On Fri, 10 Jul 2015, Gerhardus Geldenhuis wrote:
Hi
I am struggling a bit to get rsyslog to work as described.
<rant>
Firstly the documentation is a struggle. There is some reference to old and
new style configuration but no clear differentiation between the two. What
makes it more confusing is that documents like
http://www.rsyslog.com/doc/queues.html then refers to what looks like the
old style of config and none of the examples contains new syntax examples.
There was also an expectation that the new rsyslog package would install a
new style config but that turned out to be not the case. I deleted the
config file and did a yum reinstall just to be sure.
</rant>
well, part of this is you are finding the old doc pages. the new ones are under
http://www.rsyslog.com/doc/v8-stable/
for queue stuff,
http://www.rsyslog.com/doc/v8-stable/rainerscript/queue_parameters.html
The new version continues to wrok with the old config. The one difference is
that things defined in the new format (i.e. action()) don't use defaults,
everything must be specified as part of the action() call
OS: CentOS 7
RSyslog:
rsyslog-8.11.0-1.el7.x86_64
rsyslog-relp-8.11.0-1.el7.x86_64
rsyslog-gnutls-8.11.0-1.el7.x86_64
So basically what I am trying to achieve is the following:
- Log remotely to a rsyslog server
- Turn off the remote server ( via firewall )
- Have logs be cached locally and saved to disk
- Restart client server
- Turn remote server back on
- See cached logs appear in the remote server
It does not work...
- So more specifically, if I turn the firewall off, log a few messages
and turn it back on then the caching works and I get the messages.
- If however I restart the client server, the logs never make it to the
remote sever, I can see the logs in the cached file but it does not get
send to the remote server.
My config on the client:
#### MODULES ####
module(load="imuxsock") # provides support for local system logging (e.g.
via logger command)
module(load="imklog") # provides kernel logging support (previously done
by rklogd)
#### GLOBAL DIRECTIVES ####
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
# ### begin forwarding rule ###
$WorkDirectory /var/lib/rsyslog # where to place spool files
$MainMsgQueueFileName LocalCaching # unique name prefix for spool files
$MainMsgQueueSaveOnShutdown on # save messages to disk on shutdown
# $MainMsgQueueType LinkedList
$MainMsgQueueType Disk
note that this forces rsyslog to use disk only for it's queue, this is going to
be hundreds of times slower than normal.
$MainMsgResumeRetryCount -1 # infinite retries if host is down
*.* @@192.168.8.253:514
# ### end of the forwarding rule ###
My config on the remote server:
module(load="imuxsock") # provides support for local system logging (e.g.
via logger command)
module(load="imklog") # provides kernel logging support (previously done
by rklogd)
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.*
Any pointers would be appreciated. I am hoping I am missing something
obvious or misunderstanding what I am suppose to be doing.
I'm not missing anything obvious, by using a disk queue you slow things down a
lot, but a shutdown/restart should see all the messages.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
