I believe I've figured out my ruleset issue. A ruleset would only parse
correctly if it had at least one action bound to it, e.g.,
ruleset(name="ruleset") {
action(type="omfile" file="/tmp/test")
}
My mistake was trying to bind the action to the ruleset outside of the
block. I expected an action to be bindable to a ruleset the same way an
input is, but
ruleset(name="ruleset")
input(type="imptcp" Port="4414" ruleset="ruleset")
action(type="omfile" file="/tmp/test" ruleset="ruleset")
did not work for me. I also tried to bind the input to the ruleset the
same way an action is, for example:
ruleset(name="ruleset") {
input(type="imptcp" Port="4414")
action(type="omfile" file="/tmp/test")
}
This did not work for me either. The separate binding mechanism for
inputs and actions tripped me up. I could only get my ruleset to parse
correctly when I put the action inside of the ruleset block, and the
input outside of it, i.e.,
ruleset(name="ruleset") {
action(type="omfile" file="/tmp/test")
}
input(type="imptcp" Port="4414" ruleset="ruleset")
This is probably expected behavior, but these nuances were not clear to
me from the documentation.
http://www.rsyslog.com/doc/v7-stable/concepts/multi_ruleset.html seems
to indicate that
ruleset(name="ruleset");
should work (without any actions in it), but that was not my experience.
On 09/13/2014 08:07 AM, Rainer Gerhards wrote:
On Sat, Sep 13, 2014 at 3:59 PM, Devin Christensen <
[email protected]> wrote:
I will send when I get to the office. I can tell you the config is parsed
without error when I remove the ruleset, which is why I suspected it was
the issue. Does adding a ruleset trigger a change in how the config is
parsed?
No, but the error message points into some interdependency (as it mentions
the "module" object). So to understand what's going on, more context is
required.
Rainer
On Sep 13, 2014 1:21 AM, Rainer Gerhards <[email protected]> wrote:
Full config pls.
Sent from phone, thus brief.
Am 13.09.2014 02:48 schrieb "Devin Christensen" <
[email protected]>:
I'm getting parsing errors when adding a ruleset to my rsyslog
configuration. Here are all the variations I have tried.
* ruleset(name="rulesetname");
* ruleset(name="rulesetname")
* Ruleset(name="rulesetname")
* Ruleset(Name="rulesetname")
* ruleset(Name="rulesetname")
* ruleset(name="rulesetname") { }
* ruleset(name="rulesetname") {
}
* ruleset(name="rulesetname") {
};
The documentation seems to indicate that at least one of those should
work, not sure what I've overlooked.
I've tried versions 7.6.3 and 7.6.4 of rsyslog. I'm on Ubuntu 12.04.3.
The
error message given is:
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line
27: syntax error on token 'module(' [try http://www.rsyslog.com/e/2207 ]
rsyslogd: CONFIG ERROR: could not interpret master config file
'/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2207 ]
rsyslogd: run failed with error -2207 (see rsyslog.h or try
http://www.rsyslog.com/e/2207 to learn what that number means)
This email message is for the sole use of the intended recipient(s) and
may contain confidential, proprietary and privileged information. Any
unauthorized review, use, disclosure or distribution is prohibited. If
you
are not the intended recipient, please contact the sender by reply email
and destroy all copies of the original message. If you are the intended
recipient, please be advised that the content of this message is subject
to
access, review and disclosure by the sender's Email System Administrator.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
This email message is for the sole use of the intended recipient(s) and
may contain confidential, proprietary and privileged information. Any
unauthorized review, use, disclosure or distribution is prohibited. If you
are not the intended recipient, please contact the sender by reply email
and destroy all copies of the original message. If you are the intended
recipient, please be advised that the content of this message is subject to
access, review and disclosure by the sender's Email System Administrator.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
