seem to be working properly.
This repros whether I use the old forward action format (shown
below), or the newer action(type="omfwd"...) format.
Hoping someone can tell me what I'm missing. :)
Thanks!
Robert
# rsyslog v7 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
# NetSec Syslog Server config file v3.0 : See the end of the file for revision information
#### MODULES ####
module(load="impstats" interval="300") # Provides periodic performance statistics (this must be the first thing in rsyslog.conf)
module(load="imuxsock") # Provides support for local system logging (e.g. via logger command)
module(load="imklog") # Provides kernel logging support (previously done by rklogd)
module(load="imudp" timerequery="10000")# Provides UDP syslog reception
#module(load="imptcp") # Provides TCP syslog reception
#module(load="immark") # Provides --MARK-- message capability
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Don't escape control characters
$EscapeControlCharactersOnReceive off
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Set the working directory for disk buffers
$WorkDirectory /syslogdata/buffer
#### TEMPLATES ####
# Filenames
template (name="FirstProdFile" type="string"
string="/firstprodshare/test/AP/%msg:F,32:3%-%$YEAR%-%$MONTH%-%$DAY%T%$HOUR%.%$QHOUR%")
template (name="SecondProdFile" type="string"
string="/secondprodshare/test/CS/%msg:F,32:3%-%$YEAR%-%$MONTH%-%$DAY%T%$HOUR%.%$QHOUR%")
template (name="SyslogStats" type="string"
string="/firstprodshare/00/syslogstats/%$YEAR%-%$MONTH%-%$DAY%-%$myhostname%-stats.txt")
# Messages
template (name="TemplateMessage" type="string"
string="<%PRI%>%syslogtag%%msg%\n")
#### MAIN MESSAGE QUEUE ####
# Establish the Main Message Queue
$MainMsgQueueFileName MainQueue
$MainMsgQueueSize 8000000
$MainMsgQueueHighWaterMark 7000000
$MainMsgQueueLowWaterMark 500000
$MainMsgQueueMaxFileSize 100G
$MainMsgQueueSaveOnShutdown on
$MainMsgQueueType LinkedList
$MainMsgQueueWorkerThreads 4
$MainMsgQueueCheckpointInterval 20000
#### RULES ####
### Local logging
ruleset(name="Ruleset_Local"){
kern.*
action(name="Action_local_kern" type="omfile" file="/var/log/messages")
*.info;mail.none;authpriv.none;cron.none;syslog.none
action(name="Action_local_info" type="omfile" file="/var/log/messages")
authpriv.*
action(name="Action_local_authpriv" type="omfile" file="/var/log/secure")
mail.*
action(name="Action_local_mail" type="omfile" file="/var/log/maillog")
cron.*
action(name="Action_local_cron" type="omfile" file="/var/log/cron")
*.emerg
action(name="Action_local_emerg" type="omusrmsg" users="*")
uucp,news.crit
action(name="Action_local_news" type="omfile" file="/var/log/spooler")
local7.*
action(name="Action_local_local7" type="omfile" file="/var/log/boot.log")
syslog.info action(name="Action_SyslogStats"
type="omfile" DynaFile="SyslogStats")
syslog.info action(name="Action_SyslogStats"
type="omfile" file="/var/log/syslog")
} # End ruleset Local
# Use ruleset Local as default
$DefaultRuleset Ruleset_Local
### End local logging
### Remote logging
ruleset (name="Ruleset_Remote"
queue.type="linkedlist"
queue.filename="RemoteRuleSetQueue"
queue.size="8000000"
queue.highwatermark="7000000"
queue.lowwatermark="500000"
queue.maxdiskspace="100G"
queue.saveonshutdown="on"
queue.workerthreads="4"){
# Action: Write to the first file share
*.* action (name="Action_FirstFileShare"
type="omfile"
DynaFile="FirstProdFile"
template="TemplateMessage"
iobuffersize="262144"
action.resumeretrycount="-1"
queue.dequeuebatchsize="5000"
queue.checkpointinterval="20000"
queue.type="linkedlist"
queue.timeoutenqueue="0"
queue.filename="FirstProdShareActionQueue"
queue.size="8000000"
queue.highwatermark="7000000"
queue.lowwatermark="500000"
queue.maxdiskspace="100G"
queue.saveonshutdown="on"
queue.workerthreads="4"
)
*.* @x.x.x.x:514
# Action: Write to the second file share
*.* action (name="Action_FileShare2"
type="omfile"
DynaFile="SecondProdFile"
template="TemplateMessage"
iobuffersize="262144"
action.resumeretrycount="-1"
queue.dequeuebatchsize="5000"
queue.checkpointinterval="20000"
queue.type="linkedlist"
queue.timeoutenqueue="0"
queue.filename="SecondProdShareActionQueue"
queue.size="8000000"
queue.highwatermark="7000000"
queue.lowwatermark="500000"
queue.maxdiskspace="100G"
queue.saveonshutdown="on"
queue.workerthreads="4")
} # End ruleset Remote
## Listeners ##
# Bind ruleset to UDP listener
input(inputname="RemoteUDP_514" type="imudp" port="514"
ruleset="Ruleset_Remote")
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by
a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
you DON'T LIKE THAT.
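An added example, not part of the thread and not rsyslog's own code: a small Python inventory of the forwarders in a config like the one quoted above, useful when stripping a setup down to a single omfwd action as the replies suggest. It also reports action names used more than once, as with Action_SyslogStats in the quoted config. The function names and SAMPLE are constructed for illustration, and it assumes double-quoted parameter values and plain @host / @@host legacy lines.

```python
import re
from collections import Counter

# Constructed sample, abridged from the configuration quoted in the thread.
SAMPLE = '''
syslog.info action(name="Action_SyslogStats"
type="omfile" DynaFile="SyslogStats")
syslog.info action(name="Action_SyslogStats"
type="omfile" file="/var/log/syslog")
#*.* action(name="Disabled" type="omfwd" target="y.y.y.y")
*.* action(name="Action_FwdReceiver1" type="omfwd"
target="x.x.x.x" protocol="udp" port="514"
queue.type="linkedlist" queue.filename="FwdReceiver1ActionQueue")
*.* @x.x.x.x:514
'''

# An action(...) body: quoted strings plus any text without quotes or parens.
ACTION_RE = re.compile(r'\baction\s*\(((?:"[^"]*"|[^")])*)\)', re.I)
PARAM_RE = re.compile(r'([\w.]+)\s*=\s*"([^"]*)"')
# Legacy forwarding: optional selector, then @host (UDP) or @@host (TCP).
LEGACY_RE = re.compile(r'^[ \t]*(?:\S+[ \t]+)?(@@?)([^\s:@(]+)(?::(\d+))?[ \t]*$', re.M)

def strip_comments(conf):
    """Remove '#' comments but leave '#' inside quoted values alone."""
    return re.sub(r'"[^"]*"|#[^\n]*',
                  lambda m: m.group(0) if m.group(0).startswith('"') else '', conf)

def parse_actions(conf):
    """One dict of lower-cased parameter names per action() block."""
    return [{k.lower(): v for k, v in PARAM_RE.findall(body)}
            for body in ACTION_RE.findall(strip_comments(conf))]

def duplicate_names(actions):
    """Action names that appear on more than one action() block."""
    counts = Counter(a["name"] for a in actions if "name" in a)
    return sorted(n for n, c in counts.items() if c > 1)

def forward_targets(conf):
    """List (name, protocol, host, port, has_own_queue) for every forwarder."""
    found = []
    for a in parse_actions(conf):
        if a.get("type", "").lower() == "omfwd":
            # omfwd defaults to UDP and port 514 when these are not set.
            found.append((a.get("name", "(unnamed)"), a.get("protocol", "udp").lower(),
                          a.get("target"), a.get("port", "514"),
                          any(k.startswith("queue.") for k in a)))
    for at, host, port in LEGACY_RE.findall(strip_comments(conf)):
        found.append(("(legacy)", "tcp" if at == "@@" else "udp", host, port or "514", False))
    return found
```

Calling forward_targets() on the full rsyslog.conf text gives the list of destinations to watch for in a packet capture, one row per forwarder.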