So...I'm kind of at my wits' end here. All I'm trying to do is get rsyslog to read an additional file and it is just not working. I've upgraded from 5 to 8 in the hopes that the version was too old, but it's still not working. Current version:

rsyslogd 8.4.0, compiled with:
        FEATURE_REGEXP:                         Yes
        GSSAPI Kerberos 5 support:              No
        FEATURE_DEBUG (debug build, slow code): No
        32bit Atomic operations supported:      Yes
        64bit Atomic operations supported:      Yes
        memory allocator:                       system default
        Runtime Instrumentation (slow code):    No
        uuid support:                           Yes
Number of Bits in RainerScript integers: 32 (due to too-old json-c lib)


/etc/rsyslog.conf:
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf


/etc/rsyslog.d/50-default.conf:
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
kern.*                          -/var/log/kern.log
mail.*                          -/var/log/mail.log
*.*;local7.none                 @10.x.x.y
mail.err                        /var/log/mail.err
news.crit                       /var/log/news/news.crit
news.err                        /var/log/news/news.err
news.notice                     -/var/log/news/news.notice
*.emerg                                :omusrmsg:*
daemon.*;mail.*;\
        news.err;\
        *.=debug;*.=info;\
        *.=notice;*.=warn       |/dev/xconsole


/etc/rsyslog.d/10-bro.conf:
module(load="imfile" PollingInterval="1")

input(type="imfile"
      File="/media/backup/bro/current/conn.log"
      Tag="bro_conn"
      StateFile="stat-bro_conn"
      Severity="info"
      Facility="local7")
local7.* @10.x.x.x:6514


The format of the above file is:

1409764958.802124 CI0hHTD52XaYNxUd8 fe80::792c:71a0:7d6a:a4d9 546 ff02::1:2 547 udp - 59.997854 515 0 S0 F 0 D 5 755 0 0 (empty)

I see the below in packet capturing when I restart rsyslog:
.<190>Sep 3 17:23:57 goidsdev bro_conn bawer 11:27:31.603706 IP 10.x.x.x.38320 > 10.x.x.x.6514: UDP, length 49

But that's it...I don't see anything like the file format above. My last hope is that rsyslog.conf needs updating, but I'm not sure what exactly to update. Please help..thanks.

James
