A couple of things.

First, rsyslog 3.22 is extremely ancient; there are a lot of features that just didn't exist back then. I think that rulesets were one of them.

The current version is 8.x.

Second, I think you need to put the lines that bind rulesets above the lines that listen to the inputs, and way before any processing of data.

Version 8 also supports the newer config syntax that makes complex setups like yours much easier to figure out.

David Lang

On Tue, 2 Sep 2014, Makimoto wrote:

Date: Tue, 2 Sep 2014 10:08:44 +0100
From: Makimoto <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: [email protected]
Subject: [rsyslog] could not interpret master config file

Hi

New to rsyslog, and trying to replace syslog-ng.
This is swVersion="3.22.1" on CentOS 5.4.

So I'm trying to move off UDP to TCP.
Based my config on:

http://www.rsyslog.com/storing-and-forwarding-remote-messages/

But I'm getting more problems than expected, the main one is this:

2014-09-02T09:34:38.251444+01:00 accentor2 rsyslogd: [origin software="rsyslogd" swVersion="3.22.1" x-pid="25625" x-info="http://www.rsyslog.com"] (re)start
2014-09-02T09:34:38.250067+01:00 accentor2 rsyslogd-3003: invalid or yet-unknown config file command - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
2014-09-02T09:34:38.250190+01:00 accentor2 rsyslogd: the last error occured in /etc/rsyslog.conf, line 50
2014-09-02T09:34:38.250208+01:00 accentor2 rsyslogd-3003: invalid or yet-unknown config file command - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
2014-09-02T09:34:38.250219+01:00 accentor2 rsyslogd: the last error occured in /etc/rsyslog.conf, line 54
2014-09-02T09:34:38.250233+01:00 accentor2 rsyslogd-3003: invalid or yet-unknown config file command - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
2014-09-02T09:34:38.250238+01:00 accentor2 rsyslogd: the last error occured in /etc/rsyslog.conf, line 58
2014-09-02T09:34:38.250667+01:00 accentor2 rsyslogd-3003: invalid or yet-unknown config file command - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
2014-09-02T09:34:38.250675+01:00 accentor2 rsyslogd: the last error occured in /etc/rsyslog.conf, line 61
2014-09-02T09:34:38.250682+01:00 accentor2 rsyslogd-3003: invalid or yet-unknown config file command - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
2014-09-02T09:34:38.250692+01:00 accentor2 rsyslogd: the last error occured in /etc/rsyslog.conf, line 64
2014-09-02T09:34:38.250826+01:00 accentor2 rsyslogd-2123: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2123 ]

The offending lines for your convenience are:

50  $RuleSet remoteTCP
54  $RuleSet remoteUDP
58  $InputTCPServerBindRuleset remoteTCP
61  $TCPServerRun 601
64  $InputUDPServerBindRuleset remoteUDP

The whole config file looks like this:

# Use traditional timestamp format
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Provides kernel logging support (previously done by rklogd)
$ModLoad imklog

# Provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock

# Provides TCP syslog reception
$ModLoad imtcp

# Provides UDP syslog reception
$ModLoad imudp

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                  /dev/console
kern.*                                                  /var/log/kernel_msg.log

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/rmessages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

##### receive and store syslog messages

# template
$template Remotetcp,"/var/log/messages/%$YEAR%/%$MONTH%/%$YEAR%%$MONTH%%$DAY%.tcp.log"
$template Remoteudp,"/var/log/messages/%$YEAR%/%$MONTH%/%$YEAR%%$MONTH%%$DAY%.udp.log"

# Remote Logging
$RuleSet remoteTCP
*.* ?Remotetcp

# Remote Logging
$RuleSet remoteUDP
*.* ?Remoteudp

# bind ruleset to tcp listener
$InputTCPServerBindRuleset remoteTCP
# and activate it:
$InputTCPServerRun 601
$TCPServerRun 601

# bind ruleset to udp listener
$InputUDPServerBindRuleset remoteUDP
# and activate it:
$InputTCPServerRun 514
$UDPServerRun 514


I am invoking rsyslogd with -c3

If anyone is wondering why 2 listeners, I need to listen on UDP until I
install rsyslog on a couple of client boxes and send the logs over TCP.
Then UDP will hopefully be gone.

Any help appreciated.



_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
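
The newer config syntax mentioned in the reply above, shown as an added example that is not part of either post and is not the rsyslog project's own sample: it expresses the remote-reception part of the posted config (two listeners, two rulesets, two file templates) for rsyslog 8.x. Ruleset names, template names, ports and paths are taken from the posted config; mapping each "*.* ?Template" rule to an omfile action with dynaFile is this example's assumption about the intended behaviour.

```rsyslog
# Added example for rsyslog 8.x (not from the original thread).
# Covers only the remote-reception section of the posted config.

# Input modules must be loaded before any input() that uses them.
module(load="imtcp")
module(load="imudp")

# Per-day output files, same paths as the $template lines in the post.
template(name="Remotetcp" type="string"
         string="/var/log/messages/%$YEAR%/%$MONTH%/%$YEAR%%$MONTH%%$DAY%.tcp.log")
template(name="Remoteudp" type="string"
         string="/var/log/messages/%$YEAR%/%$MONTH%/%$YEAR%%$MONTH%%$DAY%.udp.log")

# Each ruleset is a self-contained block, so there is no ordering
# dependency between a "$RuleSet" line and the rules that follow it.
# Assumption: every message received by the listener goes to the
# dynamic file, as "*.* ?Remotetcp" did in the legacy syntax.
ruleset(name="remoteTCP") {
    action(type="omfile" dynaFile="Remotetcp")
}

ruleset(name="remoteUDP") {
    action(type="omfile" dynaFile="Remoteudp")
}

# The ruleset is bound in the same statement that starts the listener,
# so a listener cannot come up attached to the default ruleset by
# mistake and mix remote messages into the local log files.
input(type="imtcp" port="601" ruleset="remoteTCP")
input(type="imudp" port="514" ruleset="remoteUDP")
```

Running rsyslogd -N1 -f against the file checks that it parses without starting the daemon, which catches errors like the ones above before a restart leaves the collector not receiving logs.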
