On Feb 19, 2014, at 8:33 AM, David Lang <[email protected]> wrote:

> On Wed, 19 Feb 2014, Chris Mann wrote:
>
>> On Feb 18, 2014, at 8:08 PM, David Lang <[email protected]> wrote:
>>
>>> On Tue, 18 Feb 2014, Chris Mann wrote:
>>>
>>>> Hello all,
>>>>
>>>> I’m trying to send a custom log file that our program generates to the
>>>> remote rsyslog server, with little to no luck. Ideally, I’d like to have
>>>> that log sent to its own file and not mixed in with the syslog traffic.
>>>>
>>>> We’re using Ubuntu 12.04LTS
>>>
>>> So, if you are using the default version of rsyslog, this is old enough
>>> that it's unsupported by the community (but your issue is probably not
>>> version dependent), what version is running?
>>
>> I’m running v7 stable from the adiscon apt-get repo.
>
> Ok, that helps
>
>>>
>>>> Server rsyslog server config:
>>>>
>>>> $ModLoad imuxsock # provides support for local system logging
>>>> $ModLoad imklog # provides kernel logging support (previously done by rklogd)
>>>> $ModLoad immark # provides --MARK-- message capability
>>>>
>>>> # provides UDP syslog reception
>>>> #$ModLoad imudp
>>>> #$UDPServerRun 514
>>>>
>>>> # provides TCP syslog reception
>>>> $ModLoad imtcp
>>>> $InputTCPServerRun 10514
>>>
>>> why use an odd port like this instead of using the standard 514 port?
>>
>> Just preference and as Rainer said, 514 is used by something else :).
>>
>>>
>>>> $template DynaFile,"/var/log/remote/%HOSTNAME%.log"
>>>> *.* -?DynaFile
>>>
>>> ok, this logs everything into per hostname files, with no filtering ahead
>>> of it.
>>>
>>>> ###########################
>>>> #### GLOBAL DIRECTIVES ####
>>>> ###########################
>>>>
>>>> #
>>>> # Use traditional timestamp format.
>>>> # To enable high precision timestamps, comment out the following line.
>>>> #
>>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>>>>
>>>> # Filter duplicated messages
>>>> $RepeatedMsgReduction on
>>>>
>>>> #
>>>> # Set the default permissions for all log files.
>>>>
>>>> $FileOwner syslog
>>>> $FileGroup adm
>>>> $FileCreateMode 0640
>>>> $DirCreateMode 0755
>>>> $Umask 0022
>>>> $PrivDropToUser syslog
>>>> $PrivDropToGroup adm
>>>>
>>>> #
>>>> # Where to place spool files
>>>> #
>>>> $WorkDirectory /var/spool/rsyslog
>>>>
>>>> #
>>>> # Include all config files in /etc/rsyslog.d/
>>>> #
>>>> $IncludeConfig /etc/rsyslog.d/*.conf
>>>>
>>>> # This one is the template to generate the log filename dynamically, depending on the client's IP address.
>>>> $template %RemoteHost,,"/var/log/remote/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"
>>>
>>> this template is by hostname, not client IP, you would use %fromhost-ip%
>>> instead of %hostname% if you want it by IP
>>>
>>> but it really doesn't matter since you don't have anything that uses this
>>> template. I also think that you can't use % in a template name, and should
>>> only have one ,
>>>
>>> as a result, I'm pretty sure that you get errors about being unable to
>>> parse the config file when you startup.
>>
>> Actually, I’m not getting any errors on start up. rsyslog starts up just
>> fine.
>
> are you sure? double check that it's not logging anything about errors at
> startup time. that line just doesn't look right. I also don't see any place
> that you are trying to use this template.

Nothing in the log, honest:

Feb 19 14:25:10 bundt rsyslogd: [origin software="rsyslogd" swVersion="7.4.10" x-pid="31532" x-info="http://www.rsyslog.com"] start
Feb 19 14:25:10 bundt rsyslogd: rsyslogd's groupid changed to 4
Feb 19 14:25:10 bundt rsyslogd: rsyslogd's userid changed to 101

>
>>>
>>>>
>>>> Client rsyslog config:
>>>>
>>>> # $ModLoad imfile
>>>> $ModLoad imuxsock # provides support for local system logging
>>>> $ModLoad imklog # provides kernel logging support (previously done by rklogd)
>>>> # $ModLoad immark # provides --MARK-- message capability
>>>>
>>>> # Watch /var/log/ejabberd/ejabberd.log
>>>> module(load="imfile" PollingInterval="10")
>>>> input(type="imfile"
>>>>       File="/var/log/ejabberd/ejabberd.log"
>>>>       Tag="ejabberd:"
>>>>       StateFile="state-ejabberd"
>>>>       Severity="info"
>>>>       Facility="local6"
>>>> )
>>>>
>>>> # Provides UDP forwarding. The IP is the server's IP address
>>>> # *.* @54.227.155.34:514
>>>>
>>>> # Provides TCP forwarding. But the current server runs on UDP
>>>> *.* @@devil.walkingservers.net:10514
>>>>
>>>> # provides UDP syslog reception
>>>> #$ModLoad imudp
>>>> #$UDPServerRun 514
>>>>
>>>> # provides TCP syslog reception
>>>> #$ModLoad imtcp
>>>> #$InputTCPServerRun 514
>>>>
>>>>
>>>> ###########################
>>>> #### GLOBAL DIRECTIVES ####
>>>> ###########################
>>>>
>>>> #
>>>> # Use traditional timestamp format.
>>>> # To enable high precision timestamps, comment out the following line.
>>>> #
>>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>>>>
>>>> # Filter duplicated messages
>>>> $RepeatedMsgReduction on
>>>>
>>>> #
>>>> # Set the default permissions for all log files.
>>>> #
>>>> $FileOwner syslog
>>>> $FileGroup adm
>>>> $FileCreateMode 0640
>>>> $DirCreateMode 0755
>>>> $Umask 0022
>>>> $PrivDropToUser syslog
>>>> $PrivDropToGroup adm
>>>>
>>>> #
>>>> # Where to place spool files
>>>> #
>>>> $WorkDirectory /var/spool/rsyslog
>>>>
>>>> #
>>>> $IncludeConfig /etc/rsyslog.d/*.conf
>>>>
>>>>
>>>> Can someone kick me in the direction of where I’m screwing up?
>>>
>>> In general, you should put global directives before any output. I don't
>>> know if that matters or not
>>>
>>> I don't know if there is anything being added by the include lines.
>>>
>>>
>>> so, this sends logs from the client to the server, using the default format
>>> (because you haven't specified anything), and the server then writes them
>>> to /var/log/<hostname>.log files
>>>
>>> now, you do set the logs you read from the file to the facility local6, so
>>> you could filter on that on the server if you want them written separately
>>>
>>> but, what is it that you think should be happening with this config? and
>>> what is actually happening?
>>
>> Long story short, I’d like the ejabberd.log file to go to
>> /var/log/remotes/$hostname/ejabberd.log as well as have the remote syslog
>> file go to the same place on the rsyslog server. I’ll fully admit, I’m new
>> to rsyslog. I’ve tried the docs, but there seems to be such a vast way of
>> doing things like this between v5 and v7, I’m all turned around and not sure
>> exactly what the right way is.
>
> Ok, in this case, the easy thing to do on the server is
>
> $template ejabberd,"/var/log/remotes/%hostname%/ejabberd.log"
> if $syslogtag == "ejabberd:" then ?ejabberd
>
> this creates the template for the filename, then when it sees anything with
> the syslog tag of ejabberd: (what you set on the client), it writes it to
> that log. This will also show up in any other logs that have rules that match
> this.
> If you don't want these logs to show up anywhere else, you can do
>
> if $syslogtag == "ejabberd:" then { ?ejabberd
> stop }
>
> or, in v5 compatible language
>
> if $syslogtag == "ejabberd:" then ?ejabberd
> & ~
>

I must be extra slow and dense. I added this into the rsyslog.conf file, under the module loading bit, and still nothing showing up. Now that I think about it for a bit, the ejabberd.log has long entries. By that I mean, the entries are not one liners, but more multi line paragraphs. Would that bork what I’m trying to do?

> when looking at the docs, what you will typically see is that the v7 format
> groups all the parameters together in one statement, while the older format
> requires that you set a bunch of parameters before each action, and some
> parameters only affect the next action while others have longer lasting
> effects. This can get rather confusing in complex setups, which is why the v7
> format added the new way of describing complex stuff.
>
> side note: you probably don't really want RepeatedMsgReduction turned on.
> what that does is that if a system logs the same message repeatedly, instead
> of showing all the messages, you get a log entry "last message repeated 13
> times", but it can be hard to figure out what that last message was (rsyslog
> has an option that puts the beginning of that log message after the "last
> message text"). Also, all the tools that you would use for alerting will want
> to see the actual messages, "last message repeated" just confuses them.
>
> we should probably add to the documentation to discourage use of that
> parameter.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
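
The server-side routing discussed in this thread, written in the v7 template()/action() form that the thread contrasts with the legacy directives. This is an added example, not part of the original message or of either poster's configuration; the template names EjabberdFile and PerHostFile and the file name syslog.log are assumptions, while port 10514, the "ejabberd:" tag and the /var/log/remotes path come from the messages above.

```conf
# Added example, not from the thread. Template names are hypothetical.

module(load="imtcp")
input(type="imtcp" port="10514")

# Per-host file for the ejabberd lines the client picks up with imfile.
# %hostname% is the name carried in the message; %fromhost-ip% (the
# sender's address) is the alternative mentioned in the thread.
template(name="EjabberdFile" type="string"
         string="/var/log/remotes/%hostname%/ejabberd.log")

# Per-host file for everything else (the name syslog.log is an assumption).
template(name="PerHostFile" type="string"
         string="/var/log/remotes/%hostname%/syslog.log")

# Rules are evaluated in order, so this block sits ahead of the catch-all.
# "stop" ends processing, keeping ejabberd lines out of syslog.log.
if $syslogtag == "ejabberd:" then {
    action(type="omfile" dynaFile="EjabberdFile")
    stop
}

# Catch-all: everything that was not stopped above.
*.* action(type="omfile" dynaFile="PerHostFile")
```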

