Update: 

I got it working, the changes I made in the config file that I posted here 
worked. I just had to comment out the drop privs part of the config file on the 
client server. Life is good.

Silly Ubuntu.

Thanks for all your help David and Rainer!


On Feb 19, 2014, at 10:02 AM, David Lang <[email protected]> wrote:

> On Wed, 19 Feb 2014, Rainer Gerhards wrote:
> 
>> are you on Ubuntu? Their default config drops privileges, but the file
>> system has wrong perms. Suggest to try running as root, at least for a try.
> 
> good point, is this something we can fix in the PPA?
> 
> David Lang
> 
>> 
>> Rainer
>> 
>> 
>> On Wed, Feb 19, 2014 at 3:30 PM, Chris Mann <[email protected]> wrote:
>> 
>>> 
>>> On Feb 19, 2014, at 8:33 AM, David Lang <[email protected]> wrote:
>>> 
>>>> On Wed, 19 Feb 2014, Chris Mann wrote:
>>>> 
>>>>> On Feb 18, 2014, at 8:08 PM, David Lang <[email protected]> wrote:
>>>>> 
>>>>>> On Tue, 18 Feb 2014, Chris Mann wrote:
>>>>>> 
>>>>>>> Hello all,
>>>>>>> 
>>>>>>> I'm trying to send a custom log file that our program generates to
>>> the remote rsyslog server, with little to no luck. Ideally, I'd like to
>>> have that log sent to its own file and not mixed in with the syslog
>>> traffic.
>>>>>>> 
>>>>>>> We're using Ubuntu 12.04LTS
>>>>>> 
>>>>>> So, if you are using the default version of rsyslog, this is old
>>> enough that it's unsupported by the community (but your issue is probably
>>> not version dependent), what version is running?
>>>>> 
>>>>> I'm running v7 stable from the adiscon apt-get repo.
>>>> 
>>>> Ok, that helps
>>>> 
>>>>>> 
>>>>>>> Server rsyslog server config:
>>>>>>> 
>>>>>>> $ModLoad imuxsock # provides support for local system logging
>>>>>>> $ModLoad imklog   # provides kernel logging support (previously done
>>> by rklogd)
>>>>>>> $ModLoad immark  # provides --MARK-- message capability
>>>>>>> 
>>>>>>> # provides UDP syslog reception
>>>>>>> #$ModLoad imudp
>>>>>>> #$UDPServerRun 514
>>>>>>> 
>>>>>>> # provides TCP syslog reception
>>>>>>> $ModLoad imtcp
>>>>>>> $InputTCPServerRun 10514
>>>>>> 
>>>>>> why use an odd port like this instead of using the standard 514 port?
>>>>> 
>>>>> Just preference and as Rainer said, 514 is used by something else :).
>>>>> 
>>>>>> 
>>>>>>> $template DynaFile,"/var/log/remote/%HOSTNAME%.log"
>>>>>>> *.* -?DynaFile
>>>>>> 
>>>>>> ok, this logs everything into per hostname files, with no filtering
>>> ahead of it.
>>>>>> 
>>>>>>> ###########################
>>>>>>> #### GLOBAL DIRECTIVES ####
>>>>>>> ###########################
>>>>>>> 
>>>>>>> #
>>>>>>> # Use traditional timestamp format.
>>>>>>> # To enable high precision timestamps, comment out the following line.
>>>>>>> #
>>>>>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>>>>>>> 
>>>>>>> # Filter duplicated messages
>>>>>>> $RepeatedMsgReduction on
>>>>>>> 
>>>>>>> #
>>>>>>> # Set the default permissions for all log files.
>>>>>>> 
>>>>>>> $FileOwner syslog
>>>>>>> $FileGroup adm
>>>>>>> $FileCreateMode 0640
>>>>>>> $DirCreateMode 0755
>>>>>>> $Umask 0022
>>>>>>> $PrivDropToUser syslog
>>>>>>> $PrivDropToGroup adm
>>>>>>> 
>>>>>>> #
>>>>>>> # Where to place spool files
>>>>>>> #
>>>>>>> $WorkDirectory /var/spool/rsyslog
>>>>>>> 
>>>>>>> #
>>>>>>> # Include all config files in /etc/rsyslog.d/
>>>>>>> #
>>>>>>> $IncludeConfig /etc/rsyslog.d/*.conf
>>>>>>> 
>>>>>>> # This one is the template to generate the log filename dynamically,
>>> depending on the client's IP address.
>>>>>>> $template
>>> %RemoteHost,,"/var/log/remote/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"
>>>>>> 
>>>>>> this template is by hostname, not client IP, you would use
>>> %fromhost-ip% instead of %hostname% if you want it by IP
>>>>>> 
>>>>>> but it really doesn't matter since you don't have anything that uses
>>> this template. I also think that you can't use % in a template name, and
>>> should only have one ,
>>>>>> 
>>>>>> as a result, I'm pretty sure that you get errors about being unable to
>>> parse the config file when you startup.
>>>>> 
>>>>> Actually, I'm not getting any errors on start up. rsyslog starts up
>>> just fine.
>>>> 
>>>> are you sure? double check that it's not logging anything about errors
>>> at startup time. that line just doesn't look right. I also don't see any
>>> place that you are trying to use this template.
>>> 
>>> Nothing in the log, honest:
>>> 
>>> Feb 19 14:25:10 bundt rsyslogd: [origin software="rsyslogd"
>>> swVersion="7.4.10" x-pid="31532" x-info="http://www.rsyslog.com"] start
>>> Feb 19 14:25:10 bundt rsyslogd: rsyslogd's groupid changed to 4
>>> Feb 19 14:25:10 bundt rsyslogd: rsyslogd's userid changed to 101
>>> 
>>>> 
>>>>>> 
>>>>>>> 
>>>>>>> Client rsyslog config:
>>>>>>> 
>>>>>>> # $ModLoad imfile
>>>>>>> $ModLoad imuxsock # provides support for local system logging
>>>>>>> $ModLoad imklog   # provides kernel logging support (previously done
>>> by rklogd)
>>>>>>> # $ModLoad immark  # provides --MARK-- message capability
>>>>>>> 
>>>>>>> # Watch /var/log/ejabberd/ejabberd.log
>>>>>>> module(load="imfile" PollingInterval="10")
>>>>>>> input(type="imfile"
>>>>>>>     File="/var/log/ejabberd/ejabberd.log"
>>>>>>>     Tag="ejabberd:"
>>>>>>>     StateFile="state-ejabberd"
>>>>>>>     Severity="info"
>>>>>>>     Facility="local6"
>>>>>>>     )
>>>>>>> 
>>>>>>> # Provides UDP forwarding. The IP is the server's IP address
>>>>>>> # *.* @54.227.155.34:514
>>>>>>> 
>>>>>>> # Provides TCP forwarding. But the current server runs on UDP
>>>>>>> *.* @@devil.walkingservers.net:10514
>>>>>>> 
>>>>>>> # provides UDP syslog reception
>>>>>>> #$ModLoad imudp
>>>>>>> #$UDPServerRun 514
>>>>>>> 
>>>>>>> # provides TCP syslog reception
>>>>>>> #$ModLoad imtcp
>>>>>>> #$InputTCPServerRun 514
>>>>>>> 
>>>>>>> 
>>>>>>> ###########################
>>>>>>> #### GLOBAL DIRECTIVES ####
>>>>>>> ###########################
>>>>>>> 
>>>>>>> #
>>>>>>> # Use traditional timestamp format.
>>>>>>> # To enable high precision timestamps, comment out the following line.
>>>>>>> #
>>>>>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>>>>>>> 
>>>>>>> # Filter duplicated messages
>>>>>>> $RepeatedMsgReduction on
>>>>>>> 
>>>>>>> #
>>>>>>> # Set the default permissions for all log files.
>>>>>>> #
>>>>>>> $FileOwner syslog
>>>>>>> $FileGroup adm
>>>>>>> $FileCreateMode 0640
>>>>>>> $DirCreateMode 0755
>>>>>>> $Umask 0022
>>>>>>> $PrivDropToUser syslog
>>>>>>> $PrivDropToGroup adm
>>>>>>> 
>>>>>>> #
>>>>>>> # Where to place spool files
>>>>>>> #
>>>>>>> $WorkDirectory /var/spool/rsyslog
>>>>>>> 
>>>>>>> #
>>>>>>> $IncludeConfig /etc/rsyslog.d/*.conf
>>>>>>> 
>>>>>>> 
>>>>>>> Can someone kick me in the direction of where I'm screwing up?
>>>>>> 
>>>>>> In general, you should put global directives before any output. I
>>> don't know if that matters or not
>>>>>> 
>>>>>> I don't know if there is anything being added by the include lines.
>>>>>> 
>>>>>> 
>>>>>> so, this sends logs from the client to the server, using the default
>>> format (because you haven't specified anything), and the server then writes
>>> them to /var/log/<hostname>.log files
>>>>>> 
>>>>>> now, you do set the logs you read from the file to the facility
>>> local6, so you could filter on that on the server if you want them written
>>> separately
>>>>>> 
>>>>>> but, what is it that you think should be happening with this config?
>>> and what is actually happening?
>>>>> 
>>>>> Long story short, I'd like the ejabberd.log file to go to
>>> /var/log/remotes/$hostname/ejabberd.log as well as have the remote syslog
>>> file go to the same place on the rsyslog server. I'll fully admit, I'm new
>>> to rsyslog. I've tried the docs, but there seems to be such a vast way of
>>> doing things like this between v5 and v7, I'm all turned around and not
>>> sure exactly what the right way is.
>>>> 
>>>> Ok, in this case, the easy thing to do on the server is
>>>> 
>>>> $template ejabberd,"/var/log/remotes/%hostname%/ejabberd.log"
>>>> if $syslogtag == "ejabberd:" then ?ejabberd
>>>> 
>>>> this creates the template for the filename, then when it sees anything
>>> with the syslog tag of ejabberd: (what you set on the client), it writes it
>>> to that log. This will also show up in any other logs that have rules that
>>> match this. If you don't want these logs to show up anywhere else, you can
>>> do
>>>> 
>>>> if $syslogtag == "ejabberd:" then { ?ejabberd
>>>>                                   stop }
>>>> 
>>>> or, in v5 compatible language
>>>> 
>>>> if $syslogtag == "ejabberd:" then ?ejabberd
>>>> & ~
>>>> 
>>> 
>>> I must be extra slow and dense. I added this into the rsyslog.conf file,
>>> under the module loading bit, and still nothing showing up. Now that I
>>> think about it for a bit, the ejabberd.log has long entries. By that I
>>> mean, the entries are not one liners, but more multi line paragraphs. Would
>>> that bork what I'm trying to do?
>>> 
>>> 
>>> 
>>>> when looking at the docs, what you will typically see is that the v7
>>> format groups all the parameters together in one statement, while the older
>>> format requires that you set a bunch of parameters before each action, and
>>> some parameters only affect the next action while others have longer
>>> lasting effects. This can get rather confusing in complex setups, which is
>>> why the v7 format added the new way of describing complex stuff.
>>>> 
>>>> side note: you probably don't really want RepeatedMsgReduction turned
>>> on. what that does is that if a system logs the same message repeatedly,
>>> instead of showing all the messages, you get a log entry "last message
>>> repeated 13 times", but it can be hard to figure out what that last message
>>> was (rsyslog has an option that puts the beginning of that log message
>>> after the "last message text"). Also, all the tools that you would use for
>>> alerting will want to see the actual messages, "last message repeated" just
>>> confuses them.
>>>> 
>>>> we should probably add to the documentation to discourage use of that
>>> parameter.
>>> 

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
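Added example (Python; not code from the thread or from the rsyslog project). Rainer's diagnosis above is that the Ubuntu default config drops privileges while the file system has the wrong permissions, and the thread's resolution was to comment out the privilege drop on the client, which leaves rsyslogd running as root. The script below keeps the drop and instead audits a legacy-format rsyslog.conf for what the drop target needs: it parses the $PrivDropToUser/$PrivDropToGroup, $WorkDirectory and $template directives, computes the fixed directory prefix of each file template, checks that the drop user or group can write and search each of those directories, and flags the malformed "$template %RemoteHost,," header David questions. Assumptions: only the legacy "$Directive value" syntax is parsed (module()/input() blocks are ignored); SAMPLE_CONF copies the thread's server directives with the wrapped template line joined; demo() works on constructed directories under a temp dir and uses the current uid/gid as the drop target through the numeric $PrivDropToUserID/$PrivDropToGroupID directives; the permission check looks only at the owner/group/other bits and ignores ACLs and supplementary groups.

```python
"""Added example, not from the thread or the rsyslog project: audits a legacy-format
rsyslog.conf for the failure the thread ends on, rsyslogd dropping to
$PrivDropToUser/$PrivDropToGroup and then being unable to write the directories its
file templates and $WorkDirectory name.  Assumed: legacy '$Directive value' syntax
only; SAMPLE_CONF copies the thread's server directives (wrapped $template line
joined); demo() uses constructed temp dirs and the current uid/gid as drop target."""
import grp, os, pwd, re, stat, tempfile

SAMPLE_CONF = """
$WorkDirectory /var/spool/rsyslog
$PrivDropToUser syslog
$PrivDropToGroup adm
$template DynaFile,"/var/log/remote/%HOSTNAME%.log"
$template %RemoteHost,,"/var/log/remote/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"
"""
TEMPLATE_RE = re.compile(r'^\$template\s+([^"]*)"([^"]*)"')
DIRECTIVE_RE = re.compile(r'^\$(\w+)\s+(\S+)')
NAME_RE = re.compile(r'[A-Za-z0-9_-]+\s*,')  # a plain name and exactly one comma

def parse_conf(text):
    """Return (directives, templates, errors) parsed from legacy-format text."""
    directives, templates, errors = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if (m := TEMPLATE_RE.match(line)):
            header = m.group(1).strip()
            if NAME_RE.fullmatch(header):
                templates[header.rstrip(' ,')] = m.group(2)
            else:
                errors.append(f'malformed $template header {header!r}: '
                              'expected a plain name followed by one comma')
        elif (m := DIRECTIVE_RE.match(line)):
            directives[m.group(1).lower()] = m.group(2)
    return directives, templates, errors

def static_dir(fmt):
    """Fixed directory prefix of a dynafile template (rsyslogd must create entries there)."""
    prefix = fmt.split('%', 1)[0]
    if prefix.endswith('/'):
        return prefix.rstrip('/') or '/'
    return os.path.dirname(prefix) or '/'

def required_dirs(directives, templates):
    """Spool directory plus the fixed prefix of every absolute-path template."""
    dirs = {static_dir(f) for f in templates.values() if f.startswith('/')}
    if 'workdirectory' in directives:
        dirs.add(directives['workdirectory'].rstrip('/') or '/')
    return sorted(dirs)

def check_dir(path, user, group):
    """Problems (empty == fine) with one dir as seen by user:group, the post-drop identity."""
    try:
        uid = int(user) if user.isdigit() else pwd.getpwnam(user).pw_uid
        gid = int(group) if group.isdigit() else grp.getgrnam(group).gr_gid
        st = os.stat(path)
    except KeyError as exc:
        return [f'{path}: drop target {user}:{group} does not exist ({exc})']
    except FileNotFoundError:
        return [f'{path}: missing; parent must be writable by {user}:{group} for rsyslogd to create it']
    # Pick the owner, group or other permission triple; need write + search bits.
    shift = 6 if st.st_uid == uid else 3 if st.st_gid == gid else 0
    if (st.st_mode >> shift) & 0o3 != 0o3:
        return [f'{path}: mode {stat.S_IMODE(st.st_mode):04o} uid {st.st_uid} gid {st.st_gid}, '
                f'not writable by {user}:{group}; chown/chmod it rather than disabling the drop']
    return []

def audit(conf_text):
    """All findings for one config text (empty list == nothing to fix)."""
    directives, templates, findings = parse_conf(conf_text)
    user = directives.get('privdroptouser') or directives.get('privdroptouserid')
    group = directives.get('privdroptogroup') or directives.get('privdroptogroupid')
    if user is None or group is None:
        findings.append('no privilege-drop directives: rsyslogd keeps running as root')
        return findings
    for d in required_dirs(directives, templates):
        findings.extend(check_dir(d, user, group))
    return findings

def demo():
    """Constructed fixture: writable spool, read-only 'remote', absent 'archive', plus
    the thread's malformed template.  Findings: malformed, missing archive, unwritable remote."""
    root = tempfile.mkdtemp(prefix='rsyslog-audit-')
    os.mkdir(os.path.join(root, 'spool'), 0o755)
    os.mkdir(os.path.join(root, 'remote'))
    os.chmod(os.path.join(root, 'remote'), 0o555)
    conf = f"""
$WorkDirectory {root}/spool
$PrivDropToUserID {os.getuid()}
$PrivDropToGroupID {os.getgid()}
$template DynaFile,"{root}/remote/%HOSTNAME%.log"
$template ejabberd,"{root}/archive/%HOSTNAME%/ejabberd.log"
$template %RemoteHost,,"{root}/remote/%HOSTNAME%/%$YEAR%/syslog.log"
"""
    return audit(conf)
```

On a real host, call audit(open('/etc/rsyslog.conf').read()) as root so the stat calls can see every directory; an empty list means the drop target can already write everything the config names, and each 'not writable' or 'missing' finding names the directory to chown or chmod so that the $PrivDropToUser/$PrivDropToGroup lines can stay in place. demo() exercises the same logic offline on the constructed temp directories.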
