On Fri, 15 Aug 2014, Ivan Lezhnjov IV wrote:

I think I have pinpointed the problem where even though *.* @@172.16.16.1:2514 was placed before any rules, the discard &~ affected it.

I used to have *.* @@172.16.16.1:2514 right above $IncludeConfig (I also tried every ridiculous option like Modules section, the very bottom of the /etc/rsyslog.conf file -- all producing the same effect). Only when I created /etc/rsyslog.d/10-send-to-remote.conf which contains a single line "*.* @@172.16.16.1:2514" it started to work as I expected it to.

So, my question to subscribers of this list now is if something like that is expected? If it is, it seems rather counterintuitive because if I place *.* @@172.16.16.1:2514 BEFORE $IncludeConfig I naturally assume that it will be treated as the first line preceding any rules contained in configuration include files.

I would expect the same thing, but there was a bug several years ago that got the include order wrong. If you are running v5, that could be the problem.

David Lang

Ivan


On Aug 13, 2014, at 11:17 PM, David Lang <[email protected]> wrote:

On Wed, 13 Aug 2014, Ivan Lezhnjov IV wrote:

I finally got around to this.

So, in my configuration, which is rather simple and doesn't differ from a 
default one much I do this:

:syslogtag, contains, "postgres"                        /var/log/postgresql.log
&~

*.*                                                     /var/log/syslog

*.* @@172.16.16.1:2514

I want PostgreSQL logs in a separate file (and only this one file), and to also 
send them to a remote server for further processing there. However, if I stop 
processing on the client with the discard command &~, they never get sent to 
the remote server.

After reading documentation (a while ago), I somehow was under impression that 
rsyslog would process rules in the order of their appearance in a configuration 
file.

they are.

So, I naturally tried to move the "*.* @@172.16.16.1:2514" line up and 
rearranged the order to the effect of this:


*.* @@172.16.16.1:2514

:syslogtag, contains, "postgres"                        /var/log/postgresql.log
&~

*.*                                                     /var/log/syslog

But it still wouldn't work. I would see /var/log/postgresql.log being written 
to on the client, but nothing arriving to the remote server.

If I do away with the &~, messages are logged to /var/log/postgresql.log, /var/log/syslog 
and are sent to the remote server. Regardless of where I place the "*.* 
@@172.16.16.1:2514" line, at the top or at the bottom of configuration file.

something is very wrong if removing & ~ affects lines prior to where it appears.

Now, this isn't something to be chased down in v5 since it's so old, but if you 
can duplicate that with v8 it will get attention real fast.

Unless there is some other way, it appears I need to use an 
expressions-based filter. I have another question regarding this, however. How 
does one express the *.* in an expression like this:

if $syslogfacility-text == '*.*' and not \
($syslogfacility-text == 'auth' or $syslogfacility-text == 'authpriv' \
or $syslogtag contains 'postgres') then /var/log/syslog

?

That clearly doesn't work, the *.* part.

correct, syslogfacility is the part before the . in *.*

but with v8, if you want *.* you can just leave it out

@@172.16.16.4:2514

David Lang

Ivan


On Aug 8, 2014, at 2:38 AM, David Lang <[email protected]> wrote:

On Fri, 8 Aug 2014, Ivan Lezhnjov IV wrote:

Just to be clear, is this configuration syntax supported by the legacy v5? 
Because that's all I can use.

that syntax is v8, you can do it in v5 but it would be a different syntax.

David Lang

Ivan

On Aug 7, 2014, at 10:19 PM, Eugene Istomin <[email protected]> wrote:

Hello,

if by 'directly' you mean just not to write a local text log -


if $hostname == $$myhostname and $programname == [ ....]
then {
        call send_log & stop
}

ruleset(name="send_log")
{
        action(type="om*" .....)
}


Of course, this should be written/included before any omfile/other local 
textlog actions.
---
Best regards,
Eugene Istomin

On Thursday, August 07, 2014 09:16:04 PM Ivan Lezhnjov IV wrote:
Hello,

I was wondering if it is possible to send messages that are coming in from
text files monitored by imfile directly to a remote server. That is, these
messages must never appear in any syslog log files on the client machine.

The reason I'm looking for this sort of configuration is because it strikes
me as redundant and utterly superfluous to duplicate other programs' log
file in syslog.

Ivan
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.
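An added example, not part of the original thread and not written by any of the posters: a v8 RainerScript configuration that covers both cases discussed above. It keeps imfile messages out of every local log by binding the input to its own ruleset, and it forwards PostgreSQL messages before they are written locally and stopped. The imfile path `/var/log/app/app.log`, the tag `app:` and the ruleset name `remote_only` are assumptions; the target 172.16.16.1:2514 and the local file names are taken from the thread.

```conf
# rsyslog v8 (RainerScript). Added example; not valid on v5.

module(load="imfile")

# Ruleset that only forwards. Messages bound to it never pass through
# the default ruleset, so they are not written to any local file.
ruleset(name="remote_only") {
    action(type="omfwd" target="172.16.16.1" port="2514" protocol="tcp")
}

# Hypothetical file and tag; bind the input to the forward-only ruleset.
input(type="imfile"
      File="/var/log/app/app.log"
      Tag="app:"
      ruleset="remote_only")

# Default ruleset: statements run top to bottom.
# PostgreSQL messages are forwarded first, then written to their own
# file, then processing stops so they do not reach /var/log/syslog.
if $syslogtag contains 'postgres' then {
    action(type="omfwd" target="172.16.16.1" port="2514" protocol="tcp")
    action(type="omfile" file="/var/log/postgresql.log")
    stop
}

# Everything else: local syslog file plus the remote server.
# No filter is needed for the equivalent of *.*
action(type="omfile" file="/var/log/syslog")
action(type="omfwd" target="172.16.16.1" port="2514" protocol="tcp")
```

Running `rsyslogd -N1` checks the configuration for syntax errors before the daemon is restarted.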
