Are you on Ubuntu? Their default config drops privileges, but the file
system has wrong perms. Suggest to try running as root, at least for a try.


Rainer


On Wed, Feb 19, 2014 at 3:30 PM, Chris Mann <[email protected]> wrote:

>
> On Feb 19, 2014, at 8:33 AM, David Lang <[email protected]> wrote:
>
> > On Wed, 19 Feb 2014, Chris Mann wrote:
> >
> >> On Feb 18, 2014, at 8:08 PM, David Lang <[email protected]> wrote:
> >>
> >>> On Tue, 18 Feb 2014, Chris Mann wrote:
> >>>
> >>>> Hello all,
> >>>>
> >>>> I'm trying to send a custom log file that our program generates to
> the remote rsyslog server, with little to no luck. Ideally, I'd like to
> have that log sent to its own file and not mixed in with the syslog
> traffic.
> >>>>
> >>>> We're using Ubuntu 12.04LTS
> >>>
> >>> So, if you are using the default version of rsyslog, this is old
> enough that it's unsupported by the community (but your issue is probably
> not version dependent), what version is running?
> >>
> >> I'm running v7 stable from the adiscon apt-get repo.
> >
> > Ok, that helps
> >
> >>>
> >>>> Server rsyslog server config:
> >>>>
> >>>> $ModLoad imuxsock # provides support for local system logging
> >>>> $ModLoad imklog   # provides kernel logging support (previously done
> by rklogd)
> >>>> $ModLoad immark  # provides --MARK-- message capability
> >>>>
> >>>> # provides UDP syslog reception
> >>>> #$ModLoad imudp
> >>>> #$UDPServerRun 514
> >>>>
> >>>> # provides TCP syslog reception
> >>>> $ModLoad imtcp
> >>>> $InputTCPServerRun 10514
> >>>
> >>> why use an odd port like this instead of using the standard 514 port?
> >>
> >> Just preference and as Rainer said, 514 is used by something else :).
> >>
> >>>
> >>>> $template DynaFile,"/var/log/remote/%HOSTNAME%.log"
> >>>> *.* -?DynaFile
> >>>
> >>> ok, this logs everything into per hostname files, with no filtering
> ahead of it.
> >>>
> >>>> ###########################
> >>>> #### GLOBAL DIRECTIVES ####
> >>>> ###########################
> >>>>
> >>>> #
> >>>> # Use traditional timestamp format.
> >>>> # To enable high precision timestamps, comment out the following line.
> >>>> #
> >>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> >>>>
> >>>> # Filter duplicated messages
> >>>> $RepeatedMsgReduction on
> >>>>
> >>>> #
> >>>> # Set the default permissions for all log files.
> >>>>
> >>>> $FileOwner syslog
> >>>> $FileGroup adm
> >>>> $FileCreateMode 0640
> >>>> $DirCreateMode 0755
> >>>> $Umask 0022
> >>>> $PrivDropToUser syslog
> >>>> $PrivDropToGroup adm
> >>>>
> >>>> #
> >>>> # Where to place spool files
> >>>> #
> >>>> $WorkDirectory /var/spool/rsyslog
> >>>>
> >>>> #
> >>>> # Include all config files in /etc/rsyslog.d/
> >>>> #
> >>>> $IncludeConfig /etc/rsyslog.d/*.conf
> >>>>
> >>>> # This one is the template to generate the log filename dynamically,
> depending on the client's IP address.
> >>>> $template
> %RemoteHost,,"/var/log/remote/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"
> >>>
> >>> this template is by hostname, not client IP, you would use
> %fromhost-ip% instead of %hostname% if you want it by IP
> >>>
> >>> but it really doesn't matter since you don't have anything that uses
> this template. I also think that you can't use % in a template name, and
> should only have one ,
> >>>
> >>> as a result, I'm pretty sure that you get errors about being unable to
> parse the config file when you startup.
> >>
> >> Actually, I'm not getting any errors on start up. rsyslog starts up
> just fine.
> >
> > are you sure? double check that it's not logging anything about errors
> at startup time. that line just doesn't look right. I also don't see any
> place that you are trying to use this template.
>
> Nothing in the log, honest:
>
> Feb 19 14:25:10 bundt rsyslogd: [origin software="rsyslogd"
> swVersion="7.4.10" x-pid="31532" x-info="http://www.rsyslog.com"] start
> Feb 19 14:25:10 bundt rsyslogd: rsyslogd's groupid changed to 4
> Feb 19 14:25:10 bundt rsyslogd: rsyslogd's userid changed to 101
>
> >
> >>>
> >>>>
> >>>> Client rsyslog config:
> >>>>
> >>>> # $ModLoad imfile
> >>>> $ModLoad imuxsock # provides support for local system logging
> >>>> $ModLoad imklog   # provides kernel logging support (previously done
> by rklogd)
> >>>> # $ModLoad immark  # provides --MARK-- message capability
> >>>>
> >>>> # Watch /var/log/ejabberd/ejabberd.log
> >>>> module(load="imfile" PollingInterval="10")
> >>>> input(type="imfile"
> >>>>      File="/var/log/ejabberd/ejabberd.log"
> >>>>      Tag="ejabberd:"
> >>>>      StateFile="state-ejabberd"
> >>>>      Severity="info"
> >>>>      Facility="local6"
> >>>>      )
> >>>>
> >>>> # Provides UDP forwarding. The IP is the server's IP address
> >>>> # *.* @54.227.155.34:514
> >>>>
> >>>> # Provides TCP forwarding. But the current server runs on UDP
> >>>> *.* @@devil.walkingservers.net:10514
> >>>>
> >>>> # provides UDP syslog reception
> >>>> #$ModLoad imudp
> >>>> #$UDPServerRun 514
> >>>>
> >>>> # provides TCP syslog reception
> >>>> #$ModLoad imtcp
> >>>> #$InputTCPServerRun 514
> >>>>
> >>>>
> >>>> ###########################
> >>>> #### GLOBAL DIRECTIVES ####
> >>>> ###########################
> >>>>
> >>>> #
> >>>> # Use traditional timestamp format.
> >>>> # To enable high precision timestamps, comment out the following line.
> >>>> #
> >>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> >>>>
> >>>> # Filter duplicated messages
> >>>> $RepeatedMsgReduction on
> >>>>
> >>>> #
> >>>> # Set the default permissions for all log files.
> >>>> #
> >>>> $FileOwner syslog
> >>>> $FileGroup adm
> >>>> $FileCreateMode 0640
> >>>> $DirCreateMode 0755
> >>>> $Umask 0022
> >>>> $PrivDropToUser syslog
> >>>> $PrivDropToGroup adm
> >>>>
> >>>> #
> >>>> # Where to place spool files
> >>>> #
> >>>> $WorkDirectory /var/spool/rsyslog
> >>>>
> >>>> #
> >>>> $IncludeConfig /etc/rsyslog.d/*.conf
> >>>>
> >>>>
> >>>> Can someone kick me in the direction of where I'm screwing up?
> >>>
> >>> In general, you should put global directives before any output. I
> don't know if that matters or not
> >>>
> >>> I don't know if there is anything being added by the include lines.
> >>>
> >>>
> >>> so, this sends logs from the client to the server, using the default
> format (because you haven't specified anything), and the server then writes
> them to /var/log/<hostname>.log files
> >>>
> >>> now, you do set the logs you read from the file to the facility
> local6, so you could filter on that on the server if you want them written
> separately
> >>>
> >>> but, what is it that you think should be happening with this config?
> and what is actually happening?
> >>
> >> Long story short, I'd like the ejabberd.log file to go to
> /var/log/remotes/$hostname/ejabberd.log as well as have the remote syslog
> file go to the same place on the rsyslog server. I'll fully admit, I'm new
> to rsyslog. I've tried the docs, but there seems to be such a vast way of
> doing things like this between v5 and v7, I'm all turned around and not
> sure exactly what the right way is.
> >
> > Ok, in this case, the easy thing to do on the server is
> >
> > $template ejabberd,"/var/log/remotes/%hostname%/ejabberd.log"
> > if $syslogtag == "ejabberd:" then ?ejabberd
> >
> > this creates the template for the filename, then when it sees anything
> with the syslog tag of ejabberd: (what you set on the client), it writes it
> to that log. This will also show up in any other logs that have rules that
> match this. If you don't want these logs to show up anywhere else, you can
> do
> >
> > if $syslogtag == "ejabberd:" then { ?ejabberd
> >                                    stop }
> >
> > or, in v5 compatible language
> >
> > if $syslogtag == "ejabberd:" then ?ejabberd
> > & ~
> >
>
> I must be extra slow and dense. I added this into the rsyslog.conf file,
> under the module loading bit, and still nothing showing up. Now that I
> think about it for a bit, the ejabberd.log has long entries. By that I
> mean, the entries are not one liners, but more multi line paragraphs. Would
> that bork what I'm trying to do?
>
>
>
> > when looking at the docs, what you will typically see is that the v7
> format groups all the parameters together in one statement, while the older
> format requires that you set a bunch of parameters before each action, and
> some parameters only affect the next action while others have longer
> lasting effects. This can get rather confusing in complex setups, which is
> why the v7 format added the new way of describing complex stuff.
> >
> > side note: you probably don't really want RepeatedMsgReduction turned
> on. what that does is that if a system logs the same message repeatedly,
> instead of showing all the messages, you get a log entry "last message
> repeated 13 times", but it can be hard to figure out what that last message
> was (rsyslog has an option that puts the beginning of that log message
> after the "last message text"). Also, all the tools that you would use for
> alerting will want to see the actual messages, "last message repeated" just
> confuses them.
> >
> > we should probably add to the documentation to discourage use of that
> parameter.
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
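An added example (not from the thread or the rsyslog project) of the check behind the privilege-drop remark at the top of this message: given the account rsyslog drops to, find the directory whose mode bits stop it from creating a dynamic file such as /var/log/remotes/%hostname%/ejabberd.log. The function names and the uid/gid values are hypothetical, and only classic owner/group/other bits are evaluated (no ACLs or capabilities).

```python
import os
import tempfile

def allowed(st, uid, gids, want):
    """Classic Unix mode-bit check: owner class, else group class, else other."""
    if uid == 0:
        return True  # root bypasses directory permission bits
    if st.st_uid == uid:
        granted = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        granted = (st.st_mode >> 3) & 7
    else:
        granted = st.st_mode & 7
    return granted & want == want

def first_blocker(target, uid, gids):
    """Return the directory that stops uid/gids from creating target, or None."""
    # Nearest existing ancestor: everything below it has to be created by the
    # dropped-privilege process, so it needs write (2) + search (1) there.
    d = os.path.dirname(os.path.abspath(target))
    while not os.path.isdir(d):
        d = os.path.dirname(d)
    if not allowed(os.stat(d), uid, gids, 3):
        return d
    # Every directory above that one only needs search (1).
    while d != os.path.dirname(d):
        d = os.path.dirname(d)
        if not allowed(os.stat(d), uid, gids, 1):
            return d
    return None

def demo():
    # Constructed layout: a log root owned by the current user with mode 0755,
    # checked for a different, hypothetical uid/gid standing in for the
    # PrivDropToUser / PrivDropToGroup account.
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    st = os.stat(root)
    target = os.path.join(root, "remotes", "bundt", "ejabberd.log")
    return root, first_blocker(target, st.st_uid + 1, {st.st_gid + 1})

if __name__ == "__main__":
    root, blocker = demo()
    print("log root:", root)
    print("blocked at:", blocker)
```

On a real host, call `first_blocker` with the numeric ids rsyslog reports at startup ("userid changed to", "groupid changed to") and the expanded file name from the template.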