On Wed, Feb 19, 2014 at 4:02 PM, David Lang <[email protected]> wrote:

> On Wed, 19 Feb 2014, Rainer Gerhards wrote:
>
>> are you on ubuntu? Their default config drops privileges, but the file
>> system has wrong perms. Suggest to try running as root, at least for a
>> try.
>>
>
> good point, is this something we can fix in the PPA?
>
>
partly... the real problem is that other packages (like logrotate) need to
be fixed as well. But it would be great if someone would have a look at
that all..

Rainer

> David Lang
>
>
>
>> Rainer
>>
>>
>> On Wed, Feb 19, 2014 at 3:30 PM, Chris Mann <[email protected]>
>> wrote:
>>
>>
>>> On Feb 19, 2014, at 8:33 AM, David Lang <[email protected]> wrote:
>>>
>>>  On Wed, 19 Feb 2014, Chris Mann wrote:
>>>>
>>>>  On Feb 18, 2014, at 8:08 PM, David Lang <[email protected]> wrote:
>>>>>
>>>>>  On Tue, 18 Feb 2014, Chris Mann wrote:
>>>>>>
>>>>>>> Hello all,
>>>>>>>
>>>>>>> I'm trying to send a custom log file that our program generates to
>>>>>>> the remote rsyslog server, with little to no luck. Ideally, I'd like to
>>>>>>> have that log sent to its own file and not mixed in with the syslog
>>>>>>> traffic.
>>>>>>>
>>>>>>> We're using Ubuntu 12.04LTS
>>>>>>>
>>>>>>
>>>>>> So, if you are using the default version of rsyslog, this is old
>>>>>> enough that it's unsupported by the community (but your issue is probably
>>>>>> not version dependent), what version is running?
>>>>>>
>>>>> I'm running v7 stable from the adiscon apt-get repo.
>>>>>
>>>>
>>>> Ok, that helps
>>>>
>>>>
>>>>>>> Server rsyslog server config:
>>>>>>>
>>>>>>> $ModLoad imuxsock # provides support for local system logging
>>>>>>> $ModLoad imklog   # provides kernel logging support (previously done by rklogd)
>>>>>>> $ModLoad immark  # provides --MARK-- message capability
>>>>>>>
>>>>>>> # provides UDP syslog reception
>>>>>>> #$ModLoad imudp
>>>>>>> #$UDPServerRun 514
>>>>>>>
>>>>>>> # provides TCP syslog reception
>>>>>>> $ModLoad imtcp
>>>>>>> $InputTCPServerRun 10514
>>>>>>>
>>>>>>
>>>>>> why use an odd port like this instead of using the standard 514 port?
>>>>>>
>>>>>
>>>>> Just preference and as Rainer said, 514 is used by something else :).
>>>>>
>>>>>
>>>>>>> $template DynaFile,"/var/log/remote/%HOSTNAME%.log"
>>>>>>> *.* -?DynaFile
>>>>>>>
>>>>>>
>>>>>> ok, this logs everything into per hostname files, with no filtering
>>>>>> ahead of it.
>>>>>>
>>>>>>> ###########################
>>>>>>> #### GLOBAL DIRECTIVES ####
>>>>>>> ###########################
>>>>>>>
>>>>>>> #
>>>>>>> # Use traditional timestamp format.
>>>>>>> # To enable high precision timestamps, comment out the following line.
>>>>>>> #
>>>>>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>>>>>>>
>>>>>>> # Filter duplicated messages
>>>>>>> $RepeatedMsgReduction on
>>>>>>>
>>>>>>> #
>>>>>>> # Set the default permissions for all log files.
>>>>>>>
>>>>>>> $FileOwner syslog
>>>>>>> $FileGroup adm
>>>>>>> $FileCreateMode 0640
>>>>>>> $DirCreateMode 0755
>>>>>>> $Umask 0022
>>>>>>> $PrivDropToUser syslog
>>>>>>> $PrivDropToGroup adm
>>>>>>>
>>>>>>> #
>>>>>>> # Where to place spool files
>>>>>>> #
>>>>>>> $WorkDirectory /var/spool/rsyslog
>>>>>>>
>>>>>>> #
>>>>>>> # Include all config files in /etc/rsyslog.d/
>>>>>>> #
>>>>>>> $IncludeConfig /etc/rsyslog.d/*.conf
>>>>>>>
>>>>>>> # This one is the template to generate the log filename dynamically, depending on the client's IP address.
>>>>>>> $template %RemoteHost,,"/var/log/remote/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"
>>>>>>>
>>>>>> this template is by hostname, not client IP, you would use
>>>>>> %fromhost-ip% instead of %hostname% if you want it by IP
>>>>>>
>>>>>> but it really doesn't matter since you don't have anything that uses
>>>>>> this template. I also think that you can't use % in a template name, and
>>>>>> should only have one ,
>>>>>>
>>>>>> as a result, I'm pretty sure that you get errors about being unable to
>>>>>> parse the config file when you startup.
>>>>>>
>>>>> Actually, I'm not getting any errors on start up. rsyslog starts up
>>>>> just fine.
>>>>>
>>>> are you sure? double check that it's not logging anything about errors
>>>> at startup time. that line just doesn't look right. I also don't see any
>>>> place that you are trying to use this template.
>>>>
>>> Nothing in the log, honest:
>>>
>>> Feb 19 14:25:10 bundt rsyslogd: [origin software="rsyslogd"
>>> swVersion="7.4.10" x-pid="31532" x-info="http://www.rsyslog.com"] start
>>> Feb 19 14:25:10 bundt rsyslogd: rsyslogd's groupid changed to 4
>>> Feb 19 14:25:10 bundt rsyslogd: rsyslogd's userid changed to 101
>>>
>>>
>>>>
>>>>>>
>>>>>>> Client rsyslog config:
>>>>>>>
>>>>>>> # $ModLoad imfile
>>>>>>> $ModLoad imuxsock # provides support for local system logging
>>>>>>> $ModLoad imklog   # provides kernel logging support (previously done by rklogd)
>>>>>>> # $ModLoad immark  # provides --MARK-- message capability
>>>>>>>
>>>>>>> # Watch /var/log/ejabberd/ejabberd.log
>>>>>>> module(load="imfile" PollingInterval="10")
>>>>>>> input(type="imfile"
>>>>>>>      File="/var/log/ejabberd/ejabberd.log"
>>>>>>>      Tag="ejabberd:"
>>>>>>>      StateFile="state-ejabberd"
>>>>>>>      Severity="info"
>>>>>>>      Facility="local6"
>>>>>>>      )
>>>>>>>
>>>>>>> # Provides UDP forwarding. The IP is the server's IP address
>>>>>>> # *.* @54.227.155.34:514
>>>>>>>
>>>>>>> # Provides TCP forwarding. But the current server runs on UDP
>>>>>>> *.* @@devil.walkingservers.net:10514
>>>>>>>
>>>>>>> # provides UDP syslog reception
>>>>>>> #$ModLoad imudp
>>>>>>> #$UDPServerRun 514
>>>>>>>
>>>>>>> # provides TCP syslog reception
>>>>>>> #$ModLoad imtcp
>>>>>>> #$InputTCPServerRun 514
>>>>>>>
>>>>>>>
>>>>>>> ###########################
>>>>>>> #### GLOBAL DIRECTIVES ####
>>>>>>> ###########################
>>>>>>>
>>>>>>> #
>>>>>>> # Use traditional timestamp format.
>>>>>>> # To enable high precision timestamps, comment out the following line.
>>>>>>> #
>>>>>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>>>>>>>
>>>>>>> # Filter duplicated messages
>>>>>>> $RepeatedMsgReduction on
>>>>>>>
>>>>>>> #
>>>>>>> # Set the default permissions for all log files.
>>>>>>> #
>>>>>>> $FileOwner syslog
>>>>>>> $FileGroup adm
>>>>>>> $FileCreateMode 0640
>>>>>>> $DirCreateMode 0755
>>>>>>> $Umask 0022
>>>>>>> $PrivDropToUser syslog
>>>>>>> $PrivDropToGroup adm
>>>>>>>
>>>>>>> #
>>>>>>> # Where to place spool files
>>>>>>> #
>>>>>>> $WorkDirectory /var/spool/rsyslog
>>>>>>>
>>>>>>> #
>>>>>>> $IncludeConfig /etc/rsyslog.d/*.conf
>>>>>>>
>>>>>>>
>>>>>>> Can someone kick me in the direction of where I'm screwing up?
>>>>>>>
>>>>>>
>>>>>> In general, you should put global directives before any output. I
>>>>>> don't know if that matters or not
>>>>>>
>>>>>> I don't know if there is anything being added by the include lines.
>>>>>>
>>>>>> so, this sends logs from the client to the server, using the default
>>>>>> format (because you haven't specified anything), and the server then writes
>>>>>> them to /var/log/<hostname>.log files
>>>>>>
>>>>>> now, you do set the logs you read from the file to the facility
>>>>>> local6, so you could filter on that on the server if you want them written
>>>>>> separately
>>>>>>
>>>>>> but, what is it that you think should be happening with this config?
>>>>>> and what is actually happening?
>>>>>>
>>>>> Long story short, I'd like the ejabberd.log file to go to
>>>>> /var/log/remotes/$hostname/ejabberd.log as well as have the remote syslog
>>>>> file go to the same place on the rsyslog server. I'll fully admit, I'm new
>>>>> to rsyslog. I've tried the docs, but there seems to be such a vast way of
>>>>> doing things like this between v5 and v7, I'm all turned around and not
>>>>> sure exactly what the right way is.
>>>>>
>>>> Ok, in this case, the easy thing to do on the server is
>>>>
>>>> $template ejabberd,"/var/log/remotes/%hostname%/ejabberd.log"
>>>> if $syslogtag == "ejabberd:" then ?ejabberd
>>>>
>>>> this creates the template for the filename, then when it sees anything
>>>> with the syslog tag of ejabberd: (what you set on the client), it writes it
>>>> to that log. This will also show up in any other logs that have rules that
>>>> match this. If you don't want these logs to show up anywhere else, you can
>>>> do
>>>>
>>>> if $syslogtag == "ejabberd:" then { ?ejabberd
>>>>                                    stop }
>>>>
>>>> or, in v5 compatible language
>>>>
>>>> if $syslogtag == "ejabberd:" then ?ejabberd
>>>> & ~
>>>>
>>>>
>>> I must be extra slow and dense. I added this into the rsyslog.conf file,
>>> under the module loading bit, and still nothing showing up. Now that I
>>> think about it for a bit, the ejabberd.log has long entries. By that I
>>> mean, the entries are not one liners, but more multi line paragraphs. Would
>>> that bork what I'm trying to do?
>>>
>>>
>>>
>>>> when looking at the docs, what you will typically see is that the v7
>>>> format groups all the parameters together in one statement, while the older
>>>> format requires that you set a bunch of parameters before each action, and
>>>> some parameters only affect the next action while others have longer
>>>> lasting effects. This can get rather confusing in complex setups, which is
>>>> why the v7 format added the new way of describing complex stuff.
>>>>
>>>> side note: you probably don't really want RepeatedMsgReduction turned
>>>> on. what that does is that if a system logs the same message repeatedly,
>>>> instead of showing all the messages, you get a log entry "last message
>>>> repeated 13 times", but it can be hard to figure out what that last message
>>>> was (rsyslog has an option that puts the beginning of that log message
>>>> after the "last message text"). Also, all the tools that you would use for
>>>> alerting will want to see the actual messages, "last message repeated" just
>>>> confuses them.
>>>>
>>>> we should probably add to the documentation to discourage use of that
>>>> parameter.
>>>>
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> DON'T LIKE THAT.
>>>
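The permission problem raised at the top of this message, as an added example that is not part of the thread: a shell check of whether the identity rsyslog drops to can create files at the point where a dynaFile path first needs a new directory. The function names are made up for this example; it assumes GNU stat and looks only at mode bits, uid and primary gid. The template and the ids 101 and 4 are taken from the quoted config and startup log.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (as on Ubuntu) and
# checks mode bits against uid and primary gid only (no ACLs, no
# supplementary groups). Function names are hypothetical.

# create_point TEMPLATE: print the deepest existing directory above a
# dynaFile template, i.e. where rsyslog must create the first missing part.
create_point() {
    case $1 in /*) ;; *) return 2 ;; esac   # absolute paths only
    p=${1%%\%*}     # cut at the first %property%
    p=${p%/*}       # drop whatever follows the last /
    while [ -n "$p" ] && [ ! -d "$p" ]; do p=${p%/*}; done
    printf '%s\n' "${p:-/}"
}

# can_create DIR UID GID: 0 if that identity has write+search on DIR,
# 1 if it does not, 2 if DIR cannot be inspected.
can_create() {
    meta=$(stat -c '%u %g %a' "$1" 2>/dev/null) || return 2
    want_uid=$2 want_gid=$3
    set -- $meta                          # $1=owner uid $2=owner gid $3=octal mode
    [ "$want_uid" -eq 0 ] && return 0     # root is not limited by mode bits
    perm=$(( 0$3 ))                       # leading 0: parse as octal
    if [ "$want_uid" -eq "$1" ]; then bits=$(( (perm >> 6) & 7 ))
    elif [ "$want_gid" -eq "$2" ]; then bits=$(( (perm >> 3) & 7 ))
    else bits=$(( perm & 7 )); fi
    [ $(( bits & 3 )) -eq 3 ]             # need w (2) and x (1)
}

# Template from the thread; uid 101 / gid 4 are the ids in the quoted startup log.
tpl='/var/log/remotes/%hostname%/ejabberd.log'
dir=$(create_point "$tpl")
if can_create "$dir" 101 4; then
    echo "uid 101/gid 4 can create files under $dir"
else
    echo "uid 101/gid 4 cannot create under $dir; pre-create the tree with matching ownership"
fi
```

Running it on the log server before restarting rsyslog shows whether the per-host directories can be created after the privilege drop, without having to run the daemon as root to find out.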