On Tue, 2015-02-03 at 15:56 -0500, Brendan Kearney wrote:
> On Tue, 2015-02-03 at 11:51 -0800, David Lang wrote:
> > On Tue, 3 Feb 2015, Brendan Kearney wrote:
> >
> > > Date: Tue, 03 Feb 2015 14:46:11 -0500
> > > From: Brendan Kearney <[email protected]>
> > > Reply-To: rsyslog-users <[email protected]>
> > > To: rsyslog-users <[email protected]>
> > > Subject: Re: [rsyslog] rsyslog, journald and phplogcon
> > >
> > > On Tue, 2015-02-03 at 11:32 -0800, David Lang wrote:
> > >> On Tue, 3 Feb 2015, Michael Biebl wrote:
> > >>
> > >>> 2015-02-03 20:12 GMT+01:00 David Lang <[email protected]>:
> > >>>> the module load for imjournal line polls the journal, asking for all logs
> > >>>> since the last time it asked for logs. This is rather inefficient, but if
> > >>>> you need the extra journald metadata, you need to do this since the journal
> > >>>> won't send it otherwise.
> > >>>>
> > >>>> The alternative to this is to have journald send the logs to rsyslog (for
> > >>>> this, lookup the journald documentation where they say that they don't break
> > >>>> syslog because they support delivering logs to syslog)
> > >>>
> > >>> It's only an alternative, if you don't need the additional metadata.
> > >>> In this mode, journald will forward the messages to
> > >>> /run/systemd/journal/syslog, and syslog will read from this socket
> > >>> instead of /dev/log.
> > >>> Those forwarded messages do not have any additional metadata.
> > >>
> > >> ok, then to read this (assuming that your version of journald is outputting it)
> > >> should be:
> > >>
> > >> input(type="imuxsock" socket="/run/systemd/journal/syslog")
> > >>
> > >> David Lang
> > >> _______________________________________________
> > >> rsyslog mailing list
> > >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> > >> http://www.rsyslog.com/professional-services/
> > >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > >> DON'T LIKE THAT.
> > >
> > > using the below, i get nothing in my database...
> > >
> > > $ModLoad imuxsock
> > > $ModLoad imjournal
> > > $ModLoad imklog
> > >
> > > # IMuxSock options
> > > input(type="imuxsock" socket="/run/systemd/journal/syslog")
> > >
> > > # IMJournal options
> > > $IMJournalPersistStateInterval 100
> > > $IMJournalStateFile /var/spool/rsyslog/imjournal.state
> >
> > you can't mix legacy and new config syntaxes. If you are going to use legacy
> > syntax, you have to set the options before you load the module for them to take
> > effect. Since you are running a current version, stick to the new syntax as it
> > makes it much clearer what options you are using for the load and input
> >
> > you don't do both the socket option and the imjournal, pick one or the other
> >
> > > # Provides UDP syslog reception
> > > $ModLoad imudp
> > > $UDPServerRun 514
> > >
> > > # Provides TCP syslog reception
> > > $ModLoad imtcp
> > > $InputTCPServerRun 514
> > >
> > > # Provides RELP syslog reception
> > > $ModLoad imrelp
> > > $InputRELPServerRun 20514
> > >
> > >
> > > #### GLOBAL DIRECTIVES ####
> > >
> > > # Where to place auxiliary files
> > > $WorkDirectory /var/lib/rsyslog
> > >
> > > # Use default timestamp format
> > > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> > >
> > > # Include all config files in /etc/rsyslog.d/
> > > $IncludeConfig /etc/rsyslog.d/*.conf
> > >
> > > # Turn off message reception via local log socket;
> > > # local messages are retrieved through imjournal now.
> > > $OmitLocalLogging on
> > > $AddUnixListenSocket /run/systemd/journal/syslog
> >
> > this is doing the same thing with the legacy format that you did earlier with
> > the input section.
> >
> > > # Provides MySQL connectivity
> > > $ModLoad ommysql
> > > # MASSIVE INSERT RATE FOR DB / SCALED DB LOGGING
> > > $WorkDirectory /var/spool/rsyslog
> > > $ActionQueueType LinkedList
> > > $ActionQueueFileName dbq
> > > $ActionResumeRetryCount -1
> > > *.* :ommysql:server1.bpk2.com,Syslog,username,password
> >
> > any time you have stuff that's not getting logged to a database the way you
> > expect, first see that you have the data and can log it to a local file. Then
> > write to a local file using the template that you would use for the database and
> > look to see if the database is logging any errors.
> >
> > David Lang
>
> i am getting this in /var/log/messages:
>
> Feb 3 15:53:08 server1 rsyslogd: db error (1062): Duplicate entry
> 'server1' for key 'FromHost'
>
> is a unique value constraint being enforced or something? of course
> that field will be duplicated...
>
i dropped the tables and recreated them... BOOM, everything is working.

the examples on the rsyslog site flip flop between legacy and new
directives, so i went with the beast i know (legacy)...

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
#$ModLoad imjournal # provides access to the systemd journal
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability

#IMuxSock options
$SystemLogRateLimitInterval 0
$IMUXSockRateLimitInterval 0

#IMJournal options
#$IMJournalPersistStateInterval 100
#$IMJournalStateFile /var/spool/rsyslog/imjournal.state

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

# Provides RELP reception
$ModLoad imrelp
$InputRELPServerRun 20514

# Provides MySQL connectivity
$ModLoad ommysql
# MASSIVE INSERT RATE FOR DB / SCALED DB LOGGING
$WorkDirectory /var/spool/rsyslog # default location for work (spool) files
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName dbq # set file name, also enables disk mode
$ActionResumeRetryCount -1 # infinite retries on insert failure

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
# See above, IMJournal options
#$IMJournalStateFile /var/spool/rsyslog/imjournal.state

#### RULES ####

# for PostgreSQL replace :ommysql: by :ompgsql: below:
*.* :ommysql:server1.bpk2.com,Syslog,username,password
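
Added example, not part of the original thread and not the rsyslog project's shipped configuration: the same setup written only in the new-style syntax David Lang recommends, reading the journald forwarding socket instead of imjournal, with the local-file debug step he describes placed ahead of the database action. The debug file path and template name are hypothetical, and the insert statement assumes the stock SystemEvents table.

```conf
# Local messages: do not open /dev/log, read the socket journald forwards to.
module(load="imuxsock" SysSock.Use="off")
# RateLimit.Interval="0" turns rate limiting off for this socket.
input(type="imuxsock" socket="/run/systemd/journal/syslog"
      RateLimit.Interval="0")

# Kernel messages
module(load="imklog")

# Network listeners, same ports as the legacy directives in the thread
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")
module(load="imrelp")
input(type="imrelp" port="20514")

module(load="ommysql")

# Spool directory used by the disk-assisted action queue below
global(workDirectory="/var/spool/rsyslog")

# Debug template (hypothetical name). Assumption: it mirrors the statement
# ommysql sends by default for the stock SystemEvents table, plus a newline
# so each statement lands on its own line in the file.
template(name="DbInsertDebug" type="string" option.sql="on"
         string="insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')\n")

# Debug step: confirm messages arrive and inspect the SQL they would produce.
# Hypothetical path; 0600 because the file holds full message contents.
action(type="omfile" file="/var/log/rsyslog-db-debug.log"
       template="DbInsertDebug" fileCreateMode="0600")

# Database action; the queue settings belong to this action only.
# username/password are the placeholders used in the thread.
action(type="ommysql" server="server1.bpk2.com" db="Syslog"
       uid="username" pwd="password"
       queue.type="LinkedList" queue.filename="dbq"
       action.resumeRetryCount="-1")
```

Remove the omfile action once inserts are confirmed, and keep the file holding the database credentials readable by root only.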

