On Wed, Aug 26, 2015 at 8:35 AM, David Lang <[email protected]> wrote:
> On Wed, 26 Aug 2015, C. L. Martinez wrote:
>
>> On Wed, Aug 26, 2015 at 7:12 AM, Rainer Gerhards
>> <[email protected]> wrote:
>>>
>>> There were numerous changes to imfile. I suggest to go to the
>>> currently supported 8.12.0. If the problem persists, we can look into
>>> it.
>>>
>>> Rainer
>>>
>>
>> Ok, installed release 8.12.0. But when I start up rsyslog, it returns the
>> following errors:
>>
>> Please use the global(net.enableDNS="off") configuration parameter
>> instead.
>> rsyslogd: error during parsing file
>> /data/config/etc/rsyslog/rsyslog-nsm.conf, on or before line 17:
>> parameter 'statefile' deprecated but accepted, consider removing or
>> replacing it [v8.12.0 try http://www.rsyslog.com/e/2207 ]
>> rsyslogd: error during parsing file
>> /data/config/etc/rsyslog/rsyslog-nsm.conf, on or before line 18:
>> parameter 'statefile' deprecated but accepted, consider removing or
>> replacing it [v8.12.0 try http://www.rsyslog.com/e/2207 ]
>>
>>
>> What does it mean "Please use the global(net.enableDNS="off")
>> configuration parameter instead"?? What option do I need to change??
>>
>> And "rsyslogd: error during parsing file
>> /data/config/etc/rsyslog/rsyslog-nsm.conf, on or before line 18:
>> parameter 'statefile' deprecated but". If I don't use a statefile, how
>> are queues managed??
>
>
> These are warnings, not errors. Everything should work as is (at least for a
> few more versions)
>
> instead of a whole bunch of $something parameters followed by an action to
> define the queue for that action, you do action( queue.parameters=)
> instead. It makes it much clearer what affects what.
>
> for the moment you don't need to worry about it, but take a look at the
> documentation for details.
>

Ok, I solved the previous warnings by modifying the config:

#rsyslog v8 config file

#### MODULES ####

# Input modules
module (
load="imfile"
mode="inotify"
)

# Suricata IDS logs
input (
type="imfile"
file="/nsm/logs/idpsuricata01/fast.log"
tag="suricata"
facility="local6"
severity="info"
)

input (
type="imfile"
file="/nsm/logs/idpsuricata01/http.log"
tag="url"
facility="local6"
severity="info"
)



#### GLOBAL DIRECTIVES ####

global (
workdirectory="/data/logs/rsyslog"
maxmessagesize="64K"
net.enabledns="off"
)

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Default spool directory
main_queue (
queue.FileName="mainq"
queue.Type="LinkedList"
queue.MaxDiskSpace="10g"
queue.maxfilesize="3g"
queue.Size="864000000"
queue.dequeuebatchsize="1000"
queue.TimeoutEnqueue="0"
queue.workerThreads="4"
queue.SaveOnShutdown="on"
)

Is it ok?? I don't know how to change the option
"$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat" to the new
config. Any help??

On the other hand, David, do you have any example of what you explained
to me?? I need to segregate queues/actions using syslogtag, but I don't
know how I can change my config to accomplish what you say.

My actual conf:

if $syslogtag == 'suricata' then {
action(type="omfwd" protocol="tcp" target="172.17.22.1" port="10514"
template="suricata_rfc5424fmt"
queue.filename="suricatafwd"
queue.maxdiskspace="1g"
queue.saveonshutdown="on"
queue.type="linkedlist"
queue.maxfilesize="5m"
action.resumeretrycount="-1")
stop
}
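
One way to express both points raised in this message in the v8 syntax, as an added example that is not part of the original thread or the rsyslog project's own configuration: the default file template set on the built-in omfile module, and one forwarding action per imfile tag, each with its own disk-assisted queue so a stalled collector for one IDS stream does not block the other. Assumptions: the "url" stream goes to the same collector as the "suricata" stream, it uses the built-in RSYSLOG_SyslogProtocol23Format template, the queue name "urlfwd" is made up for the example, and the suricata_rfc5424fmt template and the global workdirectory are defined as in the poster's config.

```rsyslog
# Added example, not from the original message.

# New-style replacement for:
#   $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# The default template for file output is a parameter of the
# built-in omfile module.
module(load="builtin:omfile" template="RSYSLOG_TraditionalFileFormat")

# Suricata alerts (imfile tag="suricata").
# queue.* parameters inside action() apply to this action only.
# queue.filename must be unique per action; the spool files are
# written under the global workdirectory.
if $syslogtag == 'suricata' then {
    action(type="omfwd" protocol="tcp" target="172.17.22.1" port="10514"
           template="suricata_rfc5424fmt"
           queue.type="linkedlist"
           queue.filename="suricatafwd"
           queue.maxdiskspace="1g"
           queue.maxfilesize="5m"
           queue.saveonshutdown="on"
           action.resumeretrycount="-1")
    stop
}

# Suricata HTTP log (imfile tag="url") with a separate queue.
# Target, template and queue name are assumptions for this example.
if $syslogtag == 'url' then {
    action(type="omfwd" protocol="tcp" target="172.17.22.1" port="10514"
           template="RSYSLOG_SyslogProtocol23Format"
           queue.type="linkedlist"
           queue.filename="urlfwd"
           queue.maxdiskspace="1g"
           queue.maxfilesize="5m"
           queue.saveonshutdown="on"
           action.resumeretrycount="-1")
    stop
}
```

Running `rsyslogd -N1 -f <config file>` checks the syntax of the resulting configuration without starting the daemon.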