Hi,
Thanks for the replies. I think the bulk of my problem was mixing old and
new config and I am much further along to get something working. I have
discovered a few other niggles but will report back once I have something
working properly. As far as pull requests go, I would really consider doing
so but as always time is a factor. It does bug me so much that I must just
end up doing it for the documentation. I will give debug mode a go.

Regards

On 13 July 2015 at 13:17, Rainer Gerhards <[email protected]> wrote:

> 2015-07-10 13:40 GMT+02:00 Gerhardus Geldenhuis <[email protected]>:
> > Hi
> > I am struggling a bit to get rsyslog to work as described.
> >
> > <rant>
> > Firstly the documentation is a struggle. There is some reference to old and
> > new style configuration but no clear differentiation between the two. What
> > makes it more confusing is that documents like
> > http://www.rsyslog.com/doc/queues.html then refers to what looks like the
> > old style of config and none of the examples contains new syntax examples.
> >
> > There was also an expectation that the new rsyslog package would install a
> > new style config but that turned out to be not the case. I deleted the
> > config file and did a yum reinstall just to be sure.
> > </rant>
>
> well, this is open source. Pull requests are always appreciated,
> anything else happens as time permits ;)
>
> >
> > OS: CentOS 7
> > RSyslog:
> > rsyslog-8.11.0-1.el7.x86_64
> > rsyslog-relp-8.11.0-1.el7.x86_64
> > rsyslog-gnutls-8.11.0-1.el7.x86_64
> >
> > So basically what I am trying to achieve is the following:
> >
> >    - Log remotely to a rsyslog server
> >    - Turn off the remote server ( via firewall )
> >    - Have logs be cached locally and saved to disk
> >    - Restart client server
> >    - Turn remote server back on
> >    - See cached logs appear in the remote server
> >
> > It does not work...
> >
> >    - So more specifically, if I turn the firewall off, log a few messages
> >    and turn it back on then the caching works and I get the messages.
> >    - If however I restart the client server, the logs never make it to the
> >    remote server, I can see the logs in the cached file but it does not get
> >    sent to the remote server.
> >
> > My config on the client:
> > #### MODULES ####
> > module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
> > module(load="imklog")   # provides kernel logging support (previously done by rklogd)
> >
> > #### GLOBAL DIRECTIVES ####
> > $IncludeConfig /etc/rsyslog.d/*.conf
> >
> > #### RULES ####
> >
> > *.info;mail.none;authpriv.none;cron.none                /var/log/messages
> > authpriv.*                                              /var/log/secure
> > mail.*                                                  /var/log/maillog
> > cron.*                                                  /var/log/cron
> > *.emerg                                                 :omusrmsg:*
> > uucp,news.crit                                          /var/log/spooler
> > local7.*                                                /var/log/boot.log
> >
> > # ### begin forwarding rule ###
> > $WorkDirectory /var/lib/rsyslog # where to place spool files
> > $MainMsgQueueFileName LocalCaching # unique name prefix for spool files
> > $MainMsgQueueSaveOnShutdown on # save messages to disk on shutdown
> > # $MainMsgQueueType LinkedList
> > $MainMsgQueueType Disk
> > $MainMsgResumeRetryCount -1    # infinite retries if host is down
> >
> > *.* @@192.168.8.253:514
> >
> > # ### end of the forwarding rule ###
> >
> > My config on the remote server:
> > module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
> > module(load="imklog")   # provides kernel logging support (previously done by rklogd)
> > module(load="imtcp") # needs to be done just once
> > input(type="imtcp" port="514")
> > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> > $IncludeConfig /etc/rsyslog.d/*.conf
> > *.info;mail.none;authpriv.none;cron.none                /var/log/messages
> > authpriv.*                                              /var/log/secure
> > mail.*                                                  /var/log/maillog
> > cron.*                                                  /var/log/cron
> > *.emerg                                                 :omusrmsg:*
> > uucp,news.crit                                          /var/log/spooler
> > local7.*
> >
> > Any pointers would be appreciated. I am hoping I am missing something
> > obvious or misunderstanding what I am supposed to be doing.
> >
>
> You should run rsyslog in such a situation in debug mode. From the
> debug log, we can see why it thinks it can't deliver to the remote
> system (well, hopefully ;)).
>
> HTH
> Rainer
>
> > Regards
> >
> > --
> > Gerhardus Geldenhuis
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T LIKE THAT.
>



-- 
Gerhardus Geldenhuis
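
For reference, the client's forwarding rule written entirely in new-style (RainerScript) syntax, with a disk-assisted queue attached to the forwarding action rather than configured through the legacy $MainMsgQueue* directives. This is an added example, not configuration posted in the thread and not a confirmed fix for the restart behaviour reported above. The target and port come from the quoted client config; the queue file name and disk limit are assumed values.

```conf
# Added example (not from the thread): new-style client forwarding rule.
# Legacy equivalents are noted per line so old and new syntax are not mixed.

global(workDirectory="/var/lib/rsyslog")    # legacy: $WorkDirectory (spool file location)

action(
    type="omfwd"
    target="192.168.8.253"                  # from the quoted client config
    port="514"                              # from the quoted client config
    protocol="tcp"                          # legacy: the @@ prefix
    action.resumeRetryCount="-1"            # legacy: $ActionResumeRetryCount -1 (retry forever)
    queue.type="LinkedList"                 # legacy: $ActionQueueType LinkedList
    queue.filename="fwd_192_168_8_253"      # assumed name; setting it makes the queue disk-assisted
    queue.saveOnShutdown="on"               # legacy: $ActionQueueSaveOnShutdown on
    queue.maxDiskSpace="1g"                 # assumed limit; legacy: $ActionQueueMaxDiskSpace
)
```

Running `rsyslogd -N1` checks the resulting configuration for syntax errors before the service is restarted.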