I think stream compression was added to rsyslog around version 7.2 or so. If I recall correctly, CentOS 6 includes rsyslog v5.8, so you'll definitely want to upgrade your rsyslog version.
See http://www.rsyslog.com/rhelcentos-rpms/ for instructions on how to add the v8-stable repo to your /etc/yum.repos.d/ directory.

--
Dave Caplinger, Director, Technical Product Management | 402.361.3063 |
Solutionary — An NTT Group Security Company

> On Oct 2, 2015, at 12:35 PM, Randy Baca <[email protected]> wrote:
>
> Thanks for the conf validation switch. Looks like we have a compatibility
> issue. Most of our existing syslog servers are running on CentOS 6. Will an
> upgrade of rsyslog resolve this, or do we need to convert the conf to legacy?
>
> module(load="imklog")
> module(load="imuxsock")
> module(load="imudp")
> module(load="imtcp")
> # In: 514/TCP (uses the same queue as UDP)
> input(type="imtcp"
>       address="10.1.2.3"
>       port="514"
>       ruleset="ruleset_eth0_514")
> # In: 514/UDP (uses the same queue as TCP)
> input(type="imudp"
>       address="10.1.2.3"
>       port="514"
>       ruleset="ruleset_eth0_514")
> # Out: UDP-spoof to the local and also forward to remote rsyslog
> ruleset(name="ruleset_eth0_514"
>         queue.highwatermark 50000
>         queue.fulldelaymark 20000
>         queue.lowwatermark 2000
>         queue.type="LinkedList") {
>     call action.local.udp515
>     call action.fwd.remotebox
>     stop
> }
> # Fwd to localhost:udp/515
> ruleset(name="action.local.udp515") {
>     action(type="omudpspoof"
>            name="omudpspoof.local515"
>            target="127.0.0.1"
>            port="515")
> }
> # Fwd to remotebox w/ compression and local disk queueing
> ruleset(name="action.fwd.remotebox") {
>     action(type="omfwd"
>            name="omfwd.remotebox"
>            queue.type="LinkedList"
>            queue.filename="omfwd_remotebox"
>            queue.size="10000"
>            queue.maxdiskspace="2G"
>            queue.saveonshutdown="on"
>            action.resumeretrycount="-1"
>            target="172.22.22.22"
>            port="514"
>            protocol="tcp"
>            compression.mode="stream:always")
> }
>
> Regards,
>
> Randy Baca
>
> ________________________________________
> From: [email protected] [[email protected]]
> on behalf of David Lang [[email protected]]
> Sent: Thursday, October 01, 2015 7:53 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Complex forwarding and spoofing question
>
> I'm not seeing anything obviously wrong, but you left out part of the config
> (the module loading if nothing else)
>
> do
> rsyslogd -N2
> to have rsyslog do a syntax check of the config and see if it's happy.
>
> David Lang
>
> On Fri, 2 Oct 2015, Randy Baca wrote:
>
>> Date: Fri, 2 Oct 2015 00:26:11 +0000
>> From: Randy Baca <[email protected]>
>> Reply-To: rsyslog-users <[email protected]>
>> To: rsyslog-users <[email protected]>
>> Subject: Re: [rsyslog] Complex forwarding and spoofing question
>>
>> This is what I am using but nothing in a tcpdump going to local on port 515
>> or remote on port 514.
>>
>> # In: 514/TCP (uses the same queue as UDP)
>> input(type="imtcp"
>>       address="10.1.2.3"
>>       port="514"
>>       ruleset="ruleset_eth0_514")
>>
>> # In: 514/UDP (uses the same queue as TCP)
>> input(type="imudp"
>>       address="10.1.2.3"
>>       port="514"
>>       ruleset="ruleset_eth0_514")
>>
>> # Queue: UDP-spoof to the local and also forward to remote rsyslog
>> ruleset(name="ruleset_eth0_514"
>>         queue.highwatermark 50000
>>         queue.fulldelaymark 20000
>>         queue.lowwatermark 2000
>>         queue.type="LinkedList") {
>>     call action.local.udp515
>>     call action.fwd.remotebox
>>     stop
>> }
>>
>> # Fwd to localhost:udp/515
>> ruleset(name="action.local.udp515") {
>>     action(type="omudpspoof"
>>            name="omudpspoof.local515"
>>            target="127.0.0.1"
>>            port="515")
>> }
>>
>> # Fwd to remotebox w/ compression and local disk queueing
>> ruleset(name="action.fwd.remotebox") {
>>     action(type="omfwd"
>>            name="omfwd.remotebox"
>>            queue.type="LinkedList"
>>            queue.filename="omfwd_remotebox"
>>            queue.size="10000"
>>            queue.maxdiskspace="2G"
>>            queue.saveonshutdown="on"
>>            action.resumeretrycount="-1"
>>            target="172.22.22.22"
>>            port="514"
>>            protocol="tcp"
>>            compression.mode="stream:always")
>> }
>>
>> ________________________________________
>> From: [email protected] [[email protected]]
>> on behalf of Dave Caplinger [[email protected]]
>> Sent: Thursday, October 01, 2015 2:09 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] Complex forwarding and spoofing question
>>
>> Looks like it's "queue.fulldelaymark" (and I presume "queue.lightdelaymark"
>> may be related, but there's no description at
>> http://www.rsyslog.com/doc/master/rainerscript/queue_parameters.html so I'm
>> not sure yet what it does...)
>>
>> Thanks!
>>
>> --
>> Dave Caplinger, Director, Technical Product Management | 402.361.3063 |
>> Solutionary — An NTT Group Security Company
>>
>>> On Oct 1, 2015, at 4:03 PM, David Lang <[email protected]> wrote:
>>>
>>> There is a queue parameter that tells rsyslog that if the queue is larger
>>> than X, stop accepting inputs that can be delayed (like TCP) so that there
>>> is space left for a burst of traffic from inputs that can't be delayed
>>> (like UDP)
>>>
>>
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
>> LIKE THAT.
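
As an added example (not part of the thread or of rsyslog), a shell pre-flight that gates on the installed rsyslogd version before running the `rsyslogd -N2` check discussed above, and flags queue/action parameters written without `=`, as in the quoted `queue.highwatermark 50000`. The 7.2 threshold is the thread's own estimate, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight check before deploying a RainerScript config.

# Assumption: 7.2 is the thread's estimate for stream-compression support;
# confirm the exact release in the rsyslog changelog.
MIN_VERSION=${MIN_VERSION:-7.2}

# Print "major.minor" from the first line of `rsyslogd -v` output.
rsyslog_version() {
    printf '%s\n' "$1" |
        sed -n '1s/^rsyslogd[[:space:]]*\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed if version $1 is at least $2 (numeric compare, so 7.10 > 7.2).
version_at_least() {
    [ "${1%%.*}" -gt "${2%%.*}" ] && return 0
    [ "${1%%.*}" -eq "${2%%.*}" ] && [ "${1#*.}" -ge "${2#*.}" ]
}

# Heuristic: list queue.*/action.* parameters written without "=".
params_missing_equals() {
    grep -nE '^[[:space:]]*(queue|action)\.[A-Za-z.]+[[:space:]]+[^=[:space:]]' "$1"
}

preflight() {
    conf=$1
    ver=$(rsyslog_version "$(rsyslogd -v 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "cannot determine rsyslogd version" >&2
        return 2
    fi
    if ! version_at_least "$ver" "$MIN_VERSION"; then
        echo "rsyslogd $ver is older than $MIN_VERSION; upgrade first" >&2
        return 1
    fi
    if params_missing_equals "$conf" >&2; then
        echo "the parameters listed above are missing '='" >&2
        return 1
    fi
    # Syntax check with the installed binary, as suggested in the thread.
    rsyslogd -N2 -f "$conf"
}

# Run only when a config path is given: sh preflight.sh /etc/rsyslog.conf
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```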

