On Wed, 2014-09-03 at 15:27 -0700, David Lang wrote:

> On Wed, 3 Sep 2014, James Lay wrote:
>
> > On 2014-09-03 12:51, David Lang wrote:
> >
> >> I suspect that you need to define a working directory, but the best thing to do is to start rsyslog manually with the -dn flags to see if there are any errors reported (there will be a lot of output, but if you search for bro_conn you should find things)
> >>
> >> David Lang
> >>
> >> On Wed, 3 Sep 2014, James Lay wrote:
> >>
> >>> So...I'm kind of at my wit's end here. All I'm trying to do is get rsyslog to read an additional file and it is just not working. I've upgraded from 5 to 8 in the hopes that the version was too old, but still not working. Current version:
> >>>
> >>> rsyslogd 8.4.0, compiled with:
> >>> FEATURE_REGEXP: Yes
> >>> GSSAPI Kerberos 5 support: No
> >>> FEATURE_DEBUG (debug build, slow code): No
> >>> 32bit Atomic operations supported: Yes
> >>> 64bit Atomic operations supported: Yes
> >>> memory allocator: system default
> >>> Runtime Instrumentation (slow code): No
> >>> uuid support: Yes
> >>> Number of Bits in RainerScript integers: 32 (due to too-old json-c lib)
> >>>
> >>> /etc/rsyslog.conf:
> >>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> >>> $RepeatedMsgReduction on
> >>> $SystemLogRateLimitInterval 0
> >>> $SystemLogRateLimitBurst 0
> >>> $FileOwner syslog
> >>> $FileGroup adm
> >>> $FileCreateMode 0640
> >>> $DirCreateMode 0755
> >>> $Umask 0022
> >>> $PrivDropToUser syslog
> >>> $PrivDropToGroup syslog
> >>> $WorkDirectory /var/spool/rsyslog
> >>> $IncludeConfig /etc/rsyslog.d/*.conf
> >>>
> >>> /etc/rsyslog.d/50-default.conf:
> >>> auth,authpriv.* /var/log/auth.log
> >>> *.*;auth,authpriv.none -/var/log/syslog
> >>> kern.* -/var/log/kern.log
> >>> mail.* -/var/log/mail.log
> >>> *.*;local7.none @10.x.x.y
> >>> mail.err /var/log/mail.err
> >>> news.crit /var/log/news/news.crit
> >>> news.err /var/log/news/news.err
> >>> news.notice -/var/log/news/news.notice
> >>> *.emerg :omusrmsg:*
> >>> daemon.*;mail.*;\
> >>> news.err;\
> >>> *.=debug;*.=info;\
> >>> *.=notice;*.=warn |/dev/xconsole
> >>>
> >>> /etc/rsyslog.d/10-bro.conf:
> >>> module(load="imfile" PollingInterval="1")
> >>>
> >>> input(type="imfile"
> >>> File="/media/backup/bro/current/conn.log"
> >>> Tag="bro_conn"
> >>> StateFile="stat-bro_conn"
> >>> Severity="info"
> >>> Facility="local7")
> >>> local7.* @10.x.x.x:6514
> >>>
> >>> The format of the above file is:
> >>>
> >>> 1409764958.802124 CI0hHTD52XaYNxUd8 fe80::792c:71a0:7d6a:a4d9 546 ff02::1:2 547 udp - 59.997854 515 0 S0 F 0 D 5 755 0 0 (empty)
> >>>
> >>> I see the below in packet capturing when I restart rsyslog:
> >>> .<190>Sep 3 17:23:57 goidsdev bro_conn bawer 11:27:31.603706 IP 10.x.x.x.38320 > 10.x.x.x.6514: UDP, length 49
> >>>
> >>> But that's it...I don't see anything like the file format above. My last hope is that rsyslog.conf needs updating, but I'm not sure what exactly to update. Please help..thanks.
> >>>
> >>> James
> >
> > Thanks for looking at this David. Did do the run with -dn...and this was weird:
> >
> > 2775.846093282:main Q:Reg/w0 : omfile: write to stream, pData->pStrm 0x7fb2f0006a70, lenBuf 40, strt data Sep 3 19:32:55 idsdev bro_conn bawer
> > 2775.846108479:main Q:Reg/w0 : omfile: write to stream, pData->pStrm 0x7fb2f0006a70, lenBuf 45, strt data Sep 3 19:32:55 idsdev bro_conn bawsdfsder
> > 2775.846123676:main Q:Reg/w0 : omfile: write to stream, pData->pStrm 0x7fb2f0006a70, lenBuf 45, strt data Sep 3 19:32:55 idsdev bro_conn bawsdfsder
> > 2775.846138861:main Q:Reg/w0 : omfile: write to stream, pData->pStrm 0x7fb2f0006a70, lenBuf 45, strt data Sep 3 19:32:55 idsdev bro_conn bawsdfsder
> > 2775.846153625:main Q:Reg/w0 : omfile: write to stream, pData->pStrm 0x7fb2f0006a70, lenBuf 49, strt data Sep 3 19:32:55 idsdev bro_conn bawsdfdsdfsder
> >
> > looks like the old state file was still there:
> >
> > 2803.048667081:main thread : statefile: 'stat-bro_conn'
> >
> > sudo cat stat-bro_conn
> > <Obj:1:strm:1:
> > +iCurrFNum:2:1:1:
> > +pszFName:1:15:/home/me/list:
> > +iMaxFiles:2:1:0:
> > +bDeleteOnClose:2:1:0:
> > +sType:2:1:2:
> > +tOperationsMode:2:1:1:
> > +tOpenMode:2:3:384:
> > +iCurrOffs:2:3:532:
> > +inode:2:7:3366928:
> > >End
> >
> > cat /home/me/list
> > ick
> > bawer
> > bawsdfsder
> > bawsdfsder
> > bawsdfsder
> > bawsdfdsdfsder
> >
> > Thanks for the quick fix...live and learn I guess :) That being said, is there anything else I should do to move to the version 8 rsyslog.conf? Wish there was a converter online.
>
> One nice thing about rsyslog is that the config is backwards compatible, so if it works, there's no need to convert anything. If you find any part of the config confusing, look at converting it to the new format.
>
> Other than that, you can just leave it.
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Thanks again David..appreciate the help and feedback.

James
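The root cause in the thread is a stale imfile state file: `stat-bro_conn` under `$WorkDirectory` still pointed at `/home/me/list`, so rsyslog kept replaying that file instead of `conn.log`. The following is an added example (not code from the thread or from the rsyslog project) that parses the state-file layout quoted above and flags a mismatch against the configured `File=`; it assumes the `+name:type:len:value:` line layout generalises beyond the posted sample and deliberately ignores the length field, because the posted sample looks hand-edited (its `15` does not match the 13-character path).

```python
# Added example: detect a stale rsyslog imfile state file (legacy v8 layout
# as quoted in the thread). Assumed layout: "+name:type:len:value:"; type "2"
# is numeric. The length field is not trusted (the posted sample is edited).
import os
from typing import Dict, List, Optional

# Constructed from the state file quoted in the thread (sample input).
SAMPLE_STATE = """<Obj:1:strm:1:
+iCurrFNum:2:1:1:
+pszFName:1:15:/home/me/list:
+iMaxFiles:2:1:0:
+bDeleteOnClose:2:1:0:
+sType:2:1:2:
+tOperationsMode:2:1:1:
+tOpenMode:2:3:384:
+iCurrOffs:2:3:532:
+inode:2:7:3366928:
>End
"""


def parse_state(text: str) -> Dict[str, object]:
    """Return the '+name' properties as a dict; numeric (type 2) values become int."""
    props: Dict[str, object] = {}
    for line in text.splitlines():
        if not line.startswith("+"):
            continue  # skip the "<Obj...:" header and the ">End" trailer
        body = line[1:-1] if line.endswith(":") else line[1:]
        name, ptype, _length, value = body.split(":", 3)
        props[name] = int(value) if ptype == "2" else value
    return props


def stale_reasons(props: Dict[str, object], configured_file: str,
                  current_inode: Optional[int] = None) -> List[str]:
    """Explain why this state file would make imfile read the wrong data."""
    reasons: List[str] = []
    tracked = props.get("pszFName")
    if tracked != configured_file:
        reasons.append(f"state tracks {tracked!r} but config says {configured_file!r}")
    if current_inode is not None and props.get("inode") != current_inode:
        reasons.append(f"state inode {props.get('inode')} != live inode {current_inode} (file replaced or rotated)")
    return reasons


def check_state_file(state_path: str, configured_file: str) -> List[str]:
    """Run the check against a real state file and the live inode of the input."""
    with open(state_path, encoding="utf-8") as fh:
        props = parse_state(fh.read())
    inode = os.stat(configured_file).st_ino if os.path.exists(configured_file) else None
    return stale_reasons(props, configured_file, inode)
```

Run `check_state_file("/var/spool/rsyslog/stat-bro_conn", "/media/backup/bro/current/conn.log")` before restarting rsyslog; any non-empty result means the state file should be removed so imfile starts fresh on the configured file.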

