On Tue, 3 Feb 2015, Brendan Kearney wrote:
Date: Tue, 03 Feb 2015 14:46:11 -0500
From: Brendan Kearney <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] rsyslog, journald and phplogcon
On Tue, 2015-02-03 at 11:32 -0800, David Lang wrote:
On Tue, 3 Feb 2015, Michael Biebl wrote:
2015-02-03 20:12 GMT+01:00 David Lang <[email protected]>:
the module load for imjournal line polls the journal, asking for all logs
since the last time it asked for logs. This is rather inefficient, but if
you need the extra journald metadata, you need to do this since the journal
won't send it otherwise.
The alturnative to this is to have journald send the logs to rsyslog (for
this, lookup the journald documentation where they say that they don't break
syslog because they support delivering logs to syslog)
It's only an alternative, if you don't need the additional metadata.
In this mode, journald will forward the messages to
/run/systemd/journal/syslog, and syslog will read from this socket
instead of /dev/log.
Those forwarded messages do not have any additional metadata.
ok, then to read this (assuming that your version of journald is outputting it)
should be:
input(type="imuxsock" socket="/run/systemd/journal/syslog")
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
using the below, i get nothing in my database...
$ModLoad imuxsock
$ModLoad imjournal
$ModLoad imklog
# IMuxSock options
input(type="imuxsock" socket="/run/systemd/journal/syslog")
# IMJournal options
$IMJournalPersistStateInterval 100
$IMJournalStateFile /var/spool/rsyslog/imjournal.state
you can't mix legacy and new config syntaxes. If you are going to use legacy
syntax, you have to set the options before you load the module for them to take
effect. Since you are running a current version, stick to the new syntax as it
makes it much clearer what options you are using for the load and input
you don't do both the socket option and the imjournal, pick one or the other
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
# Provides RELP syslog reception
$ModLoad imrelp
$InputRELPServerRun 20514
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
$AddUnixListenSocket /run/systemd/journal/syslog
this is doing the same thing with the legacy format that you did earlier with
the input section.
# Provides MySQL connectivity
$ModLoad ommysql
# MASSIVE INSERT RATE FOR DB / SCALED DB LOGGING
$WorkDirectory /var/spool/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName dbq
$ActionResumeRetryCount -1
*.* :ommysql:server1.bpk2.com,Syslog,username,password
any time you have stuff that's not getting logged to a database the way you
expect, first see that you have the data and can log it to a local file. Then
write to a local file using the template that you would use for the database and
look to see if the database is logging any errors.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
