On Wed, 3 Sep 2014, James Lay wrote:
On 2014-09-03 12:51, David Lang wrote:
I suspect that you need to define a working directory, but the best
thing to do is to start rsyslog manually with the -dn flags to see if
there are any errors reported (there will be a lot of output, but if
you search for bro_conn you should find things).
David Lang
On Wed, 3 Sep 2014, James Lay wrote:
So...I'm kind of at my wits' end here. All I'm trying to do is get rsyslog
to read an additional file and it is just not working. I've upgraded from
5 to 8 in the hopes that the version was too old, but still not working.
Current version:
rsyslogd 8.4.0, compiled with:
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: No
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
Number of Bits in RainerScript integers: 32 (due to too-old json-c lib)
/etc/rsyslog.conf:
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf
/etc/rsyslog.d/50-default.conf:
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
kern.* -/var/log/kern.log
mail.* -/var/log/mail.log
*.*;local7.none @10.x.x.y
mail.err /var/log/mail.err
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
*.emerg :omusrmsg:*
daemon.*;mail.*;\
news.err;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
/etc/rsyslog.d/10-bro.conf:
module(load="imfile" PollingInterval="1")
input(type="imfile"
File="/media/backup/bro/current/conn.log"
Tag="bro_conn"
StateFile="stat-bro_conn"
Severity="info"
Facility="local7")
local7.* @10.x.x.x:6514
The format of the above file is:
1409764958.802124 CI0hHTD52XaYNxUd8 fe80::792c:71a0:7d6a:a4d9 546 ff02::1:2 547 udp - 59.997854 515 0 S0 F 0 D 5 755 0 0 (empty)
I see the below in packet capturing when I restart rsyslog:
.<190>Sep 3 17:23:57 goidsdev bro_conn bawer 11:27:31.603706 IP 10.x.x.x.38320 > 10.x.x.x.6514: UDP, length 49
But that's it...I don't see anything like the file format above. My last
hope is that rsyslog.conf needs updating, but I'm not sure what exactly to
update. Please help...thanks.
James
Thanks for looking at this David. Did do the run with -dn...and this was
weird:
2775.846093282:main Q:Reg/w0 : omfile: write to stream, pData->pStrm 0x7fb2f0006a70, lenBuf 40, strt data Sep 3 19:32:55 idsdev bro_conn bawer
2775.846108479:main Q:Reg/w0 : omfile: write to stream, pData->pStrm 0x7fb2f0006a70, lenBuf 45, strt data Sep 3 19:32:55 idsdev bro_conn bawsdfsder
2775.846123676:main Q:Reg/w0 : omfile: write to stream, pData->pStrm 0x7fb2f0006a70, lenBuf 45, strt data Sep 3 19:32:55 idsdev bro_conn bawsdfsder
2775.846138861:main Q:Reg/w0 : omfile: write to stream, pData->pStrm 0x7fb2f0006a70, lenBuf 45, strt data Sep 3 19:32:55 idsdev bro_conn bawsdfsder
2775.846153625:main Q:Reg/w0 : omfile: write to stream, pData->pStrm 0x7fb2f0006a70, lenBuf 49, strt data Sep 3 19:32:55 idsdev bro_conn bawsdfdsdfsder
Looks like the old state file was still there:
2803.048667081:main thread : statefile: 'stat-bro_conn'
sudo cat stat-bro_conn
<Obj:1:strm:1:
+iCurrFNum:2:1:1:
+pszFName:1:15:/home/me/list:
+iMaxFiles:2:1:0:
+bDeleteOnClose:2:1:0:
+sType:2:1:2:
+tOperationsMode:2:1:1:
+tOpenMode:2:3:384:
+iCurrOffs:2:3:532:
+inode:2:7:3366928:
End
cat /home/me/list
ick
bawer
bawsdfsder
bawsdfsder
bawsdfsder
bawsdfdsdfsder
Thanks for the quick fix...live and learn I guess :) That being said, is
there anything else I should do to move to the version 8 rsyslog.conf? Wish
there was a converter online.
One nice thing about rsyslog is that the config is backwards compatible, so if
it works, there's no need to convert anything. If you find any part of the
config confusing, look at converting it to the new format.
Other than that, you can just leave it.
David Lang
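The root cause in the thread is a stale imfile state file: "stat-bro_conn" still pointed at /home/me/list, so rsyslog kept tailing that file instead of conn.log. The following is an added example, not code from the thread or from the rsyslog project: it parses the legacy "+name:type:len:value:" state-file format shown above and reports when the recorded path or inode no longer matches the configured File. The embedded state text is a constructed copy modelled on the one James posted (the length field is set to match the anonymised path), and the function and parameter names are my own.

```python
from typing import Dict, List, Optional

# Constructed sample modelled on the stat-bro_conn file from the thread.
# Legacy (pre-JSON) rsyslog object serialisation: one property per line,
# "+name:type:length:value:" where length is the byte length of value.
SAMPLE_STATE = """<Obj:1:strm:1:
+iCurrFNum:2:1:1:
+pszFName:1:13:/home/me/list:
+iMaxFiles:2:1:0:
+bDeleteOnClose:2:1:0:
+sType:2:1:2:
+tOperationsMode:2:1:1:
+tOpenMode:2:3:384:
+iCurrOffs:2:3:532:
+inode:2:7:3366928:
End
"""


def parse_state(text: str) -> Dict[str, str]:
    """Return the property lines of a legacy imfile state file as a dict of raw strings."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.startswith("+"):
            continue  # the "<Obj:...:" header and "End" trailer carry no properties
        name, _ptype, length, rest = line[1:].split(":", 3)
        n = int(length)
        value, trailer = rest[:n], rest[n:]
        if trailer != ":":  # length prefix must land exactly on the closing colon
            raise ValueError(f"length mismatch in state line: {line!r}")
        props[name] = value
    return props


def state_problems(text: str, configured_file: str,
                   live_inode: Optional[int] = None) -> List[str]:
    """List reasons a reused state file would make imfile read the wrong file.

    configured_file is the File= value from the input() stanza; live_inode is
    os.stat(configured_file).st_ino, passed in so the check stays offline.
    """
    p = parse_state(text)
    problems: List[str] = []
    tracked = p.get("pszFName")
    if tracked != configured_file:
        problems.append(f"state file tracks {tracked!r} but config says {configured_file!r}")
    if live_inode is not None and int(p.get("inode", -1)) != live_inode:
        problems.append(f"state inode {p.get('inode')} != live inode {live_inode}")
    return problems
```

A mismatch in either field means the StateFile name is being reused for a different file and the old state file should be removed (or the StateFile value changed) before restarting rsyslog.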
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog